Microsoft SQL Server 2014-2017 - Remote Code Execution (RCE) due to Incorrect Handling of Internal Functions (CVE-2019-1068)
Description
Context
Microsoft SQL Server (Structured Query Language) is a proprietary relational database management system developed by Microsoft. As a database server, it is a software product with the primary function of storing and retrieving data as requested by other software applications - which may run either on the same computer or on another computer across a network (including the Internet). Microsoft markets at least a dozen different editions of Microsoft SQL Server, aimed at different audiences and for workloads ranging from small single-machine applications to large Internet-facing applications with many concurrent users.
Vulnerability Summary
A critical vulnerability exists in Microsoft SQL Server when it incorrectly handles processing of internal functions.
Technical Details
Microsoft have not released any technical details at the time of writing. However, a small team of security researchers have performed an analysis of the patch issued by Microsoft. Their conclusion is that this is a stack-based memory corruption in svl.dll. Specifically, the SvlPathUtilHasDriveLetter function was identified as processing a user-generated string even if it was not in a valid path format. Originally, the function used the iswalpha function to check that the first character of the user-controlled input string is a letter between A and Z and that the second character of the string is the ":" character.
Impact If Exploited
An attacker who successfully exploited this vulnerability could execute arbitrary (malicious) code in the context of the privileged SQL Server Database Engine service account.
To exploit the vulnerability, an authenticated attacker would need to submit a specially crafted query to an affected SQL server. In this instance, security researchers have determined that it would require a crafted SQL query which includes a path value that triggers the vulnerable function.
Threat Landscape & Known Exploitation
Proof of Concept (POC) exploit code is readily available to attackers via the blog posts published by the team of researchers.
This vulnerability has not been reported by CISA (America's Cyber Defense Agency) under its Known Exploited Vulnerabilities (KEV) catalogue process as known to be actively exploited in the wild as of 2024-11-04. However, several hundred FortiGuard sensors have detected active exploitation of this vulnerability in connection with the delivery of the Mallox ransomware.
The Mallox ransomware, also referred to as 'FARGO' or 'TargetCompany', first appeared in June 2021. Initially, it targeted Microsoft Windows systems by exploiting unsecured Microsoft SQL servers. Over time, it has evolved to impact Linux systems and VMware ESXi environments as well. The ransomware attacks a wide range of industries, including manufacturing, technology, automotive, and banking. In recent years, Mallox has expanded its operations by adopting a Ransomware-as-a-Service (RaaS) model, recruiting affiliates to extend its reach. Ransomware infection may cause disruption, damage to daily operations, potential impact to an organization's reputation and extortion.
CISA have previously published warnings of the earlier, active exploitation of several other vulnerabilities in Microsoft SQL Server products, including most recently CVE-2020-0618 in September 2024.
Affected Product Versions
Microsoft SQL Server 2014 Service Pack 2 for x64-based Systems (GDR) prior to security update KB4057120
Microsoft SQL Server 2014 Service Pack 2 for 32-bit Systems (GDR) prior to security update KB4057120
Microsoft SQL Server 2014 Service Pack 2 for x64-based Systems (CU) prior to security update KB4491540 (SP2 CU17)
Microsoft SQL Server 2014 Service Pack 2 for 32-bit Systems (CU) prior to security update KB4491540 (SP2 CU17)
Microsoft SQL Server 2014 Service Pack 3 for 32-bit Systems (GDR) prior to security update KB4505422
Microsoft SQL Server 2014 Service Pack 3 for x64-based Systems (GDR) prior to security update KB4505422
Microsoft SQL Server 2014 Service Pack 3 for 32-bit Systems (CU) prior to security update KB4491539 (SP3 CU3)
Microsoft SQL Server 2014 Service Pack 3 for x64-based Systems (CU) prior to security update KB4491539 (SP3 CU3)
Microsoft SQL Server 2016 for x64-based Systems Service Pack 1 (GDR) prior to security update KB4458842
Microsoft SQL Server 2016 for x64-based Systems Service Pack 1 (CU) prior to security update KB4495257 (SP1 CU15)
Microsoft SQL Server 2016 for x64-based Systems Service Pack 2 (GDR) prior to security update KB4293802
Microsoft SQL Server 2016 for x64-based Systems Service Pack 2 (CU) prior to security update KB4495256 (SP2 CU7)
Microsoft SQL Server 2017 for x64-based Systems (GDR) prior to security update KB4494351
Microsoft SQL Server 2017 for x64-based Systems (CU) prior to security update KB4498951 (RTM CU15)
Indicators of Compromise (IoC)
(An Indicator of Compromise (IoC) is a piece of digital forensic evidence that suggests an endpoint or network may have been breached. IoCs often include IP addresses involved in known exploitation. AppCheck provides this information so that customers can investigate a potential breach, as well as take proactive actions such as blocking known malicious IPs or URIs in firewalls and application delivery controllers, or adding File Integrity Check rules for known malicious file hashes.)
The vendor has not published a list of indicators of compromise (IoC) at the time of writing.
Remediation
Official Remediation Guidance
Microsoft has resolved this vulnerability in its July 2019 patch cycle by modifying how the Microsoft SQL Server Database Engine handles the processing of functions. The patched function now includes a check for the third character of the input string to ensure that it is the "\" or "/" character.
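To make the difference between the original check (Technical Details above) and the patched check (this section) concrete, the following added C model reproduces the two predicates as the page describes them. It is not the svl.dll code: the function names, the use of wide strings and the exact behaviour are assumptions drawn only from the description on this page.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <wchar.h>
#include <wctype.h>

/* Hypothetical model of the pre-patch check as described on this page:
 * the string is treated as drive-qualified if its first character is a
 * letter (iswalpha) and its second character is ':'. Nothing after the
 * colon is examined, so "C:" followed by arbitrary text passes. */
bool has_drive_letter_prepatch(const wchar_t *s)
{
    if (s == NULL)
        return false;
    /* s[1] is only read once s[0] is known to be a (non-terminator) letter */
    return iswalpha((wint_t)s[0]) && s[1] == L':';
}

/* Hypothetical model of the patched check: the same two conditions plus
 * a requirement that the third character is a path separator ('\' or '/'),
 * so a bare "C:" or "C:garbage" is no longer accepted as a path. */
bool has_drive_letter_patched(const wchar_t *s)
{
    if (!has_drive_letter_prepatch(s))
        return false;
    /* s[1] == ':' guarantees s[2] exists (it may be the terminator) */
    return s[2] == L'\\' || s[2] == L'/';
}

/* Constructed sample inputs, not taken from any real query. */
int main(void)
{
    const wchar_t *samples[] = {
        L"C:\\data\\file.mdf", L"D:/backups", L"C:", L"C:notapath", L"1:\\x", L""
    };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        printf("%-22ls pre-patch=%d patched=%d\n", samples[i],
               has_drive_letter_prepatch(samples[i]),
               has_drive_letter_patched(samples[i]));
    }
    return 0;
}
```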
Customers are advised to upgrade to the latest version of the impacted product by applying all the General Distribution Release (GDR) or Cumulative Update (CU) patches for the product. You can help protect your system by installing this update from Microsoft. For a complete listing of the issues that are included in this update, see the associated Microsoft Knowledge Base article. After you install this update, you may have to restart your system. Install the update, and refer to the advisory for any further configuration that may be required. Note that Microsoft SQL Server 2014 is no longer supported and should be considered obsolete.
Due to ongoing active exploitation of this vulnerability, prioritisation should be given to the urgent remediation of vulnerable systems.
NOTE: Remediation of this vulnerability by patching to a specific version indicated may not be sufficient to secure the product against further vulnerabilities discovered in later versions, subsequent to the publication of this guidance. Unless contra-indicated, customers are therefore advised to always upgrade to the latest version of the product available.
Temporary Mitigation & Workarounds
(The vendor has not advised of any alternative temporary mitigation or workarounds)
NOTE: Caution should always be taken in applying any temporary mitigations listed. Mitigations are only recommended in cases where patches to remediate the vulnerability are not available, or cannot safely be applied to a given environment immediately. A given mitigation may not in all cases be recommended officially by the application vendor. The viability of any given temporary mitigation measure may vary, depending on server platform and existing configuration. Mitigations listed may incompletely remediate any given vulnerability. Configuration changes to implement listed mitigations may impact/disrupt required functionality within a given customer application. Care should therefore be taken to carefully analyse any listed mitigations for appropriateness to a given environment. Customers are advised to test any configuration changes prior to their being introduced into a production environment.
References
Vendor Advisories
Third-Party Analysis & Threat Intelligence
Proof of Concept (PoC) and Exploit Code
- Category
- Arbitrary Code Execution
- CWE
- CWE-20
- CVE
- Known Exploitation Activity
OWASP
- OWASP 2013
- A1 - Injection
- OWASP 2017
- A1 - Injection
- OWASP 2021
- A3 - Injection