Microsoft Database Engine Vulnerabilities Patched
Exploits Could Enable Remote Attacks on MS IIS and SQL
Researchers at Palo Alto Networks’ Unit 42 say they have demonstrated how exploits of Microsoft Jet Database Engine vulnerabilities could lead to remote attacks on Microsoft Internet Information Services and Microsoft SQL Server to gain system privileges. Microsoft recently patched the flaws.
Palo Alto Networks did not report on whether any exploits using the vulnerabilities were found in the wild, and the company did not immediately respond to Information Security Media Group’s request for additional information.
IIS is a general-purpose web server that runs on Windows, while SQL Server is a relational database management system.
Palo Alto Networks described the exploits in a presentation at the recent Black Hat Asia 2021 event.
Exploit Analysis
The exploits take advantage of remote database access supported in Microsoft Jet Database Engine, including Jet Red Database Engine and Access Connectivity Engine, the researchers say.
“When misused, the feature allows attackers to execute SQL queries on the fully controlled database file on the remote attacker’s controlled server,” the researchers explain. “Once the remote legitimate database file is replaced with a malformed database file, executing SQL queries on it could break the code precondition and assumptions in Microsoft Jet/ACE, leading to vulnerabilities in many Jet components.
“The typical attack scenarios are SQL injection and ad hoc. In these two scenarios, attackers can execute any SQL queries on the malformed databases in the IIS and SQL server. The resulting Jet vulnerabilities will impact the IIS and SQL server.”
Users can assign a remote database when executing SQL queries on tables by adding a database path ahead of the table in MS Jet and using OPENDATASOURCE, OPENROWSET or addlinkedserver in ACE.
Remote database access allows attackers to replace a legitimate database with a malformed one, the researchers say.
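For defenders reviewing where this feature is in use, the following added example (not code from Unit 42, Microsoft or the original article) flags logged SQL statements that use the access paths named above with a Jet or ACE provider, or that reference an Access database file on a remote host. The regular expressions, function names and sample queries are assumptions constructed for illustration, not vendor signatures.

```python
import re

# Heuristics assumed for this example; tune them against your own query logs.
REMOTE_ACCESS_FUNCS = re.compile(
    r"\b(OPENROWSET|OPENDATASOURCE|sp_addlinkedserver)\b", re.I)
JET_ACE_PROVIDER = re.compile(r"Microsoft\.(Jet|ACE)\.OLEDB\.[\d.]+", re.I)
# UNC path (\\host\share\...) or URL that ends in an Access database file.
REMOTE_DB_PATH = re.compile(
    r"(\\\\[^\\\s'\";\]]+\\[^'\";\]]*|https?://[^'\";\]\s]+)\.(mdb|accdb)\b",
    re.I)

def classify(query):
    """Return the reasons a query touches the Jet/ACE remote database surface."""
    reasons = []
    func = REMOTE_ACCESS_FUNCS.search(query)
    provider = JET_ACE_PROVIDER.search(query)
    remote = REMOTE_DB_PATH.search(query)
    if func and provider:
        reasons.append(f"{func.group(1).upper()} with {provider.group(0)}")
    if remote:
        reasons.append("remote database file: " + remote.group(0))
    return reasons

def scan(lines):
    """Return (line_number, reasons) for every flagged statement."""
    return [(n, r) for n, line in enumerate(lines, 1) if (r := classify(line))]

# Constructed sample statements (not taken from any real log).
SAMPLE = [
    r"SELECT name FROM dbo.Customers WHERE id = 7",
    r"SELECT * FROM OPENROWSET('Microsoft.ACE.OLEDB.12.0', "
    r"'\\fileserver.example\share\sales.accdb';'admin';'', Orders)",
    r"SELECT * FROM OPENROWSET('SQLNCLI', "
    r"'Server=db2.example;Trusted_Connection=yes;', 'SELECT 1')",
    r"EXEC sp_addlinkedserver @server='L1', @srvproduct='Access', "
    r"@provider='Microsoft.Jet.OLEDB.4.0', @datasrc='C:\data\local.mdb'",
    r"SELECT * FROM [\\fileserver.example\share\legacy.mdb].Orders",
]

if __name__ == "__main__":
    for number, reasons in scan(SAMPLE):
        print(f"statement {number}: " + "; ".join(reasons))
```

Statements flagged only for the provider (a local file path) show where Jet or ACE is reachable from SQL at all; those flagged for a remote path are the ones that would be affected by disabling remote database access.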
During code development and testing in MS Jet and ACE, developers might not consider the possibility of the database being malformed, so the researchers decided to explore the idea of mutating both SQL queries and database files. “With that fuzzing strategy, we have discovered around 100 vulnerabilities in MS Jet and ACE,” Palo Alto Networks reports.
Most of the vulnerabilities could be used to attack IIS and SQL Server under SQL injection and ad hoc scenarios, the researchers say.
In addition, Palo Alto Networks says, “any components supporting MS Jet and ACE on Windows could be vulnerable, as long as the component allows users to execute any query on the controllable database with MS Jet and ACE.”
Mitigation
Microsoft has assigned the flaws the designation CVE-2021-28455 and released a patch.
The patch introduces an option to disable remote database access in the MS Jet and ACE components. Instead of patching every Jet vulnerability, it mitigates the whole attack surface.
Installing these updates does not, by default, change how the Jet Red Database Engine or ACE is accessed, a Microsoft spokesperson tells Information Security Media Group. Microsoft has also provided more information on blocking access to remote databases.
Microsoft recommends that customers with any app compatibility issues consider additional security measures.
Palo Alto Networks: Patch Imperfect
Although the patch mitigates the risks, it is not turned on by default – and most Jet vulnerabilities are still not patched, Palo Alto Networks says.
“The mitigation for the attack surface in ACE still remains imperfect, and we are working with Microsoft to release a complete patch for both MS Jet and ACE,” it adds.
The Microsoft Jet Database Engine, including MS Jet and ACE, is over 20 years old, and a vast majority of the Jet modules have been found to be easily exploitable due to limited exploit mitigations, the researchers note.
“The remote database access feature connects the Jet vulnerabilities with IIS and SQL server components, thereby downgrading their security to the same level as the Jet Database Engine,” they add.