Microsoft Database Engine Vulnerabilities Patched – BankInfoSecurity.com

Microsoft Database Engine Vulnerabilities Patched – BankInfoSecurity.com

Application Security , Governance & Risk Management , IT Risk Management
Researchers at Palo Alto Networks’ Unit 42 say they have demonstrated how exploits of Microsoft Jet Database Engine vulnerabilities could lead to remote attacks on Microsoft Internet Information Services and Microsoft SQL Server to gain system privileges. Microsoft says it recently patched the flaws.
See Also: Cloud-Delivered Security for the Digital Workspace
Palo Alto Networks did not report on whether any exploits using the vulnerabilities were found in the wild, however Tao Yan, security researcher with the Palo Alto Networks’ Unit 42 team tells Information Security Group that its researchers reported around 100 Jet vulnerabilities to Microsoft in 2020, though Microsoft only fixed a small number of them.
“It seems that Microsoft’s strategy is to mitigate the whole attack surface instead of fixing each individual vulnerability, one by one,” Yan says.
IIS is a general-purpose web server that runs on Windows, while SQL Server is a relational database management system.
Palo Alto Networks described the exploits in a presentation at the recent Black Hat Asia 2021 event.
The exploits take advantage of remote database access supported in Microsoft Jet Database Engine, including Jet Red Database Engine and Access Connectivity Engine, the researchers say.
“When misused, the feature allows attackers to execute SQL queries on the fully controlled database file on the remote attacker’s controlled server,” the researchers explain. “Once the remote legitimate database file is replaced with a malformed database file, executing SQL queries on it could break the code precondition and assumptions in Microsoft Jet/ACE, leading to vulnerabilities in many Jet components.
“The typical attack scenarios are SQL injection and ad hoc. In these two scenarios, attackers can execute any SQL queries on the malformed databases in the IIS and SQL server. The resulting Jet vulnerabilities will impact the IIS and SQL server.”
Users can assign a remote database when executing SQL queries on tables by adding a database path ahead of the table in MS Jet and using OPENDATASOURCE, OPENROWSET or addlinkedserver in ACE.
Remote database access allows attackers to replace a legitimate database with a malformed one, the researchers say.
During code development and testing in MS Jet and ACE, developers might not consider the possibility of the database being malformed, so the researchers decided to explore the idea of mutating both SQL queries and database files. It was using that fuzzing strategy that enabled the researchers to discovered the 100 vulnerabilities in MS Jet and ACE.
Most of the vulnerabilities could be used to attack IIS and SQL Server under SQL injection and ad hoc scenarios, the researchers say.
Palo Alto Networks says, “any components supporting MS Jet and ACE on Windows could be vulnerable, as long as the component allows users to execute any query on the controllable database with MS Jet and ACE.”
Microsoft has assigned the flaws the designation CVE-2021-28455 and released a patch.
The patch introduces an option to disable remote database access in the MS Jet component and ACE component.
By default, no changes are made to accessing the Jet Red Database Engine or the ACE by installing these updates, a Microsoft spokesperson tells Information Security Media Group. Plus, Microsoft has provided more information on blocking access to remote databases.
Microsoft recommends customers with any app compatibility issues consider additional security measures.
Although the patch mitigates the risks, it is not turned on by default – and most Jet vulnerabilities are still not patched, Palo Alto Networks says.
“The mitigation for the attack surface in ACE still remains imperfect, and we are working with Microsoft to release a complete patch for both MS Jet and ACE,” Yan told ISMG.
The Microsoft Jet Database Engine, including MS Jet and ACE, is over 20 years old, and a vast majority of the Jet modules have been found to be easily exploitable due to limited exploit mitigations, the researchers note.
“The remote database access feature connects the Jet vulnerabilities with IIS and SQL server components, thereby downgrading their security to the same level as the Jet Database Engine,” they add.
Assistant Editor, Global News Desk, ISMG
Ramesh has seven years of experience writing and editing stories on finance, enterprise and consumer technology, and diversity and inclusion. She has previously worked at formerly News Corp-owned TechCircle, business daily The Economic Times and The New Indian Express.

Covering topics in risk management, compliance, fraud, and information security.
By submitting this form you agree to our Privacy & GDPR Statement
whitepaper
whitepaper
whitepaper
whitepaper
Artificial Intelligence & Machine Learning
Government
Artificial Intelligence & Machine Learning
Encryption & Key Management
Cryptocurrency Fraud
Continue »
90 minutes · Premium OnDemand 
Overview
From heightened risks to increased regulations, senior leaders at all levels are pressured to improve their organizations’ risk management capabilities. But no one is showing them how – until now.
Learn the fundamentals of developing a risk management program from the man who wrote the book on the topic: Ron Ross, computer scientist for the National Institute of Standards and Technology. In an exclusive presentation, Ross, lead author of NIST Special Publication 800-37 – the bible of risk assessment and management – will share his unique insights on how to:
Sr. Computer Scientist & Information Security Researcher, National Institute of Standards and Technology (NIST)
Was added to your briefcase
Microsoft Database Engine Vulnerabilities Patched
Microsoft Database Engine Vulnerabilities Patched
Just to prove you are a human, please solve the equation:

Sign in now
Need help registering?
Contact support
Complete your profile and stay up to date
Contact Support
Create an ISMG account now
Create an ISMG account now
Need help registering?
Contact support
Sign in now
Need help registering?
Contact support
Sign in now
Our website uses cookies. Cookies enable us to provide the best experience possible and help us understand how visitors use our website. By browsing bankinfosecurity.com, you agree to our use of cookies.

source