MS12-070 - Vulnerability in SQL Server Could Allow Elevation of Privilege (2754849)


Details
Vulnerability name/brief description MS12-070 - Vulnerability in SQL Server Could Allow Elevation of Privilege (2754849)
CVE/CAN name
Vendor threat level Important
SophosLabs threat level Medium
Solution MS12-070
Vendor description This security update resolves a privately reported vulnerability in Microsoft SQL Server on systems running SQL Server Reporting Services (SSRS). The vulnerability could allow elevation of privilege if a user clicks a specially crafted link in an email message or browses to a webpage that is used to exploit the vulnerability. The XSS Filter in Internet Explorer 8, Internet Explorer 9, and Internet Explorer 10 prevents this attack for Internet Explorer 8, Internet Explorer 9, and Internet Explorer 10 users when browsing to websites in the Internet Zone. The XSS Filter in Internet Explorer 8, Internet Explorer 9, and Internet Explorer 10 is not enabled by default in the Intranet Zone.
SophosLabs comments This privately reported elevation of privilege vulnerability is caused by the SQL Server Report Manager failing to validate, and encode, a request parameter before reflecting it into a response from the Report Manager site. An attacker attempting to exploit this vulnerability would first craft a specially created file containing code, in anticipation of the server misinterpreting its own response to one very specific request. Because this is a reflected XSS attack, the attack vector is the request itself: Report Manager embeds the supplied script in its response to that request, and the vulnerability is triggered when that response is rendered. This happens because the reflected parameter in the response is unencoded, so the browser interprets it as code rather than treating it as non-executable text content. It should be noted that reflected cross-site scripting is one of the most common modes of attack used by malware authors. Although this vulnerability was disclosed privately and no samples using this exploit have been received, SophosLabs still urges users to update as soon as possible.
SophosLabs testing result No SophosLabs testing result found
Currently known exploits No currently known exploits found
First sample seen No samples found
Discovery date 08 Oct 2012
Affected software
  • Microsoft SQL Server 2005 Express Edition with Advanced Services Service Pack 4[1]
  • Microsoft SQL Server 2005 for 32-bit Systems Service Pack 4[1]
  • Microsoft SQL Server 2005 for x64-based Systems Service Pack 4[1]
  • Microsoft SQL Server 2005 for Itanium-based Systems Service Pack 4[1]
  • Microsoft SQL Server 2008 for 32-bit Systems Service Pack 2[1]
  • Microsoft SQL Server 2008 for 32-bit Systems Service Pack 3[1]
  • Microsoft SQL Server 2008 for x64-based Systems Service Pack 2[1]
  • Microsoft SQL Server 2008 for x64-based Systems Service Pack 3[1]
  • Microsoft SQL Server 2008 for Itanium-based Systems Service Pack 2[1]
  • Microsoft SQL Server 2008 for Itanium-based Systems Service Pack 3[1]
  • Microsoft SQL Server 2008 R2 for 32-bit Systems Service Pack 1[1]
  • Microsoft SQL Server 2008 R2 for x64-based Systems Service Pack 1[1]
  • Microsoft SQL Server 2008 R2 for Itanium-based Systems Service Pack 1[1]
  • Microsoft SQL Server 2012 for 32-bit Systems[1]
  • Microsoft SQL Server 2012 for x64-based Systems[1]
References
Credits
  • MAPP
Revisions
  • Oct 8, 2012 - Initial analysis written
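The SophosLabs comments above describe the defect class behind MS12-070: a request parameter copied into an HTML response without output encoding. The following example, added here and not code from Microsoft, SSRS or Sophos, shows that vulnerable pattern beside the hardened one and a benign reflection check a tester can use to confirm a patched server encodes what it reflects. The page template, the host reports.example, the page path and the parameter name q are constructed assumptions; the advisory does not name the affected parameter.

```python
"""Unencoded reflection (the MS12-070 defect class) versus HTML-encoded
reflection, plus a check that verifies encoding with a benign marker.
Added example; the template, URL and parameter name are constructed."""
import html
from urllib.parse import parse_qs, urlencode, urlsplit

# Constructed stand-in for a Report Manager-style page; the real SSRS
# page markup and parameter name are not given in the advisory.
TEMPLATE = "<html><body><h1>Report: {value}</h1></body></html>"
PAGE = "https://reports.example/Reports/Page.aspx"


def build_url(value: str) -> str:
    """Build a request URL that carries `value` in the constructed `q` parameter."""
    return PAGE + "?" + urlencode({"q": value})


def _param(url: str) -> str:
    """Extract the reflected parameter exactly as a server would parse it."""
    return parse_qs(urlsplit(url).query).get("q", [""])[0]


def render_unencoded(url: str) -> str:
    """Vulnerable pattern: the parameter lands in the page verbatim, so any
    markup it contains is interpreted by the browser as code."""
    return TEMPLATE.format(value=_param(url))


def render_encoded(url: str) -> str:
    """Hardened pattern: HTML-encode before the value reaches the response.
    quote=True also encodes quotes, keeping the value inert inside attributes."""
    return TEMPLATE.format(value=html.escape(_param(url), quote=True))


# Benign marker: contains only the characters that must be encoded ('<',
# '"', '>') and executes nothing, so it is safe to reflect during a check.
MARKER = '<"rm-check">'


def reflects_unencoded(response_body: str, marker: str = MARKER) -> bool:
    """True when the raw marker came back unchanged, i.e. the server still
    emits reflected input as markup rather than as encoded text."""
    return marker in response_body


if __name__ == "__main__":
    url = build_url(MARKER)
    print("vulnerable reflects raw marker:", reflects_unencoded(render_unencoded(url)))
    print("hardened reflects raw marker:  ", reflects_unencoded(render_encoded(url)))
```

Against a live server the same check is the response body of one request carrying MARKER; a raw marker in the body means the reflected parameter is still unencoded.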

Explanation of terms

Vulnerability Name/Brief Description:

Vendor identifier plus a brief description of the type of attack.

CVE/CAN Name:

Currently assigned CVE name. If a CVE name doesn't exist the CAN name will be used until a CVE has been assigned.

Vendor Threat Level:

Threat level assigned by the vendor.

SophosLabs Threat Level:

Threat level assigned by SophosLabs.

  • LOW RISK - There is little chance of this vulnerability being actively exploited by malware.
  • MEDIUM RISK - There is a possibility of this vulnerability being actively exploited by malware.
  • HIGH RISK - There is a strong possibility of this vulnerability being actively exploited by malware.
  • CRITICAL RISK - This vulnerability will almost certainly be actively exploited by malware.

Solution:

Vendor-supplied Patch identifier and recommended solution, or workaround if applicable.

Vendor Description:

Summary of the cause and potential effect of the vulnerability provided by the vendor.

SophosLabs Comments:

SophosLabs' opinions and observations of the vulnerability in question.

SophosLabs Testing Result:

Details of completed lab testing, if applicable. Please note that the lab test environment may differ significantly from user environments.

Currently Known Exploits:

List of identities for known exploits, if applicable.

First Sample Seen:

Date of the first sample seen by SophosLabs.

Discovery Date:

Date of the earliest known publicly disclosed advisory.

Affected Software:

Vulnerable platforms and software versions.