Remote buffer overflow in Microsoft SQL Server

Published: 2018-08-14 22:23:43
Severity Medium
Patch available YES
Number of vulnerabilities 1
CVE ID CVE-2018-8273
CVSSv3 7.1 [CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C]
CWE ID CWE-119
Exploitation vector Network
Public exploit N/A
Vulnerable software Microsoft SQL Server
Vulnerable software versions Microsoft SQL Server 2016
Microsoft SQL Server 2017
Vendor URL Microsoft

Security Advisory

1) Buffer overflow

Description

The vulnerability allows a remote attacker to execute arbitrary code on the target system.

The vulnerability exists due to boundary error when processing SQL queries. A remote attacker with ability to manipulate SQL query can trigger buffer overflow and execute arbitrary code on the vulnerable database server in the context of the SQL Server Database Engine service account. 

Please, note this vulnerability can be also exploited by anonymous attacker via SQL injection vulnerability.

Remediation

Install updates from vendor's website.

External links

https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2018-8273

Back to List