#VU49489 Input validation error in Microsoft SQL Server - CVE-2021-1636

Cybersecurity Help s.r.o.

Published: 2021-01-12 | Updated: 2021-01-12

Vulnerability identifier: #VU49489

Vulnerability risk: Medium

CVSSv4.0: 6.3 [CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Green]

CVE-ID: CVE-2021-1636

CWE-ID: CWE-20

Exploitation vector: Network

Exploit availability: No

Vulnerable software:
Microsoft SQL Server
Server applications / Database software

Vendor: Microsoft

Description

The vulnerability allows a remote user to escalate privileges on the system.

The vulnerability exists due to insufficient validation of user-supplied input, when the affected SQL Server is configured to run an Extended Event session. A remote user can send specially crafted data to the server and execute arbitrary code with elevated privileges.

Mitigation
Install updates from vendor's website.

Vulnerable software versions

Microsoft SQL Server: 2012 11.0.2100.60, 2014 12.0.2000.8, 2016 13.0.1601.5, 2017 14.0.1000.169, 2019 15.0.2000.5

External links
https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-1636

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote authenticated user via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

Latest bulletins with this vulnerability

Privilege escalation in Microsoft SQL Server