Microsoft Database Engine Vulnerabilities Patched
Exploits Could Enable Remote Attacks on MS IIS and SQL
Researchers at Palo Alto Networks' Unit 42 say they have demonstrated how exploits of Microsoft Jet Database Engine vulnerabilities could lead to remote attacks on Microsoft Internet Information Services and Microsoft SQL Server to gain system privileges. Microsoft says it recently patched the flaws.
Palo Alto Networks did not report on whether any exploits using the vulnerabilities were found in the wild. However, Tao Yan, a security researcher with Palo Alto Networks' Unit 42 team, tells Information Security Media Group that its researchers reported around 100 Jet vulnerabilities to Microsoft in 2020, though Microsoft only fixed a small number of them.
"It seems that Microsoft's strategy is to mitigate the whole attack surface instead of fixing each individual vulnerability, one by one," Yan says.
IIS is a general-purpose web server that runs on Windows, while SQL Server is a relational database management system.
Palo Alto Networks described the exploits in a presentation at the recent Black Hat Asia 2021 event.
The exploits take advantage of remote database access supported in Microsoft Jet Database Engine, including Jet Red Database Engine and Access Connectivity Engine, the researchers say.
"When misused, the feature allows attackers to execute SQL queries on the fully controlled database file on the remote attacker’s controlled server," the researchers explain. "Once the remote legitimate database file is replaced with a malformed database file, executing SQL queries on it could break the code precondition and assumptions in Microsoft Jet/ACE, leading to vulnerabilities in many Jet components.
"The typical attack scenarios are SQL injection and ad hoc. In these two scenarios, attackers can execute any SQL queries on the malformed databases in the IIS and SQL server. The resulting Jet vulnerabilities will impact the IIS and SQL server."
Remote database access allows attackers to replace a legitimate database with a malformed one, the researchers say.
During code development and testing in MS Jet and ACE, developers might not have considered the possibility of the database being malformed, so the researchers decided to explore the idea of mutating both SQL queries and database files. That fuzzing strategy enabled the researchers to discover the 100 vulnerabilities in MS Jet and ACE.
Most of the vulnerabilities could be used to attack IIS and SQL Server under SQL injection and ad hoc scenarios, the researchers say.
Palo Alto Networks says, "any components supporting MS Jet and ACE on Windows could be vulnerable, as long as the component allows users to execute any query on the controllable database with MS Jet and ACE."
Microsoft has assigned the flaws the designation CVE-2021-28455 and released a patch.
The patch introduces an option to disable remote database access in the MS Jet component and ACE component.
By default, installing these updates makes no changes to how the Jet Red Database Engine or ACE is accessed, a Microsoft spokesperson tells Information Security Media Group. Microsoft has also provided more information on blocking access to remote databases.
Microsoft recommends customers with any app compatibility issues consider additional security measures.
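One way to check a SQL Server instance for exposure to the ad hoc scenario described above. This is an added example, not code from Microsoft or Palo Alto Networks. It assumes the "ad hoc" scenario corresponds to SQL Server's Ad Hoc Distributed Queries option and that linked servers using the Jet or ACE OLE DB providers are the relevant entry points:

```sql
-- Added example: read-only audit of a SQL Server instance for paths that
-- reach the Jet/ACE engine. It changes no settings.

-- 1. Is the ad hoc path open?
--    Assumption: the article's "ad hoc" scenario maps to this server option,
--    which controls OPENROWSET/OPENDATASOURCE use of OLE DB providers.
SELECT name,
       CAST(value_in_use AS int) AS value_in_use,
       CASE CAST(value_in_use AS int)
            WHEN 1 THEN 'ENABLED: review whether ad hoc provider access is needed'
            ELSE 'disabled'
       END AS finding
FROM sys.configurations
WHERE name = N'Ad Hoc Distributed Queries';

-- 2. Which linked servers go through Jet or ACE, and do any of them
--    point at a database file on another host?
SELECT s.name        AS linked_server,
       s.provider,
       s.data_source,
       CASE
           WHEN s.data_source LIKE N'\\%' THEN 'remote (UNC path)'
           -- A mapped drive letter can also be remote; verify these by hand.
           ELSE 'local path or mapped drive'
       END           AS data_source_location,
       s.modify_date
FROM sys.servers AS s
WHERE s.is_linked = 1
  AND (s.provider LIKE N'Microsoft.Jet.OLEDB%'
       OR s.provider LIKE N'Microsoft.ACE.OLEDB%')
ORDER BY data_source_location DESC, s.name;
```

An instance with the option disabled and no Jet or ACE linked servers still reaches the engine if an application on the same host opens Access databases on behalf of users, so this audit covers only the SQL Server side.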
Palo Alto Networks: Patch Imperfect
Although the patch mitigates the risks, it is not turned on by default - and most Jet vulnerabilities are still not patched, Palo Alto Networks says.
"The mitigation for the attack surface in ACE still remains imperfect, and we are working with Microsoft to release a complete patch for both MS Jet and ACE," Yan told ISMG.
The Microsoft Jet Database Engine, including MS Jet and ACE, is over 20 years old, and a vast majority of the Jet modules have been found to be easily exploitable due to limited exploit mitigations, the researchers note.
"The remote database access feature connects the Jet vulnerabilities with IIS and SQL server components, thereby downgrading their security to the same level as the Jet Database Engine," they add.