KB4036996: Security Update for SQL Server (August 2017) (uncredentialed check)

high Nessus Plugin ID 122485

Synopsis

The remote SQL server is affected by an information disclosure vulnerability.

Description

The remote Microsoft SQL Server is missing a security update. It is, therefore, affected by an information disclosure vulnerability in Microsoft SQL Server Analysis Services when it improperly enforces permissions. An attacker could exploit the vulnerability if the attacker's credentials allow access to an affected SQL server database. An attacker who successfully exploited the vulnerability could gain additional database and file information.

Solution

Microsoft has released a set of patches for SQL Server 2012, 2014, and 2016.

See Also

https://support.microsoft.com/en-us/help/4036996

https://support.microsoft.com/en-us/help/4032542

https://support.microsoft.com/en-us/help/4019095

https://support.microsoft.com/en-us/help/4019093

https://support.microsoft.com/en-us/help/4019092

https://support.microsoft.com/en-us/help/4019091

https://support.microsoft.com/en-us/help/4019090

https://support.microsoft.com/en-us/help/4019089

https://support.microsoft.com/en-us/help/4019088

https://support.microsoft.com/en-us/help/4019086

Plugin Details

Severity: High

ID: 122485

File Name: smb_nt_ms17_aug_mssql_remote.nasl

Version: 1.3

Type: remote

Agent: windows

Family: Windows

Published: 2/28/2019

Updated: 4/11/2022

Configuration: Enable paranoid mode, Enable thorough checks

Supported Sensors: Nessus

Risk Information

VPR

Risk Factor: Low

Score: 3.6

CVSS v2

Risk Factor: Medium

Base Score: 5

Temporal Score: 3.7

Vector: CVSS2#AV:N/AC:L/Au:N/C:P/I:N/A:N

CVSS Score Source: CVE-2017-8516

CVSS v3

Risk Factor: High

Base Score: 7.5

Temporal Score: 6.5

Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

Temporal Vector: CVSS:3.0/E:U/RL:O/RC:C

Vulnerability Information

CPE: cpe:/a:microsoft:sql_server

Required KB Items: Settings/ParanoidReport

Exploit Ease: No known exploits are available

Patch Publication Date: 8/8/2017

Vulnerability Publication Date: 8/8/2017

Reference Information

CVE: CVE-2017-8516

BID: 100041

MSFT: MS17-4019086, MS17-4019088, MS17-4019089, MS17-4019090, MS17-4019091, MS17-4019092, MS17-4019093, MS17-4019095, MS17-4032542, MS17-4036996

MSKB: 4019086, 4019088, 4019089, 4019090, 4019091, 4019092, 4019093, 4019095, 4032542, 4036996