Microsoft SQL Server, ODBC and OLE DB Driver for SQL Server Remote Code Execution (RCE) Vulnerabilities for June 2023

Hopefully I am not adding to the pile of topics regarding Microsoft SQL Server, ODBC and OLE DB Driver for SQL Server Remote Code Execution (RCE) Vulnerabilities for June 2023. I have seen a couple of topics on this but didn’t see much information in them regarding it. I did see Jason Walker posted in one of them: “I’m afraid the news is not great. Traditionally our Patch team has not handled ODBC/OLEDB hotfixes, and I don’t anticipate publishing these any time soon”. So, I was wondering if anyone else is having the same issue regarding the vulnerability, and whether anyone has tried to create a custom fixlet to deploy the fix.

Seems like SQL CU 22 corrects the issue on the DB servers but not on app or web servers. I just wanted to put a reply out there to see if anyone else is running into this issue with ODBC drivers, and if anyone has seen a fixlet for this or has created one to help remediate the issue.

Our group ran into the same issue. We had to manually download the OLE DB driver and apply it to our webui server.

Here is what we came up with for relevance:

Note: ODBC driver v17.10.4.1 remediates CVE-2023-29356
ODBC driver v17.10.5.1 is the current version as of this post

Relevance to return a Boolean result which determines who needs to be updated:
TRUE = Needs updating to remediate CVE-2023-29356
FALSE = Is currently ODBC driver v17.10.4.1 or v17.10.5.1

q: if (exists keys "HKLM\SOFTWARE\Microsoft\Microsoft ODBC Driver 17 for SQL Server\CurrentVersion" of (x64 registries; x32 registries)) then (exists values "Version" whose (it != "17.10.4.1" AND it != "17.10.5.1") of keys "HKLM\SOFTWARE\Microsoft\Microsoft ODBC Driver 17 for SQL Server\CurrentVersion" of (x64 registries; x32 registries)) else FALSE
A: True
T: 0.359 ms

Relevance to return the concatenated x64; x32 ODBC versions:

q: concatenation "; " of (if (exists keys "HKLM\SOFTWARE\Microsoft\Microsoft ODBC Driver 17 for SQL Server\CurrentVersion" of (x64 registries; x32 registries)) then (values "Version" of keys "HKLM\SOFTWARE\Microsoft\Microsoft ODBC Driver 17 for SQL Server\CurrentVersion" of (x64 registries; x32 registries)) as string else "No Key")
A: 17.10.1.1; 17.10.1.1
T: 0.210 ms

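For anyone who wants to validate the relevance result outside BigFix (for example from an SCCM compliance script or by hand on a web server), here is an added PowerShell check that is not part of the thread above. It reads the same `CurrentVersion\Version` value from both registry views, casts it to `[version]`, and reports TRUE when an installed copy is below 17.10.4.1, the version the thread identifies as remediating CVE-2023-29356. The 32-bit view path under `WOW6432Node` is an assumption about how the x32 registry is exposed on 64-bit Windows; the ODBC key path itself is the one quoted in the relevance.

```powershell
# Added example, not from the thread: report whether ODBC Driver 17 for SQL Server
# needs updating, based on the registry key the thread's relevance queries.
# Assumption: the 32-bit view on 64-bit Windows is reachable under WOW6432Node.

$MinimumFixed = [version]'17.10.4.1'   # version named in the thread as remediating CVE-2023-29356

$KeyPaths = @(
    'HKLM:\SOFTWARE\Microsoft\Microsoft ODBC Driver 17 for SQL Server\CurrentVersion',             # x64 view
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Microsoft ODBC Driver 17 for SQL Server\CurrentVersion'  # x32 view (assumed path)
)

function Test-OdbcDriverNeedsUpdate {
    param(
        [string[]]$Paths   = $KeyPaths,
        [version] $Minimum = $MinimumFixed
    )
    foreach ($path in $Paths) {
        $installed = $null
        if (Test-Path -Path $path) {
            # -ErrorAction SilentlyContinue covers a key that exists without a Version value
            $raw = (Get-ItemProperty -Path $path -Name 'Version' -ErrorAction SilentlyContinue).Version
            if ($raw) { $installed = [version]$raw }
        }
        [pscustomobject]@{
            KeyPath     = $path
            Installed   = if ($installed) { $installed.ToString() } else { 'No Key' }   # mirrors the thread's "No Key"
            NeedsUpdate = [bool]($installed -and ($installed -lt $Minimum))           # version compare, not string compare
        }
    }
}

$report = Test-OdbcDriverNeedsUpdate
$report | Format-Table -AutoSize

# Overall verdict follows the thread's convention: TRUE = needs updating, FALSE = already at a fixed version.
$needsUpdate = @($report | Where-Object { $_.NeedsUpdate }).Count -gt 0
"Needs update: $needsUpdate"
```

Comparing as `[version]` rather than against a fixed list of strings means the check stays correct when a newer driver (such as 17.10.5.1, or later releases) is installed; raise `$MinimumFixed` if a later hotfix becomes the required baseline.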

There is yet a newer driver this month, and again neither BigFix nor SCCM detects this.