Microsoft SQL Server, ODBC and OLE DB Driver for SQL Server Remote Code Execution (RCE) Vulnerabilities for June 2023

redbulljager 2023-09-29 19:33:22 UTC #1

Hopefully I am not adding to the pile of topics regarding Microsoft SQL Server, ODBC and OLE DB Driver for SQL Server Remote Code Execution (RCE) Vulnerabilities for June 2023. I have seen a couple topics on this but didn’t see much information in them regarding it. I did see Jason Walker posted in one of them “I’m afraid the news is not great. Traditionally our Patch team has not handled ODBC/OLEDB hotfixes, and I don’t anticipate publishing these any time soon”. So, I was wondering if anyone else that is having the same issue regarding the vulnerability and was wondering if anyone has tried to create a custom fixlet to deploy the fix.

redbulljager 2023-10-16 21:19:28 UTC #2

Seems like the SQL CU 22 corrects the issue on the DB servers but not app or web servers. I just wanted to put a reply out there to see if anyone else is running into this issue with ODBC drivers and if anyone has seen a fixlet for this or have created one to help remediate the issue.

pcpeteusa 2023-10-17 14:12:39 UTC #3

Our group ran into the same issue. We had to manually download the OLE driver and apply it to our webui server

BearPaw 2023-10-23 19:31:48 UTC #4

Here is what we came up with for relevance:

Note: ODBC driver v17.10.4.1 remediates CVE-2023-29356
ODBC driver v17.10.5.1 is the current version as of this post

Relevance to return Boolean result which determines who needs to be updated:
TRUE = Needs Updated to remediate CVE-2023-29356
FALSE = Is currently ODBC driver v17.10.4.1 or v17.10.5.1

q: if (exists keys “HKLM\SOFTWARE\Microsoft\Microsoft ODBC Driver 17 for SQL Server\CurrentVersion” of (x64 registries; x32 registries)) then (exists values “Version” whose (it != “17.10.4.1”) of keys “HKLM\SOFTWARE\Microsoft\Microsoft ODBC Driver 17 for SQL Server\CurrentVersion” of (x64 registries; x32 registries)) AND (exists values “Version” whose (it != “17.10.5.1”) of keys “HKLM\SOFTWARE\Microsoft\Microsoft ODBC Driver 17 for SQL Server\CurrentVersion” of (x64 registries; x32 registries)) else FALSE
A: True
T: 0.359 ms

Relevance to return concatenated x64; x32 ODBC versions:

q: concatenation "; " of (if (exists keys “HKLM\SOFTWARE\Microsoft\Microsoft ODBC Driver 17 for SQL Server\CurrentVersion” of (x64 registries; x32 registries)) then (values “Version” of keys “HKLM\SOFTWARE\Microsoft\Microsoft ODBC Driver 17 for SQL Server\CurrentVersion” of (x64 registries; x32 registries)) as string else “No Key”)
A: 17.10.1.1; 17.10.1.1
T: 0.210 ms

pcpeteusa 2023-10-24 12:21:52 UTC #5

There is yet a newer driver this month and again neither BigFix nor SCCM detect this