CVE-2022-35836 – Microsoft OLE DB Provider for SQL Server Remote Code Execution Vulnerability (13th Sep 2022)

Preface: Failures happen all the time; what matters is knowing how to deal with them.

Background: The new OLE DB provider is called the Microsoft OLE DB Driver for SQL Server (MSOLEDBSQL). The older Microsoft OLE DB Provider for SQL Server (SQLOLEDB) still ships as part of Windows Data Access Components, but it is no longer maintained and is not recommended for new development. An application built on the OLE DB Driver for SQL Server library can use ADO together with the OLE DB Driver for SQL Server.
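Because the legacy SQLOLEDB provider and the newer MSOLEDBSQL driver are selected purely by the Provider= keyword in a connection string, the first practical step on the defender's side is to find out which one each application actually uses. The following Python script is an added example (it is not part of the original post and not Microsoft code): it parses OLE DB/ADO connection strings, normalises the Provider value, and flags the deprecated SQLOLEDB provider. The XML config lines, server names and the connectionString attribute pattern it scans are constructed for the example; the ProgIDs SQLOLEDB and MSOLEDBSQL come from the post, and the fact that ADO falls back to its default provider (MSDASQL) when Provider= is absent is standard ADO behaviour.

```python
import re

# Constructed sample: .NET-style <connectionStrings> entries as they might appear in an app.config.
SAMPLE_CONFIG = """\
<add name="Orders"  connectionString="Provider=SQLOLEDB;Data Source=db01;Initial Catalog=Orders;Integrated Security=SSPI" />
<add name="Reports" connectionString="Provider=MSOLEDBSQL;Data Source=db02;Initial Catalog=Reports;Integrated Security=SSPI" />
<add name="Legacy"  connectionString="Provider=SQLOLEDB.1;Data Source=db03;User ID=app;Password=placeholder" />
<add name="Odbc"    connectionString="Data Source=db04;Initial Catalog=Misc;Integrated Security=SSPI" />
"""

# Matches connectionString="..." attributes; assumption: values contain no embedded double quotes.
CONN_STR_RE = re.compile(r'connectionString\s*=\s*"([^"]*)"', re.IGNORECASE)


def parse_connection_string(conn_str):
    """Split an OLE DB / ADO connection string into a dict keyed by lower-cased keyword.

    Keywords are case-insensitive; values may be wrapped in single quotes, double
    quotes or braces. Values that themselves contain ';' are not handled (rare in
    practice and out of scope for an inventory check).
    """
    result = {}
    for part in conn_str.split(";"):
        if "=" not in part:
            continue
        key, _, value = part.partition("=")
        key = key.strip().lower()
        value = value.strip()
        if len(value) >= 2 and value[0] == value[-1] and value[0] in "'\"":
            value = value[1:-1]
        elif value.startswith("{") and value.endswith("}"):
            value = value[1:-1]
        result[key] = value
    return result


def classify_provider(provider):
    """Map a Provider= value to one of: deprecated, current, other, no-provider."""
    if provider is None:
        # Without Provider=, ADO uses its default provider (MSDASQL, OLE DB for ODBC).
        return "no-provider"
    # Version-qualified ProgIDs such as "SQLOLEDB.1" normalise to their base name.
    base = provider.strip().upper().split(".")[0]
    if base == "SQLOLEDB":
        return "deprecated"          # legacy provider: still ships, no longer maintained
    if base.startswith("MSOLEDBSQL"):
        return "current"             # Microsoft OLE DB Driver for SQL Server (later versions carry a version suffix)
    return "other"


def audit_config(text):
    """Return one finding per connection string found in the config text."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        for m in CONN_STR_RE.finditer(line):
            kv = parse_connection_string(m.group(1))
            provider = kv.get("provider")
            findings.append({
                "line": lineno,
                "provider": provider,
                "verdict": classify_provider(provider),
                "data_source": kv.get("data source"),
            })
    return findings


if __name__ == "__main__":
    for f in audit_config(SAMPLE_CONFIG):
        flag = "REVIEW" if f["verdict"] == "deprecated" else "ok"
        print(f"line {f['line']:>2}: provider={f['provider']!s:<14} -> {f['verdict']:<12} [{flag}] data_source={f['data_source']}")
```

Point the scanner at real config files (or grep output) to build an inventory of applications still bound to SQLOLEDB; those are the places where the migration to MSOLEDBSQL and the September patch deserve the most attention.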

Vulnerability details: Certain versions of Windows from Microsoft contain the following vulnerability:
Microsoft OLE DB Provider for SQL Server Remote Code Execution Vulnerability. This CVE ID is unique from CVE-2022-34731, CVE-2022-34733, CVE-2022-35834, CVE-2022-35835, & CVE-2022-35840.

My observation: Because Microsoft did not disclose the root cause, my guess is that one possible trigger is ADO used together with the OLE DB Driver for SQL Server. My speculation is shown in the diagram. Let's recall CVE-2019-0888.

A remote code execution vulnerability exists in the way that ActiveX Data Objects (ADO) handle objects in memory. An attacker who successfully exploited the vulnerability could execute arbitrary code with the victim user’s privileges. An attacker could craft a website that exploits the vulnerability and then convince a victim user to visit the website. The security update addresses the vulnerability by modifying how ActiveX Data Objects handle objects in memory.

Even if my speculation turns out not to be the correct story, the bottom line is the same: we should apply the patch.

Official announcement – Please refer to the link for details – https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2022-35836
