Tuesday, December 23, 2008 7:30 AM/EST

Microsoft Issues Advisory on SQL Vulnerability

Microsoft has issued a security advisory for a vulnerability in certain versions of SQL Server and other SQL products.

The vulnerability, complete with proof-of-concept exploit code, had been disclosed publicly by SEC Consult on Dec. 9. The disclosure says that Microsoft had been notified of it in April, had acknowledged it, but had stopped responding to SEC Consult requests for status.

The vulnerability is in a stored procedure named sp_replwritetovarbin. A crafted call to this stored procedure triggers a heap buffer overflow in the server that writes to a location the caller controls. Invoking it requires an authenticated user, local or remote, but an attacker can get around that requirement through SQL injection or by compromising a vulnerable Web application. We don't know of any actual exploits yet using this vulnerability.

The vulnerability affects some Microsoft SQL products, but not others, and some more seriously than others. All supported versions of SQL Server 2000 appear to be vulnerable. SQL Server 2005 SP2 is vulnerable, but SP3 is not. SQL Server 2008 is not vulnerable, and neither is SQL Server 7.0 SP4, the only supported version of 7.0 and a very old one. It's an odd combination.

Perhaps the most common versions that are technically vulnerable, SQL Server Desktop Engine 2000 (MSDE 2000) and SQL Server 2005 Express, do not allow remote connections by default. This means that an attacker would have to have local access to the system in order to attack it; I think such systems aren't as likely as servers to be vulnerable to SQL injection or other hacks associated with Internet-facing servers. It's a problem on these systems, but not as serious as on others.

A Microsoft Security Vulnerability Research & Defense blog entry gives some more analysis on the vulnerability, especially with regard to the implications of a compromise through this flaw. The privileges of the attacker would vary depending on the server version and how the system was configured during installation, but even in the more benign cases, it's possible to use other attacks to escalate privilege once in.

The Microsoft advisory and other public Microsoft statements give the usual line about how "... Microsoft will take the appropriate action to help protect our customers" and that this may include a patch. Note that the SEC Consult advisory states that Microsoft told them in September that a fix had been completed, but they said nothing about plans for its distribution.

Microsoft also issued a workaround as part of the advisory, to use permissions to deny access to sp_replwritetovarbin. Denying access to it shouldn't affect most systems. Microsoft describes the procedure this way:

It [sp_replwritetovarbin] is called as a trigger for user modifications during transactional replication with updatable subscriptions. So if your SQL installation does not include replication, the workaround will have no effect other than to protect you from this vulnerability. The workaround will also have no impact on your database installation if you use transaction replication with read-only subscriptions, bi-directional, or peer-to-peer settings. It is only transactional replication with updatable subscriptions that is impacted.
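The permission-based workaround the article describes, written out as an added example (this is not code from the article or quoted from Microsoft's advisory). It assumes sp_replwritetovarbin lives in the master database, that the statements are run by a sysadmin, and that the verification queries run on SQL Server 2005 (sys.database_permissions) or SQL Server 2000 (sysprotects) respectively; the numeric protecttype and action codes for the 2000 query are taken from Books Online.

```sql
-- Added example: deny EXECUTE on the vulnerable replication procedure to the
-- public role so that no ordinary login can reach it. Assumes the procedure is
-- in master and that the session has sysadmin rights.
USE master;
GO
DENY EXECUTE ON sp_replwritetovarbin TO public;
GO

-- Verification on SQL Server 2005: a DENY row for EXECUTE on the procedure
-- should now exist for the grantee 'public'. (sys.database_permissions and
-- sys.objects do not exist on SQL Server 2000.)
SELECT p.state_desc, p.permission_name,
       USER_NAME(p.grantee_principal_id) AS grantee
FROM sys.database_permissions AS p
JOIN sys.objects AS o ON o.object_id = p.major_id
WHERE o.name = 'sp_replwritetovarbin'
  AND p.permission_name = 'EXECUTE';
-- Expected: one row with state_desc = 'DENY' and grantee = 'public'.

-- Verification on SQL Server 2000, where permissions are stored in sysprotects.
-- Per Books Online: protecttype 206 = DENY, action 224 = EXECUTE.
SELECT OBJECT_NAME(id) AS object_name, USER_NAME(uid) AS grantee,
       protecttype, action
FROM sysprotects
WHERE id = OBJECT_ID('sp_replwritetovarbin')
  AND action = 224;
-- Expected: a row for 'public' with protecttype = 206.
```

One caveat worth checking before relying on this: members of the sysadmin role bypass permission checks entirely, so the DENY does nothing for a Web application that connects as sa or another sysadmin login. In that case the workaround only helps once the application's login has been moved to a least-privilege account; a patch, or the non-vulnerable service pack where one exists, is the real fix.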

It would seem that Microsoft doesn't think too much of this vulnerability. How serious is it? That depends on how many servers, especially Internet-facing servers, are running vulnerable versions of the products. The mix of vulnerable/not-vulnerable products and mitigations baffles me, and I don't understand the company's hesitance to issue a patch, especially one that has been available for three months.
