Multiple vulnerabilities in Microsoft SQL Server

Description

Multiple serious vulnerabilities have been found in Microsoft SQL Server. Malicious users can exploit these vulnerabilities to gain privileges or obtain sensitive information.

Below is a complete list of vulnerabilities

1. An improper pointer casting handling can be exploited by remotely authenticated attackers to gain privileges;
2. An improper request parameters validation at MDS can be exploited remotely via XSS attack to gain privileges;
3. Lack of parameters restrictions at Microsoft SQL Analysis Service can be exploited by remotely authenticated attacker to obtain sensitive information;
4. An improper ACL check at Microsoft SQL Server Agent can be exploited by remotely authenticated attackers to gain privileges.

Original advisories

• MS16-136

• CVE-2016-7254
• CVE-2016-7253
• CVE-2016-7252
• CVE-2016-7251
• CVE-2016-7250
• CVE-2016-7249

Related products

• Microsoft-SQL-Server

CVE list

• CVE-2016-7254
  high
• CVE-2016-7253
  high
• CVE-2016-7252
  warning
• CVE-2016-7251
  warning
• CVE-2016-7250
  high
• CVE-2016-7249
  high

KB list

• 3194718
• 3194724
• 3194725
• 3194720
• 3194722
• 3194714
• 3194719
• 3194717
• 3194716
• 3194721

Read more

Find out the statistics of the vulnerabilities spreading in your region on statistics.securelist.com