Microsoft SQL Server End Of Life not detected

Hi, I’m scanning a Microsoft SQL Server 2014 12.00.5000.00 SP2. According to this page: https://docs.microsoft.com/en-us/lifecycle/products/sql-server-2014, the version has been end of life since Jan 14, 2020, but this is not reported (OpenVAS was able to detect the version).

OpenVAS also did not detect vulns for this version.

The MS SQL detection report was:

Detected Microsoft SQL Server 2014 SP2

Version: 12.0.5000.0
Location: 1433/tcp
CPE: cpe:/a:microsoft:sql_server_2014:sp2:12.0.5000.0

This is the code from gb_ms_kb4019093_remote.nasl:

CPE = "cpe:/a:microsoft:sql_server_2014:sp2";

include("version_func.inc");
include("host_details.inc");

if(!port = get_app_port(cpe:CPE))
  exit(0);

if(!vers = get_app_version(cpe:CPE, port:port))
  exit(0);

if(version_in_range(version:vers, test_version:"12.0.5000.0", test_version2:"12.0.5206.0")) {
  report = report_fixed_ver(installed_version:vers, vulnerable_range:"12.0.5000.0 - 12.0.5206.0");
  security_message(port:port, data:report);
  exit(0);
}

The get_app_version() function call above returns vers = sp212.0.5223.0, which is the wrong format to compare.
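The mismatch described in the post above, as an added Python example that is not part of the original thread and is not Greenbone's code: a version string with the service pack label glued onto the build number cannot be compared numerically until the label is split off. The function names are hypothetical, the inputs are constructed from the values quoted in the thread, and the service pack label is assumed to be `sp` plus a single digit.

```python
import re

# Constructed inputs, taken from the values quoted in the thread.
CPE = "cpe:/a:microsoft:sql_server_2014:sp2:12.0.5000.0"
RANGE = ("12.0.5000.0", "12.0.5206.0")

def split_cpe(cpe):
    """Return (service_pack, build) from a CPE laid out like the reported one."""
    parts = cpe.split(":")  # ['cpe', '/a', vendor, product, sp, build]
    if len(parts) < 6:
        raise ValueError("CPE has no separate service pack and build fields")
    return parts[4], parts[5]

def normalize(version):
    """Split an optional glued-on 'spN' label from a dotted build number.

    Assumption: the label is 'sp' plus one digit, e.g. 'sp212.0.5000.0'.
    """
    m = re.fullmatch(r"(?:sp(\d))?(\d+(?:\.\d+)*)", version, re.IGNORECASE)
    if not m:
        raise ValueError(f"unrecognized version string: {version!r}")
    sp = f"sp{m.group(1)}" if m.group(1) else None
    return sp, m.group(2)

def as_tuple(version):
    """Convert '12.0.5000.0' to (12, 0, 5000, 0) for numeric comparison."""
    return tuple(int(p) for p in version.split("."))

def in_range(version, low, high):
    return as_tuple(low) <= as_tuple(version) <= as_tuple(high)

def naive_in_range(version, low, high):
    """Strict comparator fed the raw string: the check silently never fires."""
    try:
        return in_range(version, low, high)
    except ValueError:
        return False

def check(raw_version, low=RANGE[0], high=RANGE[1]):
    """Normalize first, then compare only the build number against the range."""
    sp, build = normalize(raw_version)
    return sp, build, in_range(build, low, high)

if __name__ == "__main__":
    print(split_cpe(CPE))
    print(naive_in_range("sp212.0.5000.0", *RANGE))
    print(check("sp212.0.5000.0"))
```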

Hi everyone, any update about this?

Hi,

Just a short side note: do you use the Greenbone Enterprise Feed?

If so, please open a support ticket; if not, Enterprise Products seem to no longer be supported on the GCF.

No. I’m using the Community Feed; the plugins I mentioned above are included in the feed.

I’m just reporting the problem. I think that whether it is Enterprise Products or not, the error exists and still needs to be fixed.

Hi,

Thanks for the report. The version comparison does indeed need an adjustment for Service Packs. I’ve raised an internal ticket to address this.

EoL detection will now and then be updated with a low priority. Nonetheless, we will have a look at it as well.

Note: As mentioned by Lukas, more recent checks for MS SQL Server are only available in the Greenbone Enterprise Feed. However, we will of course update existing VTs already in the Community Feed. So thanks for reaching out to us!

A short follow up. The MS SQL VTs got a rework and the EoL checks got updated now. This will arrive in one of the next feed updates. Please let us know if there are any additional problems.
