MS SQL Server version detection reliability

Hi,

We have a host running MS SQL Server on which Greenbone is reporting this issue:
“Microsoft SQL Server Multiple Vulnerabilities (Jun 2023) - Remote Version Check” [OID: 1.3.6.1.4.1.25623.1.0.149815]

The version being detected by Greenbone is:
Installed version: 15.0.4316.0

This is also corroborated by the nmap “ms-sql-info” script (see screenshot)

However, checking locally, the version is 15.0.4316.3 (see screenshot)

It appears that Greenbone and nmap can’t correctly identify the minor version (at least in this case).

If one of the version detection methods here is “Microsoft’s SQL UDP Info Query” [OID: 1.3.6.1.4.1.25623.1.0.10674] - which has a “CAVEAT” in the description saying that this detection method is inaccurate for anything newer than 8.00.194 (which is extremely old) - should this version check perhaps be categorised along with the lower (30%) QoD checks instead?

I’d appreciate any feedback or insight that anyone could provide here.

Thanks

Hi Mick,
the mentioned Vulnerability Test (VT) gets the checked version from the response of the server on the specific port. The VT has a note inside:

  Note: Please create an override for this result if the ODBC Driver and OLE DB Driver have been
  updated separately.

Could this be the case here?
I will talk to the VT author, and we will get back to you then.

Greetings
VT-Dev


Thanks for the response. I’m not sure about whether those drivers are updated independently or not.

Possibly also relevant - I noticed on the official MS resource for SQL Server 2019 that the version 15.0.4316.0 does not appear anywhere (although 15.0.4316.3 does appear on the CU21 row). Also, there is no occurrence of any 15.0.4316.x prior to this. So maybe it’s sufficient to only check the version up until (and not including) the last revision number.

Just checking, was there any feedback/update from the VT author?

Thanks
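
The comparison suggested in the post above (decide on the version without its last revision number), as an added example that is not part of the thread and is not Greenbone's VT code. `FIXED_IN` is a constructed threshold, the function names are hypothetical, and the two versions other than 15.0.4316.0 and 15.0.4316.3 are constructed sample inputs.

```python
import re

# Constructed threshold for illustration; NOT the fixed-in version used by the VT.
FIXED_IN = "15.0.4316.3"

def parse_version(text):
    """Parse 'major.minor.build[.revision]' into a 4-tuple of ints."""
    text = text.strip()
    if not re.fullmatch(r"[0-9]+(\.[0-9]+){2,3}", text):
        raise ValueError(f"unexpected version format: {text!r}")
    nums = [int(p) for p in text.split(".")]
    return tuple(nums + [0] * (4 - len(nums)))

def naive_verdict(detected, fixed_in=FIXED_IN):
    """Four-component comparison that trusts the reported revision."""
    if parse_version(detected) < parse_version(fixed_in):
        return "vulnerable"
    return "not vulnerable"

def revision_aware_verdict(detected, fixed_in=FIXED_IN, revision_trusted=False):
    """Decide on major.minor.build; 'uncertain' if only the revision could decide.

    revision_trusted=True is for versions read locally on the host, where
    the fourth component is known to be accurate.
    """
    if revision_trusted:
        return naive_verdict(detected, fixed_in)
    d, f = parse_version(detected), parse_version(fixed_in)
    if d[:3] < f[:3]:
        return "vulnerable"
    if d[:3] > f[:3] or f[3] == 0:
        return "not vulnerable"
    # Same build, and the threshold depends on a revision that the remote
    # probe may have reported as 0: do not claim either way.
    return "uncertain"

if __name__ == "__main__":
    # 15.0.4000.0 and 15.0.5000.0 are constructed sample versions.
    for v in ("15.0.4316.0", "15.0.4316.3", "15.0.4000.0", "15.0.5000.0"):
        print(v, naive_verdict(v), revision_aware_verdict(v))
```

An "uncertain" result is the case that would map to a lower-confidence finding, since the outcome depends only on the revision component that the remote read got wrong here.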