On March 12, 2024, Microsoft published an important security update for SQL Server, addressing a serious vulnerability tracked as CVE-2024-26186. This flaw affects the Native Scoring feature of Microsoft SQL Server, potentially allowing attackers to run arbitrary code on the underlying system under certain conditions. In this post, we'll break down what CVE-2024-26186 is, how an attacker might exploit it, show code snippets that demonstrate the vulnerability, and share best practices to keep your systems safe.
What is Native Scoring in SQL Server?
Native Scoring is a feature introduced in SQL Server 2017 that lets users run pre-trained machine learning models directly inside SQL Server using the PREDICT function. This is useful for data scientists and developers who want fast predictions without moving data out of SQL Server. However, because it loads and evaluates external model files, it can introduce risks if not used carefully.
What is CVE-2024-26186?
The vulnerability allows anyone with the ability to execute T-SQL queries (and the right permissions) to run arbitrary code on the SQL Server host. This happens because untrusted or malicious ONNX model files processed by the PREDICT function can trigger unsafe behavior, leading to code execution with the permissions of the SQL Server service account.
Affected Versions: SQL Server 2019, 2022 (earlier may be impacted if Native Scoring installed)
- Patch Released: March 2024 Security Updates
- Microsoft Advisory: MSRC CVE-2024-26186
Example Attack Flow
Imagine a SQL Server user, bob, has permissions to use Native Scoring features. Bob uploads a seemingly harmless ONNX model file, but it contains malicious payload constructed to exploit this vulnerability. When Bob runs a query like below, the payload executes:
SELECT PREDICT(MODEL = @MaliciousModel,
DATA = dbo.InputData);
If the ONNX parser doesn't validate the file strictly, the attacker’s code executes with SQL Server privileges.
Proof-Of-Concept Code
> ⚠️ Disclaimer: The following is for educational purposes only. Never attempt exploitation on systems you do not own or have written approval to test.
Suppose you prepare a malicious ONNX file (evil_model.onnx). Assuming you have write access to C:\Models\ on your SQL Server, you run:
DECLARE @Model VARBINARY(MAX);
-- Load malicious model (this can be done outside SQL, or as a file on disk)
SELECT @Model = BulkColumn FROM OPENROWSET(BULK 'C:\Models\evil_model.onnx', SINGLE_BLOB) AS Model;
-- Attempt to exploit vulnerability
SELECT
PREDICT(MODEL = @Model,
DATA = dbo.InputData);
The malicious evil_model.onnx could contain a payload built to exploit how the server parses the file and trigger unsafe behavior (buffer overflow, DLL loading, etc).
*In known proof-of-concept exploits, attackers have crafted ONNX files to exploit improper buffer boundary checks, leading to code execution on Windows.*
Patch & Mitigations
Microsoft’s March 2024 patches include stricter validation of ONNX files and improves model loading routines. Update *all affected servers immediately*. Relevant links:
- Microsoft Security Update Guide: CVE-2024-26186
- SQL Server 2019: Security Update
- SQL Server 2022: Security Update
Other Best Practices
- Enforce Least Privilege: Only trusted users should have execute permissions on PREDICT and access to model files.
- Model Validation: Strictly control what ONNX files can be loaded and store models in secure folders.
Conclusion
CVE-2024-26186 exposes Microsoft SQL Server to dangerous remote code execution risk through model scoring features that process untrusted ONNX files. While powerful, this feature should be locked down and used with care. Patch your servers as soon as possible and audit your permissions and usage of Native Scoring.
References
- CVE-2024-26186 @ MSRC
- SQL Server Security Updates: March 2024
- ONNX model format documentation
Stay safe and keep your systems patched! If you have any questions or notes about this vulnerability, drop them in the comments below.
Timeline
Published on: 09/10/2024 17:15:16 UTC
Last modified on: 10/09/2024 01:26:05 UTC