SQL Server, TDS, and Everything Is A Vulnerability To Security

Security must be making the rounds again, as I’ve recently had quite a few inquiries about a “vulnerability” in SQL Server connections. I am in the camp of: if it isn’t easy to exploit, or is completely theoretical, or the exploit is barely an inconvenience (such as “could allow a local admin user to rearrange the startup order”), I don’t get very excited. Enter the old-fad-turned-new “vulnerability” of version information. Yes, you didn’t misread that. Version. Information. At the very worst it’s potentially information disclosure, and even that is a stretch.

What does this “vulnerability” look like? Well, if you guessed “it looks like part of the TDS specification” then you’d be a winner – the prize is a hearty pat on the back, administered by yourself (feel free to donate to the prize budget). If your reaction to this was also “WTF?”, you get a second pat on the back. Here it is, here’s the vulnerability: “16.0.1000”. That’s the version of the SQL Server that the TDS client connected to, returned as part of the pre-login data exchange. Oh no, what shall we ever do?

This is a non-issue for almost everyone. Sure, there are some places that will classify this as some sort of vulnerability (some automated scanning software does this) but I just don’t see it. You have the version, okay. Now what? You try exploits for that version? You could spray those anyway… it’s the whole “don’t use standard ports because SeKuRiTaH” argument.

Let’s say this is just such a _huge_ deal that it absolutely can’t happen, the worst thing in the world, stop the presses, halt the trains. Now what? It’s part of the TDS specification – maybe lobby Microsoft to change it. You could go the whole TDS 8 route (and upgrade to SQL 2022), which doesn’t get rid of the version being returned, but now the TDS exchanges happen after TLS, which will enhance your security a bit; it doesn’t really solve the “problem” though. You could put some sort of TDS firewall in between to substitute dummy data or strip the field out, but that seems like overkill for really no reason. I don’t even see it as a problem that needs a solution, so I don’t see why anything really needs to be done :shrug:.
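To make concrete what the pre-login exchange above actually carries, here is an added example (not part of the original post, and not Microsoft’s or any driver’s code) that decodes a TDS PRELOGIN response the way a client or a scanner does. It follows the option-table layout from the MS-TDS PRELOGIN description: an 8-byte packet header, then a table of one-byte option tokens with big-endian offset and length, terminated by 0xFF, followed by the option data. The packet it decodes is constructed in the script itself with a placeholder sub-build of 0, not captured from a real server. Running it against your own server’s pre-login reply is a quick way to see exactly which fields are visible in the clear with plain TDS, and which end up behind TLS once you move to TDS 8.

```python
"""Decode a TDS PRELOGIN response to see what a SQL Server discloses before login.

Added example, not code from the original post. The sample packet is built by
hand from the MS-TDS PRELOGIN layout; the sub-build number 0 is a placeholder.
"""
import struct

TDS_PRELOGIN = 0x12   # packet type shared by PRELOGIN request and response
HEADER_LEN = 8

# PRELOGIN option tokens (MS-TDS PRELOGIN message).
OPT_VERSION = 0x00
OPT_ENCRYPTION = 0x01
OPT_TERMINATOR = 0xFF

# Values carried in the ENCRYPTION option.
ENCRYPTION_NAMES = {
    0x00: "ENCRYPT_OFF",
    0x01: "ENCRYPT_ON",
    0x02: "ENCRYPT_NOT_SUP",
    0x03: "ENCRYPT_REQ",
}


def build_prelogin_response(major, minor, build, subbuild, encryption):
    """Construct a PRELOGIN response packet; used only to make the sample input."""
    version = struct.pack(">BBHH", major, minor, build, subbuild)  # UL_VERSION + US_SUBBUILD
    payloads = [(OPT_VERSION, version), (OPT_ENCRYPTION, bytes([encryption]))]
    table_len = 5 * len(payloads) + 1          # 5 bytes per entry plus terminator
    table, data, offset = b"", b"", table_len   # offsets are relative to the payload start
    for token, blob in payloads:
        table += struct.pack(">BHH", token, offset, len(blob))
        data += blob
        offset += len(blob)
    body = table + bytes([OPT_TERMINATOR]) + data
    # Header: type, status (0x01 = end of message), total length, SPID, packet id, window.
    header = struct.pack(">BBHHBB", TDS_PRELOGIN, 0x01, HEADER_LEN + len(body), 0, 1, 0)
    return header + body


def parse_prelogin_response(packet):
    """Return the VERSION and ENCRYPTION options a PRELOGIN response discloses."""
    if len(packet) < HEADER_LEN:
        raise ValueError("packet shorter than a TDS header")
    ptype, _status, length, _spid, _pkt_id, _window = struct.unpack(">BBHHBB", packet[:HEADER_LEN])
    if ptype != TDS_PRELOGIN:
        raise ValueError(f"not a PRELOGIN packet: type 0x{ptype:02x}")
    if length != len(packet):
        raise ValueError("header length does not match packet size")
    body = packet[HEADER_LEN:]

    # Walk the option table; every offset/length is bounds-checked against the payload.
    options, pos = {}, 0
    while True:
        if pos >= len(body):
            raise ValueError("option table missing terminator")
        token = body[pos]
        if token == OPT_TERMINATOR:
            break
        if pos + 5 > len(body):
            raise ValueError("truncated option table entry")
        offset, size = struct.unpack(">HH", body[pos + 1:pos + 5])
        if offset + size > len(body):
            raise ValueError(f"option 0x{token:02x} points outside the packet")
        options[token] = body[offset:offset + size]
        pos += 5

    result = {}
    if len(options.get(OPT_VERSION, b"")) == 6:
        major, minor, build, subbuild = struct.unpack(">BBHH", options[OPT_VERSION])
        result["version"] = f"{major}.{minor}.{build}.{subbuild}"
    if len(options.get(OPT_ENCRYPTION, b"")) == 1:
        code = options[OPT_ENCRYPTION][0]
        result["encryption"] = ENCRYPTION_NAMES.get(code, f"unknown(0x{code:02x})")
    return result


# Constructed sample: a server reporting 16.0.1000 (sub-build 0 as a placeholder)
# that offers encryption but does not require it.
SAMPLE_RESPONSE = build_prelogin_response(16, 0, 1000, 0, 0x00)

if __name__ == "__main__":
    print(parse_prelogin_response(SAMPLE_RESPONSE))
```

The decoder deliberately validates every offset before slicing, which is the part a real client gets wrong far more often than anything to do with the version string. Note also what the ENCRYPTION option tells you: with plain TDS the whole table, version included, is exchanged before any TLS handshake, which is precisely the ordering TDS 8 changes.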