This browser is no longer supported.
Upgrade to Microsoft Edge to take advantage of the latest features, security updates, and technical support.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(224.00000000000003, 43%, 31%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EJA%3C/text%3E%3C/svg%3E)
Here's the SQL for this vulnerability. My application database has neither 'certificates' or 'asymmetric keys' - but every Stored Procedure in this database is flagged.
The issue is the second IIF statement. As both the certificate & asymmetric key lookups are left JOINS
and I have no data - the query is defaulting to 'Asymmetic Key' - which I don't have.
Could someone correct the vulnerability according. Thanks.
AJ
SELECT
QUOTENAME(sc.name) + '.' + QUOTENAME(oj.name) AS [Module]
,IIF(ct.certificate_id IS NOT NULL, ct.name, ak.name) AS [Signing Object]
,dp.name AS [Signing Object Owner]
,cp.thumbprint AS [Signing Object Thumbprint]
,oj.modify_date AS [Last Definition Modify Date]
,IIF(ct.certificate_id IS NOT NULL, 'CERTIFICATE', 'ASYMMETRIC KEY') AS [Signing Object Type]
-- For debbuging, uncomment following lines:
-- ,IIF(ct.principal_id IS NOT NULL, SUSER_NAME(ct.principal_id), SUSER_NAME(ak.principal_id)) AS [Owner_Name]
-- ,oj.type_desc
-- ,crypt_type
-- ,md.DEFINITION
-- ,IIF(ct.subject IS NOT NULL, ct.subject, 'N/A') AS [Certificate Subject]
FROM
sys.objects AS oj
INNER JOIN sys.schemas AS sc ON oj.schema_id = sc.schema_id
LEFT OUTER JOIN sys.crypt_properties AS cp ON cp.major_id = oj.object_id
LEFT OUTER JOIN sys.sql_modules AS md ON md.object_id = oj.object_id
LEFT OUTER JOIN sys.certificates AS ct ON cp.thumbprint = ct.thumbprint
LEFT OUTER JOIN sys.asymmetric_keys AS ak ON cp.thumbprint = ak.thumbprint
LEFT OUTER JOIN sys.database_principals AS dp ON (ct.sid = dp.sid OR ak.sid = dp.sid)
WHERE oj.type IN ('P', 'FN', 'TR')
AND NOT (
sc.name = 'dbo'
AND oj.name = 'sp_MSrepl_startup'
AND master.dbo.fn_varbintohexstr(HASHBYTES('SHA2_256', DEFINITION)) = '0x78c0596dc09e6f4a26ba44c8572163e4b1f34382349d88b1cc1d1d8361cf0647'
)
AND NOT (
sc.name = 'dbo'
AND oj.name = 'sp_MScleanupmergepublisher'
AND master.dbo.fn_varbintohexstr(HASHBYTES('SHA2_256', DEFINITION)) = '0x173add6847de4a92d3b82abac61f93deadf8d6465d312dba1b403ae1ad6abcfc'
)
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(297.6, 97%, 38%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EAS%3C/text%3E%3C/svg%3E)
Hi @Jarman, Andrew , welcome to Microsoft Q&A forum.
We have reached out to internal team on this and will get back as soon as we receive the response.
@Jarman, Andrew Could you please share the result of this query statement.
Regards,
Oury
Hi Oury,
Not really sure what your requesting... Here's the resultset from one of our application databases. In my opinion the above SQL should return an empty resultset....
AJ
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(304, 99%, 39%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EVN%3C/text%3E%3C/svg%3E)
Hi, our security team also flagging this issue.
May I know the solution for this?
There currently is no solution from Microsoft on this issue. I'm hopeful that they will respond here with a solution soon.
AJ
@Jarman, Andrew Sorry for the delay in my response.
Could you please open a support request so we can further investigate?
Regards,
Oury
Hi,
It seems that this was fixed in latest versions.
I got the same query and interrogation as you, running SQL Server 2016 SP3.
On SQL Server 2019 though, the query has different source table and no more false results:
SELECT
QUOTENAME(sc.name) + '.' + QUOTENAME(oj.name) AS [Module]
,IIF(ct.certificate_id IS NOT NULL, ct.name, ak.name) AS [Signing Object]
,dp.name AS [Signing Object Owner]
,cp.thumbprint AS [Signing Object Thumbprint]
,oj.modify_date AS [Last Definition Modify Date]
,IIF(ct.certificate_id IS NOT NULL, 'CERTIFICATE', 'ASYMMETRIC KEY') AS [Signing Object Type]
-- For debbuging, uncomment following lines:
-- ,IIF(ct.principal_id IS NOT NULL, SUSER_NAME(ct.principal_id), SUSER_NAME(ak.principal_id)) AS [Owner_Name]
-- ,oj.type_desc
-- ,crypt_type
-- ,md.DEFINITION
-- ,IIF(ct.subject IS NOT NULL, ct.subject, 'N/A') AS [Certificate Subject]
-- ,IIF(ct.certificate_id IS NOT NULL, IS_OBJECTSIGNED('OBJECT', oj.object_id, 'certificate', cp.thumbprint), IS_OBJECTSIGNED('OBJECT', oj.object_id, 'asymmetric key', cp.thumbprint)) AS [Is Object Signed]
FROM
sys.crypt_properties AS cp
INNER JOIN sys.objects AS oj ON cp.major_id = oj.object_id
INNER JOIN sys.schemas AS sc ON oj.schema_id = sc.schema_id
INNER JOIN sys.sql_modules AS md ON md.object_id = cp.major_id
LEFT OUTER JOIN sys.certificates AS ct ON cp.thumbprint = ct.thumbprint
LEFT OUTER JOIN sys.asymmetric_keys AS ak ON cp.thumbprint = ak.thumbprint
LEFT OUTER JOIN sys.database_principals AS dp ON (ct.sid = dp.sid OR ak.sid = dp.sid)
WHERE
oj.type IN ('P','FN','TR')
AND cp.class_desc = 'OBJECT_OR_COLUMN'
a+,=)
-=Clement=-