{"id":7010,"date":"2025-09-09T06:30:06","date_gmt":"2025-09-09T11:30:06","guid":{"rendered":"https:\/\/andreas-wolter.com\/?p=7010"},"modified":"2025-09-09T12:42:34","modified_gmt":"2025-09-09T17:42:34","slug":"2509-sql-auditing-security-bug-classified-data-exfiltration","status":"publish","type":"post","link":"https:\/\/andreas-wolter.com\/en\/2509-sql-auditing-security-bug-classified-data-exfiltration\/","title":{"rendered":"Bug in Auditing allows for undetected Data Exfiltration by low privileged user"},"content":{"rendered":"\n<section  class='av_textblock_section av-m0cxgkjy-c935304b4106b45214698f40e83a9894 '   itemscope=\"itemscope\" itemtype=\"https:\/\/schema.org\/BlogPosting\" itemprop=\"blogPost\" ><div class='avia_textblock'  itemprop=\"text\" ><p>Last week, I was contacted by an IT leader from Saudi Arabia who had previously found several CVEs in Oracle and Microsoft SQL Server. 
He wanted my opinion on a newly discovered security issue in SQL Server Auditing.<\/p>\n<p>Interestingly, his findings directly overlap with a topic I wrote about just last month: <a href=\"How%20to%20Use%20Data%20Classification%20to%20Audit%20specific%20Data%20Access%20in%20Microsoft%20SQL%20Server\">Using Data Classification to Audit Data Access<\/a>.<\/p>\n<p>Emad Al-Mousa identified two vulnerabilities in the SENSITIVE_BATCH_COMPLETED Audit Action Group. Microsoft Security Response Center (MSRC) acknowledged the issue but classified it as <em>low priority<\/em> &#8211; meaning it may not be addressed until a major release, if at all.<\/p>\n<p>That assessment really piqued my curiosity &#8211; I wanted to test it firsthand and see what the real-world consequences might be.<br \/>\nUsing my test setup with a table containing credit card information labeled as <em>Highly Confidential<\/em> and other <em>Financial<\/em> data using SQL Server\u2019s Data Classification technology, I was able to reproduce the bug easily.<\/p>\n<p>And yes\u2014it\u2019s a genuine security gap.<\/p>\n<p>Any user with basic SELECT access to an audited table can bypass the auditing mechanism with trivial ease. 
Honestly, it\u2019s surprising this slipped past automated testing, which should catch such cases by default.<\/p>\n<p>The repro is as simple as this:<\/p>\n<ul>\n<li>Create an Audit Specification at the database or server level using SENSITIVE_BATCH_COMPLETED_GROUP (as I previously described in How to Use Data Classification to Audit specific Data Access in Microsoft SQL Server ).<\/li>\n<li>With nothing more than db_datareader or SELECT permissions, run:<\/li>\n<\/ul>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"wp-image-7013 size-medium alignnone\" src=\"https:\/\/andreas-wolter.com\/wp-content\/uploads\/2025\/09\/202509SelectIntoTempTable-300x153.jpg\" alt=\"Select Into new temporary table\" width=\"300\" height=\"153\" srcset=\"https:\/\/andreas-wolter.com\/wp-content\/uploads\/2025\/09\/202509SelectIntoTempTable-300x153.jpg 300w, https:\/\/andreas-wolter.com\/wp-content\/uploads\/2025\/09\/202509SelectIntoTempTable-768x392.jpg 768w, https:\/\/andreas-wolter.com\/wp-content\/uploads\/2025\/09\/202509SelectIntoTempTable-705x359.jpg 705w, https:\/\/andreas-wolter.com\/wp-content\/uploads\/2025\/09\/202509SelectIntoTempTable.jpg 912w\" sizes=\"auto, (max-width: 300px) 100vw, 300px\" \/><\/p>\n<p>Neither the SELECT INTO operation nor queries against the new table generate audit entries.<\/p>\n<p>This means anyone with table access could <strong>exfiltrate sensitive data without detection<\/strong>. 
Even worse, the documentation explicitly claims this command is covered by the Audit Action Group.<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"alignnone wp-image-7015 size-medium\" src=\"https:\/\/andreas-wolter.com\/wp-content\/uploads\/2025\/09\/202509DataClassificationAuditing_documentationexcerpt-300x297.jpg\" alt=\"Books Online Data Classification screenshot\" width=\"300\" height=\"297\" srcset=\"https:\/\/andreas-wolter.com\/wp-content\/uploads\/2025\/09\/202509DataClassificationAuditing_documentationexcerpt-300x297.jpg 300w, https:\/\/andreas-wolter.com\/wp-content\/uploads\/2025\/09\/202509DataClassificationAuditing_documentationexcerpt-80x80.jpg 80w, https:\/\/andreas-wolter.com\/wp-content\/uploads\/2025\/09\/202509DataClassificationAuditing_documentationexcerpt-768x760.jpg 768w, https:\/\/andreas-wolter.com\/wp-content\/uploads\/2025\/09\/202509DataClassificationAuditing_documentationexcerpt-36x36.jpg 36w, https:\/\/andreas-wolter.com\/wp-content\/uploads\/2025\/09\/202509DataClassificationAuditing_documentationexcerpt-705x697.jpg 705w, https:\/\/andreas-wolter.com\/wp-content\/uploads\/2025\/09\/202509DataClassificationAuditing_documentationexcerpt.jpg 908w\" sizes=\"auto, (max-width: 300px) 100vw, 300px\" \/><\/p>\n<p>Screenshot from: <a href=\"https:\/\/learn.microsoft.com\/en-us\/azure\/azure-sql\/database\/data-discovery-and-classification-overview?view=azuresql\" target=\"_blank\" rel=\"noopener\">Data Discovery &#038; Classification<\/a><\/p>\n<p>The same loophole applies to the second vulnerability Emad discovered, involving <strong>DBCC CLONEDATABASE<\/strong>.<\/p>\n<h2>What does this mean for you?<\/h2>\n<p>Until Microsoft revises MSRC\u2019s assessment and fixes SENSITIVE_BATCH_COMPLETED_GROUP, you cannot rely on it for auditing sensitive data access.<\/p>\n<p>In the meantime:<\/p>\n<ul>\n<li>Audit ALL SELECT operations (this covers SELECT INTO).<\/li>\n<\/ul>\n<ul>\n<li>Enable auditing for DBCC_GROUP (which I generally 
recommend as best practice: <a href=\"https:\/\/andreas-wolter.com\/en\/202507_recommended_security_auditing_databases_sql_server\/\">Recommendation for Security Auditing for databases \u2013 with example for Microsoft SQL Server<\/a>).<\/li>\n<\/ul>\n<p>If you want to see this issue prioritized, I encourage you to comment on and re-share this post &#8211; or better yet, add your voice on <a href=\"https:\/\/www.linkedin.com\/posts\/andreaswolter_bug-in-auditing-allows-for-undetected-data-activity-7371200114129940480-9KPI\" target=\"_blank\" rel=\"noopener\">LinkedIn<\/a>.<\/p>\n<p>Thank you for helping spread the word.<\/p>\n<p>I have informed both the Microsoft SQL Server Auditing and Data Classification teams about this publication beforehand, and I have been told that they are going to fix it.<\/p>\n<p>A big thank-you to Emad Al-Mousa for identifying and responsibly disclosing the issue. You can read his full write-up here: <a href=\"https:\/\/databasesecurityninja.wordpress.com\/2025\/09\/02\/sql-server-security-auditing-vulnerability-for-sensitive-batch-completed-policy\/\" target=\"_blank\" rel=\"noopener\">SQL Server Security Auditing Vulnerability For SENSITIVE BATCH COMPLETED Policy<\/a><br \/>\nAnd thank you to my ex-colleague Rohit Nayak for helping review this post.<\/p>\n<p>Andreas<\/p>\n<\/div><\/section>","protected":false},"excerpt":{"rendered":"","protected":false},"author":4,"featured_media":7011,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[57],"tags":[380,27],"class_list":["post-7010","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-security-en","tag-auditing","tag-security-en"],"_links":{"self":[{"href":"https:\/\/andreas-wolter.com\/en\/wp-json\/wp\/v2\/posts\/7010","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/andreas-wolter.com\/en\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/andreas-wolter.com\/en\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/andreas-wolter.com\/en\/wp-json\/wp\/v2\/users\/4"}],"replies":[{"embeddable":true,"href":"https:\/\/andreas-wolter.com\/en\/wp-json\/wp\/v2\/comments?post=7010"}],"version-history":[{"count":4,"href":"https:\/\/andreas-wolter.com\/en\/wp-json\/wp\/v2\/posts\/7010\/revisions"}],"predecessor-version":[{"id":7096,"href":"https:\/\/andreas-wolter.com\/en\/wp-json\/wp\/v2\/posts\/7010\/revisions\/7096"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/andreas-wolter.com\/en\/wp-json\/wp\/v2\/media\/7011"}],"wp:attachment":[{"href":"https:\/\/andreas-wolter.com\/en\/wp-json\/wp\/v2\/media?parent=7010"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/andreas-wolter.com\/en\/wp-json\/wp\/v2\/categories?post=7010"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/andreas-wolter.com\/en\/wp-json\/wp\/v2\/tags?post=7010"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}