CVE-2017-9246 in .NET Agent

Summary

by MITRE

New Relic .NET Agent before 6.3.123.0 adds SQL injection flaws to safe applications via vectors involving failure to escape quotes during use of the Slow Queries feature, as demonstrated by a mishandled quote in a VALUES clause of an INSERT statement, after bypassing a SET SHOWPLAN_ALL ON protection mechanism.


Analysis

by VulDB Data Team • 10/17/2019

The vulnerability identified as CVE-2017-9246 represents a critical SQL injection flaw within New Relic .NET Agent versions before 6.3.123.0. This security weakness specifically targets applications that are otherwise considered secure, demonstrating how monitoring tools can inadvertently introduce dangerous vulnerabilities into protected systems. The flaw manifests when the New Relic agent processes slow query data through its Slow Queries feature, creating a scenario where malicious input can be executed within database contexts. The vulnerability exploits a failure in proper input sanitization mechanisms, particularly focusing on quote escaping during query processing.

The technical implementation of this vulnerability occurs through the agent's handling of SQL statements within the Slow Queries feature, where it fails to properly escape single quotes and other special characters in database queries. This oversight becomes particularly dangerous when processing INSERT statements containing VALUES clauses, as the agent's inadequate sanitization allows attackers to inject malicious SQL code that bypasses standard database protection mechanisms. The vulnerability specifically targets the SET SHOWPLAN_ALL ON protection mechanism, which is designed to prevent certain types of query analysis attacks, but the New Relic agent's implementation fails to properly account for this protection layer.
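The quote-escaping failure described above can be shown with a small model. This is an added example, not code from the New Relic agent or from this page: it assumes a hypothetical tool that rebuilds statement text by inlining parameter values, and the function names and the constructed sample statement are illustrative. It goes slightly beyond the INSERT case by checking, for any rebuilt statement, that the text outside string literals is unchanged.

```python
import re

# Constructed sample: a parameterized INSERT and its values (not from the page).
TEMPLATE = "INSERT INTO customers (name, city) VALUES (@p0, @p1)"
PARAMS = {"@p0": "O'Brien", "@p1": "Cork"}  # @p0 holds an ordinary quote


def inline_unescaped(sql, params):
    """Flawed rebuild: wraps each value in quotes, leaves embedded quotes as-is."""
    return re.sub(r"@\w+", lambda m: "'" + params[m.group()] + "'", sql)


def inline_escaped(sql, params):
    """Corrected rebuild: doubles embedded single quotes (T-SQL literal escaping)."""
    quote = lambda m: "'" + params[m.group()].replace("'", "''") + "'"
    return re.sub(r"@\w+", quote, sql)


def skeleton(sql):
    """Collapse every string literal to '?'; raise ValueError if one never closes."""
    out, i, n = [], 0, len(sql)
    while i < n:
        if sql[i] != "'":
            out.append(sql[i])  # code outside any literal is kept verbatim
            i += 1
            continue
        i += 1  # step over the opening quote
        while True:
            if i >= n:
                raise ValueError("unterminated string literal")
            if sql[i] == "'":
                if sql[i + 1:i + 2] == "'":
                    i += 2  # '' is an escaped quote, still inside the literal
                    continue
                i += 1  # closing quote
                break
            i += 1
        out.append("?")
    return "".join(out)


def structure_preserved(template, rebuilt):
    """True when the rebuilt text differs from the template only inside literals."""
    try:
        return skeleton(rebuilt) == re.sub(r"@\w+", "?", template)
    except ValueError:
        return False
```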

The operational impact of this vulnerability extends beyond simple data compromise, as it allows attackers to execute arbitrary SQL commands on affected database systems. When an application uses the New Relic .NET Agent for monitoring and the Slow Queries feature is enabled, malicious actors can manipulate database inputs to gain unauthorized access to sensitive data, modify database structures, or even escalate privileges within the database environment. The vulnerability is particularly concerning because it affects applications that are already considered secure, meaning that organizations may not expect such vulnerabilities to exist within their monitoring infrastructure, creating a false sense of security that can lead to extended exploitation periods.

The exploitation of this vulnerability requires minimal prerequisites and can be accomplished through carefully crafted database queries that leverage the agent's insufficient input validation. Attackers need only to generate database activity that triggers the Slow Queries feature while including malicious SQL code within the query parameters, allowing the agent to process and execute the injected commands.

This vulnerability aligns with CWE-89, which describes SQL injection flaws, and can be mapped to ATT&CK technique T1071.004 for application layer protocol manipulation. Organizations should implement immediate mitigation strategies including updating to New Relic .NET Agent version 6.3.123.0 or later, disabling the Slow Queries feature if not required, and implementing additional database query monitoring to detect anomalous SQL patterns. The vulnerability also underscores the importance of comprehensive security testing for monitoring tools and highlights how third-party components can introduce unexpected security risks into enterprise environments.

Reservation: 05/28/2017

Disclosure: 06/13/2017

Moderation: accepted

CPE: ready

EPSS: 0.00250

KEV: no

Activities: very low
