SAN FRANCISCO -- A new report from security researcher David Litchfield shows that hundreds of thousands of Microsoft SQL Server and Oracle database servers are directly reachable from the Internet, lack critical updates and are vulnerable to attack.
Litchfield, managing director at UK-based NGS (Next Generation Security) Software Ltd., examined the number of Microsoft SQL Server and Oracle database servers that are on the Internet and not protected by a firewall. The report, called "The Database Exposure Survey 2007," found that about 368,000 Microsoft SQL Servers and 124,000 Oracle database servers were directly accessible on the Internet and not protected by a firewall. The survey was last conducted in 2005.
"In the author's opinion, these findings represent a significant risk," Litchfield said. "Whilst it's not possible to say how many of these systems are engaged in a commercial function, with just under half a million servers accessible there is clearly potential for external hackers and criminals to gain access to these systems and to sensitive information."
Litchfield said 66% of the Oracle database servers found were running versions with known critical vulnerabilities. He said 82% of the SQL Servers were running SQL Server 2000, and only 46% were running Service Pack 4, the rest running Service Pack 3a or earlier. DBAs are also failing to deploy hotfixes, waiting instead for the next SQL Server service pack, he said.
"It may be the case that many database administrators don't even know that their systems are accessible over the Internet," Litchfield said.
In addition, the number of SQL Server databases at risk has increased significantly since the survey was last conducted in 2005, Litchfield said. There were around 210,000 unprotected SQL Servers in 2005; the 2007 survey found about 368,000.
Database administrators attending Oracle OpenWorld 2007 weren't surprised by the results of the survey. DBAs often stand up a test server and don't even realize it is reachable from the Internet and vulnerable to attack, said Tim Spoddard, a DBA with a Midwestern retailer.
"It's a good reminder to take a look at your systems," Spoddard said. "In this day and age you want to close off the attack vectors to avoid a breach."
Andy Lehman, a DBA based in San Jose, Calif., said most database servers accessible on the Internet likely don't contain sensitive information. Still, they should be locked down and separated from critical systems, he said.
"If they're not updated and have critical flaws, they probably don't contain anything worth stealing," he said. "It still provides a jumping off point for an attacker."
Litchfield said database servers should be tested from outside the network to confirm they cannot be reached from the Internet. Where external access is genuinely required, it should be controlled by a firewall that allows connections only from a defined set of IP addresses or address ranges, he said.
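The two checks above, as an added example that is not part of the article, the NGS report or any Litchfield tool: a TCP reachability probe for the products' default listener ports, and an allowlist decision of the kind a firewall rule set would make. It assumes the well-known defaults (SQL Server on TCP 1433, the Oracle TNS listener on TCP 1521); the survey's own probing method is not described here, and a server moved to a non-default port or exposed only via the UDP 1434 SQL Server Browser service would not be seen by this probe. The addresses used in the demonstration are constructed from the RFC 5737 documentation ranges. The probe only tells you something about Internet exposure when it is run from a host outside your own perimeter.

```python
import ipaddress
import socket

# Well-known default listener ports for the two products in the survey
# (assumption: the target has not been moved to another port).
DEFAULT_DB_PORTS = {
    1433: "Microsoft SQL Server (TCP listener)",
    1521: "Oracle TNS listener",
}


def tcp_port_reachable(host, port, timeout=3.0):
    """Return True if a TCP connection to host:port completes within timeout.

    Run this from OUTSIDE the network perimeter: a successful connect from
    inside the firewall says nothing about Internet exposure.
    """
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:  # refused, unreachable, or timed out
        return False


def exposed_db_ports(host, ports=DEFAULT_DB_PORTS, timeout=3.0):
    """Return {port: description} for every listed port reachable on host."""
    return {p: desc for p, desc in ports.items()
            if tcp_port_reachable(host, p, timeout)}


def source_permitted(client_ip, allowed_cidrs):
    """Allowlist decision modelled on a firewall rule: True only if client_ip
    lies inside one of the permitted ranges. A bare address counts as a
    single-host range (/32 or /128)."""
    ip = ipaddress.ip_address(client_ip)
    for cidr in allowed_cidrs:
        net = ipaddress.ip_network(cidr, strict=False)
        if ip.version == net.version and ip in net:
            return True
    return False


def start_local_listener():
    """Open a throwaway listener on 127.0.0.1 on an OS-chosen port so the
    reachability check can be exercised offline (demonstration only).
    Returns (listening_socket, port)."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    return srv, srv.getsockname()[1]


if __name__ == "__main__":
    # Offline demonstration against a local listener instead of a real target.
    srv, port = start_local_listener()
    print("listener reachable:", tcp_port_reachable("127.0.0.1", port))
    srv.close()
    print("after close:", tcp_port_reachable("127.0.0.1", port))

    # Constructed allowlist: one office range plus one single management host.
    allowed = ["203.0.113.0/24", "198.51.100.17"]
    for ip in ("203.0.113.7", "198.51.100.17", "192.0.2.5"):
        print(ip, "permitted" if source_permitted(ip, allowed) else "blocked")
```

In practice you would call `exposed_db_ports("<your public address>")` from a cloud VM or other external vantage point for every address you publish, and treat any entry in the result as a finding to close or to restrict to the allowlist. The allowlist function is the policy the firewall should enforce; it is included so the intended rule ("only these sources, nothing else") can be unit-tested before it is transcribed into the firewall's own syntax.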