Updated to include comments from Microsoft.
Microsoft SQL Server administrators are being warned today about an unpatched vulnerability in the popular database software that exposes user passwords in the clear, as well as credentials delivered by applications trying to access the database server.
Researchers at San Mateo, Calif.-based Sentrigo Inc. announced the flaw this morning and also revealed that Microsoft has said it has no plans to release a patch for the vulnerability. Sentrigo, meanwhile, said it has developed a free utility that erases these passwords from memory. The utility is available for download.
Microsoft said it investigated Sentrigo's claims and determined that this was not a vulnerability requiring a security update.
"As mentioned by the security researchers, in the scenario in question, an attacker would need administrative rights on the target system. An attacker who has administrative rights already has complete control of the system and can install programs; view, change, or delete data; or create new accounts with full user rights," Microsoft said in a statement. "Microsoft recommends that enterprise customers review and implement security measures as discussed in our security guidance and that all users follow our general guidelines to protect their PC."
The vulnerability enables administrators to see unencrypted credentials in SQL Server process memory using tools that are readily available to database administrators. Administrator privileges are required to dump process memory, but in most organizations more than one individual holds admin privileges. Applications also often run with administrator permissions, and if those applications are vulnerable to SQL injection, such attacks could expose the passwords as well.
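The risk described above comes down to how long a cleartext credential stays in a process's memory after it has been used. The following Python example is added here to illustrate the general principle behind scrubbing credentials from memory; it is not Sentrigo's utility, not code from Microsoft, and makes no claim about how SQL Server actually stores logins. It uses a constructed `bytearray` as a stand-in for a region of process memory, copies a credential into it the way a login routine would, checks it, and then either leaves it in place or overwrites it. A snapshot of the region shows the difference an explicit wipe makes. The `login`, `wipe` and `credential_visible` names are the example's own.

```python
import hmac

# Constructed stand-in for a region of process memory, e.g. a login buffer.
ARENA_SIZE = 256
CRED_OFFSET = 64


def new_arena() -> bytearray:
    """A fresh, zero-filled memory region (constructed for this example)."""
    return bytearray(ARENA_SIZE)


def place_credential(arena: bytearray, secret: bytes, offset: int) -> None:
    """Copy the credential into the region, as a driver or login routine would."""
    arena[offset:offset + len(secret)] = secret


def check_credential(arena: bytearray, offset: int, length: int, expected: bytes) -> bool:
    """Constant-time comparison so the check itself leaks nothing via timing."""
    return hmac.compare_digest(bytes(arena[offset:offset + length]), expected)


def wipe(arena: bytearray, offset: int, length: int) -> None:
    """Overwrite the credential bytes in place. Only a mutable buffer can be
    scrubbed like this; an immutable str or bytes copy lingers until the
    runtime frees it, which is why the caller's own `secret` object is a
    separate concern this example does not address."""
    arena[offset:offset + length] = bytes(length)


def credential_visible(snapshot: bytes, secret: bytes) -> bool:
    """What an inspection of the region would reveal: True if the cleartext
    secret is still present anywhere in the snapshot."""
    return secret in snapshot


def login(arena: bytearray, secret: bytes, expected: bytes, scrub: bool):
    """Run one login against the region and report (authenticated, still_visible).

    With scrub=False the credential stays in memory after the check, which is
    the exposure the article describes; with scrub=True it is overwritten as
    soon as it is no longer needed."""
    place_credential(arena, secret, CRED_OFFSET)
    authenticated = check_credential(arena, CRED_OFFSET, len(secret), expected)
    if scrub:
        wipe(arena, CRED_OFFSET, len(secret))
    return authenticated, credential_visible(bytes(arena), secret)


if __name__ == "__main__":
    # Constructed sample credential; not a real password.
    pw = b"Correct-Horse-42"
    for scrub in (False, True):
        ok, visible = login(new_arena(), pw, pw, scrub=scrub)
        print(f"scrub={scrub}: authenticated={ok}, cleartext still in memory={visible}")
```

The point of the comparison is that the login succeeds either way; only the lifetime of the cleartext changes. In a real service the same idea applies to connection strings and driver buffers: keep credentials in mutable storage, overwrite them as soon as authentication completes, and treat every account that can read process memory as one that can read whatever has not yet been overwritten.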
Sentrigo said in a release today that the vulnerability exists in SQL Server 2000, 2005 and 2008 running on Windows. Changes made to SQL Server 2008 make it difficult for users to access memory, and lessen the opportunity for exposure, Sentrigo said.
Sentrigo said it discovered the flaw a year ago and promptly reported it to Microsoft, which did not agree with Sentrigo's assessment of the flaw. Sentrigo said that users often reuse passwords across multiple business applications and for personal use; with passwords exposed as cleartext, other users' bank accounts and sensitive data would be put at risk. Sentrigo backs up its concerns by citing the results of a Microsoft study that found the average user has 25 accounts requiring passwords, yet uses only six or seven unique passwords to access those accounts.
"While it is true that exploiting this vulnerability requires administrative access, it is common for multiple users to have this privilege within most IT organizations. Even if that person is entirely trustworthy, they should never be able to see another user's actual password," said Slavik Markovich, CTO of Sentrigo. "Furthermore, the risk of a hacker gaining administrative access to a server is always present, and the exposure of additional user passwords could greatly expand the breach to other systems."