
Unpatched vulnerability discovered in Microsoft SQL Server

Database security vendor Sentrigo today released details about a flaw it discovered a year ago in Microsoft SQL Server that exposes passwords held in process memory as cleartext. Microsoft is not planning to patch the flaw. Sentrigo has released a free utility that erases the cleartext passwords from memory. Updated to include comments from Microsoft.

Microsoft SQL Server administrators are being warned today about an unpatched vulnerability in the popular database software that exposes user passwords in the clear, as well as credentials delivered by applications trying to access the database server.

Researchers at San Mateo, Calif.-based Sentrigo Inc. announced the flaw this morning, and also revealed that Microsoft said it has no plans to release a patch for the vulnerability. Sentrigo, meanwhile, said it has developed a free utility that erases these passwords from memory. The utility is available for download.

Microsoft said it investigated Sentrigo's claims and determined this was not a vulnerability requiring a security update.

"As mentioned by the security researchers, in the scenario in question, an attacker would need administrative rights on the target system. An attacker who has administrative rights already has complete control of the system and can install programs; view, change, or delete data; or create new accounts with full user rights," Microsoft said in a statement. "Microsoft recommends that enterprise customers review and implement security measures as discussed in our security guidance and that all users follow our general guidelines to protect their PC."

The vulnerability lets anyone with administrator privileges read unencrypted credentials out of the SQL Server process memory, using tools that are readily available to database administrators. Administrator privileges are required to dump process memory, but in most organizations more than one person holds them. Applications also often run with administrator permissions, and if such an application is vulnerable to SQL injection, that attack path could expose the passwords as well.
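A practitioner who wants to verify whether a given build or configuration exposes a credential would create a throwaway login with a known password, authenticate once, dump the sqlservr.exe process with a standard Windows tool, and then search the dump for that password. The script below is an added example for this article, not Sentrigo's utility and not code from Microsoft. It assumes the dump has already been captured to a file; the "dump" bytes, the login name and the connection-string fragment used here are constructed inline so the script runs offline. The point it demonstrates is that Windows and SQL Server hold most strings as UTF-16LE, so a plain ASCII grep of the dump can miss the very copy the page describes.

```python
"""Scan a process memory dump for cleartext copies of a known test password.

Added example for this article (not Sentrigo's tool, not Microsoft code).
Assumes a dump of sqlservr.exe has already been written to disk; here the
dump is a constructed byte string so the script can run without a server.
"""
import random
from typing import Dict, List, Tuple

Hit = Tuple[str, int, bytes]  # (encoding, offset in dump, surrounding bytes)


def credential_patterns(password: str) -> Dict[str, bytes]:
    """Byte patterns for the password in the encodings worth searching.

    SQL Server and Win32 APIs keep most strings as UTF-16LE, so an ASCII-only
    search (the usual 'strings | grep') misses those copies entirely.
    """
    return {
        "ascii": password.encode("ascii"),
        "utf-16le": password.encode("utf-16-le"),
    }


def find_credential(dump: bytes, password: str, context: int = 16) -> List[Hit]:
    """Return every occurrence of the password in the dump, with a little context."""
    hits: List[Hit] = []
    for encoding, needle in credential_patterns(password).items():
        start = 0
        while True:
            idx = dump.find(needle, start)
            if idx < 0:
                break
            lo, hi = max(0, idx - context), min(len(dump), idx + len(needle) + context)
            hits.append((encoding, idx, dump[lo:hi]))
            start = idx + 1
    return hits


def scrub_credential(dump: bytes, password: str) -> bytes:
    """Overwrite each occurrence with zero bytes, keeping the dump the same length.

    This only sanitises the file copy. Erasing the string from a live process,
    as the article says Sentrigo's utility does, requires write access to that
    process's memory, which this example deliberately does not attempt.
    """
    buf = bytearray(dump)
    for _, idx, _ in find_credential(buf, password, context=0):
        length = len(password.encode("utf-16-le")) if buf[idx + 1] == 0 else len(password)
        buf[idx:idx + length] = b"\x00" * length
    return bytes(buf)


TEST_PASSWORD = "Tr0ub4dor&3"  # throwaway password for a disposable test login (assumed)


def build_sample_dump() -> bytes:
    """Constructed stand-in for a sqlservr.exe dump: random filler with two copies
    of the test password, one UTF-16LE (as a Win32/SQL string), one ASCII (as it
    might appear inside an ADO-style connection string). Not a real dump."""
    rng = random.Random(1)
    filler = lambda n: bytes(rng.getrandbits(8) for _ in range(n))
    return (
        filler(512)
        + "Login: sa\x00".encode("utf-16-le") + TEST_PASSWORD.encode("utf-16-le")
        + filler(512)
        + b"User ID=sa;Password=" + TEST_PASSWORD.encode("ascii") + b";"
        + filler(256)
    )


if __name__ == "__main__":
    dump = build_sample_dump()
    for encoding, offset, ctx in find_credential(dump, TEST_PASSWORD):
        print(f"{encoding:8} @ 0x{offset:06x}: {ctx!r}")
    remaining = find_credential(scrub_credential(dump, TEST_PASSWORD), TEST_PASSWORD)
    print("occurrences left after scrubbing the file copy:", len(remaining))
```

To run it against a real capture, read the dump file in binary mode and pass the bytes to `find_credential` together with the test password; a hit in either encoding confirms that the credential was resident in cleartext at the moment the dump was taken, while no hit only shows it was not present in that snapshot.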

Sentrigo said in a release today that the vulnerability exists in SQL Server 2000, 2005 and 2008 running on Windows. Changes made to SQL Server 2008 make it difficult for users to access memory, and lessen the opportunity for exposure, Sentrigo said.

Sentrigo said it discovered the flaw a year ago and promptly reported it to Microsoft, which did not agree with Sentrigo's assessment of its severity. Sentrigo said that users often reuse passwords across multiple business applications and personal accounts, so a password exposed in cleartext from the database server could put those users' bank accounts and other sensitive data at risk. Sentrigo backs up this concern by citing a Microsoft study that found the average user has 25 accounts requiring passwords but uses only six or seven unique passwords across them.

"While it is true that exploiting this vulnerability requires administrative access, it is common for multiple users to have this privilege within most IT organizations. Even if that person is entirely trustworthy, they should never be able to see another user's actual password," said Slavik Markovich, CTO of Sentrigo. "Furthermore, the risk of a hacker gaining administrative access to a server is always present, and the exposure of additional user passwords could greatly expand the breach to other systems."
