Microsoft disputes password-stealing SQL Server bug

For more than a year, Microsoft has been sitting on a purported SQL Server vulnerability that could enable a malicious insider to obtain users' passwords, claims database security vendor Sentrigo.
The software giant, however, said that the issue is not a security flaw.
The potential bug, which Sentrigo notified Microsoft about last September, involves SQL Server keeping passwords unencrypted in its database memory, Slavik Markovich, CTO at Sentrigo, told SCMagazineUS.com on Tuesday. The issue affects SQL Server 2000, 2005 and 2008, running on Windows operating systems.
Markovich said he believes this is a security issue because it enables any individual with administrative privileges to access SQL Server's process memory and see all the usernames and passwords that are stored for anyone who accessed either the server itself or applications that connect to the server.
“It's something that is security 101, something you never do -- share or see other people's passwords,” he said.
Since people often reuse the same passwords for multiple enterprise systems and for their personal lives, a malicious insider could use the stolen SQL Server credentials to access other systems or a user's personal accounts.
“If someone can see your password, think about all the other systems they could access,” Markovich said.
But Microsoft said that it has “thoroughly investigated” the issue and found that no vulnerability exists, a Microsoft spokesperson told SCMagazineUS.com in an email Tuesday. The software giant has no intention of offering a security update for the issue.
“As mentioned by the security researchers, in the scenario in question, an attacker would need administrative rights on the target system,” Microsoft said. “An attacker who has administrative rights already has complete control of the system and can install programs; view, change, or delete data; or create new accounts with full user rights.”
But Markovich contends that the issue could also be exploited by an outside attacker to escalate the damage of an SQL injection attack. If an attacker launched such an attack and obtained an administrator's password, that password could be used to access SQL Server and potentially get the passwords to other systems.
Sentrigo issued a free tool Wednesday to erase stored passwords in SQL Server. Microsoft recommended end-users review its security guidance and guidelines literature.
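The scenario at the centre of the dispute, an administrator-level process reading the SQL Server process's memory, is something a defender can at least make visible. The following Python snippet is an added example (not from the article, and not Sentrigo's tool); it assumes Sysmon Event ID 10 (ProcessAccess) records flattened to one "key=value" line each, and flags any source process that opened sqlservr.exe with the PROCESS_VM_READ access right (0x0010), which is what reading another process's memory requires.

```python
import re

# Constructed sample Sysmon Event ID 10 (ProcessAccess) records, one per line.
# These are made-up log lines for this example, not real telemetry.
SAMPLE_EVENTS = [
    "EventID=10 SourceImage=C:\\Windows\\System32\\svchost.exe "
    "TargetImage=C:\\Program Files\\Microsoft SQL Server\\MSSQL\\Binn\\sqlservr.exe "
    "GrantedAccess=0x1000",
    "EventID=10 SourceImage=C:\\Users\\dba\\Desktop\\dumper.exe "
    "TargetImage=C:\\Program Files\\Microsoft SQL Server\\MSSQL\\Binn\\sqlservr.exe "
    "GrantedAccess=0x1010",
    "EventID=10 SourceImage=C:\\Windows\\System32\\taskmgr.exe "
    "TargetImage=C:\\Windows\\explorer.exe GrantedAccess=0x1410",
    "EventID=1 Image=C:\\Windows\\System32\\cmd.exe",
]

# Windows process access right that permits ReadProcessMemory on the target.
PROCESS_VM_READ = 0x0010

# Key/value pairs; values may contain spaces (e.g. "Program Files"), so a
# value runs until the next " Key=" token or end of line.
_KV = re.compile(r"(\w+)=(.*?)(?= \w+=|$)")


def parse_event(line):
    """Turn one flattened 'Key=Value Key=Value' record into a dict."""
    return dict(_KV.findall(line))


def find_sql_memory_readers(lines, allowlist=frozenset()):
    """Return processes that opened sqlservr.exe with PROCESS_VM_READ.

    allowlist: lower-cased full paths of tools expected to do this
    (backup agents, approved debuggers), so they are not reported.
    """
    findings = []
    for line in lines:
        ev = parse_event(line)
        if ev.get("EventID") != "10":
            continue
        target = ev.get("TargetImage", "").lower()
        if not target.endswith("\\sqlservr.exe"):
            continue
        access = int(ev.get("GrantedAccess", "0x0"), 16)
        if not access & PROCESS_VM_READ:
            continue
        source = ev.get("SourceImage", "")
        if source.lower() in allowlist:
            continue
        findings.append({"source": source, "access": hex(access)})
    return findings
```

Running it over the sample yields one finding (dumper.exe, 0x1010); svchost.exe is ignored because 0x1000 lacks the read right, and the explorer.exe access is not against SQL Server at all.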