Microsoft disputes password-stealing SQL Server bug

Share this article:
For more than a year, Microsoft has been sitting on a purported SQL Server vulnerability that could enable a malicious insider to obtain users' passwords, claims database security vendor Sentrigo.

The software giant, however, said that the issue is not a security flaw.

The potential bug, which Sentrigo notified Microsoft about last September, involves SQL Server keeping passwords unencrypted in its database memory, Slavik Markovich, CTO at Sentrigo, told SCMagazineUS.com on Tuesday. The issue affects SQL Server 2000, 2005 and 2008, running on Windows operating systems.  

Markovich said he believes this is a security issue because it enables any individual with administrative privileges to access SQL Server's process memory and see all the usernames and passwords that are stored for anyone who accessed either the server itself or applications that connect to the server.

“It's something that is security 101, something you never do -- share or see other people's passwords,” he said.

Since people often reuse the same passwords for multiple enterprise systems and for their personal lives, a malicious insider could use the stolen SQL Server credentials to access other systems or a user's personal accounts.  

“If someone can see your password, think about all the other systems they could access,” Markovich said.

But Microsoft said that it has “thoroughly investigated” the issue and found that no vulnerability exists, a Microsoft spokesperson told SCMagazineUS.com in an email Tuesday. The software giant has no intention of offering a security update for the issue.

“As mentioned by the security researchers, in the scenario in question, an attacker would need administrative rights on the target system,” Microsoft said. “An attacker who has administrative rights already has complete control of the system and can install programs; view, change, or delete data; or create new accounts with full user rights.”

But Markovich contends that the issue could also be exploited by an outside attacker to escalate the damage of an SQL injection attack. If an attacker launched such an attack and obtained an administrator's password, they could be used to access SQL Server and potentially get the passwords to other systems.

Sentrigo issued a free tool Wednesday to erase stored passwords in SQL Server. Microsoft recommended end-users review its security guidance and guidelines literature.
Share this article:
You must be a registered member of SC Magazine to post a comment.

Sign up to our newsletters

TOP COMMENTS

More in News

Email promises free pizza, ensnares victims in Asprox botnet instead

Email promises free pizza, ensnares victims in Asprox ...

Cloudmark came upon an email that offers free pizza, but clicking on the link to get the coupon ends with victims being ensnared in a botnet.

Report: most orgs lacking in response team, policies to address cyber incidents

In its Q3 threat intelligence report, Solutionary learned that 75 percent of organizations it assisted had no response team or policies and procedures to address cyber incidents.

Flash redirect campaign impacts Carnegie Mellon page, leads to Angler EK

Flash redirect campaign impacts Carnegie Mellon page, leads ...

Malwarebytes found that, since early July, thousands of sites had been targeted in the campaign.