News

Sentrigo Uncovers Significant Password Exposure Vulnerability in Microsoft SQL Server

September 2, 2009

 

Free Utility Available To Protect Affected Systems

 

SAN MATEO, Calif - Sentrigo, Inc., the innovator in database security software, today announced that it has discovered a significant vulnerability in Microsoft SQL Server that allows any user with administrative privileges to see, in clear text, the passwords of other users or the credentials presented by applications that access the server using SQL Server authentication. To ensure all SQL Server users can quickly protect their systems, Sentrigo has released a free utility that erases these passwords from memory; it can be downloaded starting today from the company’s website.

 
The security vulnerability was found by a member of Sentrigo’s Red Team, a group of security researchers that focuses on researching database applications in order to uncover security issues and create protections against them. With the increasing enforcement of strong password criteria, users often reuse a small set of passwords across multiple systems, including both business systems and their personal applications. A study by Microsoft presented at the World Wide Web Conference (W3C) in May of 2007 found that users had roughly 25 accounts requiring passwords, yet on average used only 6-7 unique passwords across all sites. If compromised, these passwords could allow attackers to target additional systems within the organization, as well as to access personal accounts where the user may use the identical password.
 
“In the course of ongoing security research into SQL Server databases, one of our researchers noticed that the unique string of their personal password was clearly visible in memory in SQL Server,” said Slavik Markovich, CTO of Sentrigo. “While it is true that exploiting this vulnerability requires administrative access, it is common for multiple users to have this privilege within most IT organizations. Even if that person is entirely trustworthy, they should never be able to see another user’s actual password. Furthermore, the risk of a hacker gaining administrative access to a server is always present, and the exposure of additional user passwords could greatly expand the breach to other systems.”
 
While administrators can normally "reset" a user's password if needed, best practices in security do not allow even administrators to see the actual passwords of other users. Furthermore, applications go to great lengths to obfuscate passwords when they are needed within the software, and should not store passwords as "clear text", either in memory (as is the case with this vulnerability) or on disk. This is an even greater problem because many enterprises must comply with standards and regulations that require strict segregation of duties, which is clearly violated when users’ passwords are exposed to administrators.
 
"Sentrigo followed a proper course of action, by informing the vendor first, and allowing time for a fix to be released,” said Alexander Kornbrust, CEO of Red Database Security. “When it is clear that the vendor does not intend to address the issue, it is in the best interests of the entire SQL Server community to share the existence of the threat and provide an immediate solution. This vulnerability represents a credible threat to any organization running SQL Server, and I recommend IT organizations review their exposure, and implement a utility like Sentrigo’s to limit their risk."
 
Who Is Affected?
 
Organizations running in mixed authentication mode (also known as “SQL Server and Windows Authentication Mode”) are vulnerable to this password exposure. Affected versions:
 
  • SQL Server 2000, 2005, and 2008, running on all supported Windows platforms
 
Microsoft SQL Server customers who use Windows Authentication mode only are not exposed to this vulnerability.
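The following T-SQL is an added example for readers checking their own exposure; it is not part of the Sentrigo utility or the original release. It reports whether the instance runs in mixed mode (the configuration the release says is affected) and lists the logins that authenticate with a SQL Server password, since those are the credentials at issue. It assumes SQL Server 2005 or later for the sys.sql_logins catalog view and that the caller holds VIEW ANY DEFINITION (or sysadmin) so that all logins are visible.

```sql
-- Added check (not Sentrigo's code): is this instance in the affected
-- "SQL Server and Windows Authentication" (mixed) mode?
-- SERVERPROPERTY('IsIntegratedSecurityOnly') returns 1 for Windows-only
-- authentication and 0 for mixed mode; it is cast because the property
-- is returned as sql_variant.
SELECT
    CASE CAST(SERVERPROPERTY('IsIntegratedSecurityOnly') AS int)
        WHEN 1 THEN 'Windows Authentication mode only - not affected'
        WHEN 0 THEN 'Mixed mode (SQL Server and Windows Authentication) - affected'
        ELSE 'Unknown'
    END AS authentication_mode,
    SERVERPROPERTY('ProductVersion') AS product_version;

-- Logins that authenticate with a SQL Server password (Windows logins are
-- not in this view). On an affected instance in mixed mode, each of these is
-- a credential whose clear-text value may be present in server memory after
-- a SQL Server authentication; review whether each login is still required.
-- Assumes SQL Server 2005+; on SQL Server 2000 query master..syslogins
-- WHERE isntname = 0 instead. Internal '##...##' certificate logins are skipped.
SELECT name, is_disabled, create_date, modify_date
FROM sys.sql_logins
WHERE name NOT LIKE '##%'
ORDER BY name;
```

Run both statements from a sysadmin session on each instance in scope; an instance reporting Windows-only mode needs no further action for this issue, while a mixed-mode instance with active SQL logins is the case the release describes.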
 
Upon making the discovery, Sentrigo immediately alerted the MSRC team at Microsoft to the vulnerability. However, Microsoft has indicated that they do not intend to address the vulnerability at this time, and therefore Sentrigo is releasing a free software utility to allow users to protect their systems. The Common Vulnerabilities and Exposures (CVE) project has assigned the name CVE-2009-3039 to this issue. This is a candidate for inclusion in the CVE list (http://cve.mitre.org), which standardizes names for security problems.
 
For further information on how this vulnerability may affect your SQL Server environment, or to download the free utility to remove passwords from memory, please visit: www.sentrigo.com/passwords/
 
About Sentrigo
Sentrigo, Inc. is a recognized innovator in database security. The company’s Hedgehog software provides full-visibility database activity monitoring and real-time protection and has been rapidly adopted by Global 2000 companies to defend mission-critical data against insider misuse as well as outsider intrusion. Enterprises across industry sectors are also using Sentrigo Hedgehog to accelerate compliance with regulatory requirements such as PCI DSS, Sarbanes-Oxley and HIPAA. Sentrigo has won wide acclaim for its industry and technology leadership by publications such as Network World and SC Magazine. For additional information or to download a free trial, visit www.sentrigo.com.
 
Sentrigo, Sentrigo Hedgehog, Hedgehog Identifier, Hedgehog vPatch and the Sentrigo logo are trademarks of Sentrigo, Inc. All other trademarks are the property of their respective holders.
 
# # #
 
Media Contacts:
Tim Whitman and Shweta Agarwal
Schwartz Communications, Inc.
781-684-0770