Passwordizer

Passwordizer - FAQ

Announcement Background

What was announced?
Sentrigo announced that a security vulnerability was discovered in Microsoft SQL Server, whereby users' passwords can be read in clear text by reviewing the contents of the SQL Server process memory with widely available tools. In order to provide protection for all SQL Server systems, Sentrigo is making a tool that erases these passwords from memory available for download at no charge.
 
How big a threat is this?
In the opinion of our security research team, the ability for any user to see another user’s password is a serious issue.
 
With the increasing enforcement of strong password criteria, users often reuse a small set of passwords across multiple systems, including both business systems and their personal applications. Microsoft's own research, presented at the WWW 2007 conference in May 2007, found that users had about 25 accounts requiring passwords, yet used an average of only 6.5 distinct passwords across all of those logins (see http://research.microsoft.com/en-us/um/people/cormac/papers/www2007.pdf ). Thus, once a password is exposed, access to other applications beyond the administrator's own authority becomes possible, potentially including the user's private data such as bank or brokerage accounts.
 
But don’t you have to be an administrator to dump memory?
Yes, to read the memory of the SQL Server process a user must have administrative privileges on the host. However, in most organizations more than one individual has such access, and each of them could see the passwords of the others. Given that users often use the same password for multiple applications, as noted above, being able to see these passwords is not acceptable. In addition, since many applications connect to the database with administrative (sysadmin) privileges, a simple SQL injection vulnerability in such an application could be used to read the passwords from memory without any login to the host at all.
 
Can’t administrators just reset our passwords anyway?
There is a big difference between resetting a password (to a system-generated value the administrator never sees, or even to a value the administrator chooses) and actually seeing the password a user chose for themselves. The latter carries much greater risk: the same password may be in use on additional systems, potentially enabling access to the user's private data such as bank or brokerage accounts, and the user has no indication that anything happened.
 
Why didn’t you tell Microsoft about this, and let them solve it?
Sentrigo notified Microsoft in September 2008, when we initially discovered this vulnerability, as we have done for similar issues we have found previously with SQL Server, and as we do with other vendor software. However, we did not agree with Microsoft’s classification of this vulnerability as a minor issue, and felt that it was in the best interest of SQL Server users to make the vulnerability public, and provide a utility to remove the passwords from memory. If we discovered this information, there is a high likelihood others (who may not be as ethical) could find it as well and abuse it.
 
Why don’t you agree with Microsoft’s reaction?
As stated above, we disagree with Microsoft’s position for the following reasons:
 
  1. Even System Administrators should not have access to end users’ set of passwords, especially as users tend to reuse the same passwords across systems (e.g. DBAs might use the same passwords on testing environments as well as on sensitive databases in production).
  2. Most breaches are perpetrated by skilled insiders (e.g. System Administrators, programmers, etc). It is for this very reason that various standards and regulations mandate segregation of duties.
  3. Many applications are deployed with administrative privileges. Hackers using a simple SQL injection vulnerability can now access administrative passwords which may be used to penetrate other systems on the network, escalating the breach. This is even worse in the case of SQL Server 2000 and 2005 where this can be done remotely.
 
Since Microsoft does not have immediate plans to fix this vulnerability, we felt that the knowledge of its existence, together with a free utility to mitigate it, should be made available to the public at this time.
 
What versions of SQL Server are affected?
We have confirmed that the vulnerability exists in SQL Server 2000, SQL Server 2005, and SQL Server 2008, running on all supported Windows operating systems. In SQL Server 2008, Microsoft has made some changes to make it more difficult for users to access the memory (prior releases can be exploited remotely using DBCC), however the vulnerability can still be easily exploited locally in all versions. By running our simple software tool, you can see the first and last character of passwords as they are erased, demonstrating what is stored in memory.
 
 
Sentrigo’s Utility
 
How much does the software cost?
Sentrigo is making this software available for download free from our website, so that all users can install it immediately.
 
Are you planning to charge for updates later?
It was never Sentrigo’s plan to make money from this vulnerability. In fact, we expected Microsoft would schedule this for a patch as soon as possible, and simply credit us for discovering it. So, we don’t intend to charge for this in the future either.
 
Where can I get the utility?
The software can be downloaded by visiting http://www.sentrigo.com/passwords/ . You will be asked to provide a limited amount of information so that we may contact you if we make any updates to the tool, and to provide you with information on our other database security solutions.
 
Is the utility safe to install and run on production servers?
We have tested the utility on a range of different systems, and believe it to be safe to run on any SQL Server environment. However, we would still recommend as best practice testing the software in a staging environment if you have one before running it in production. Since the software does indeed modify memory (to clear the passwords), we ask all users to accept a disclaimer prior to downloading.
 
Are all user logins affected?
The vulnerability exists only when the SQL Server instance runs in Mixed Mode authentication (SQL Server and Windows Authentication), where SQL Server logins with their own passwords are typically used by DBAs, system administrators, developers, and application programmers. If you cannot install the utility, we strongly recommend that you use Windows Authentication only, in which case no SQL Server login passwords are sent to the server and you are not exposed to the vulnerability.
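The check a practitioner would want here, as an added example that is not part of Sentrigo's page or tool: confirm from a Windows Authentication session whether an instance runs in Mixed Mode, list the SQL Server logins that would leave clear-text passwords in memory, and (optionally) switch the instance to Windows Authentication only. It assumes Windows PowerShell with the .NET System.Data.SqlClient provider, a caller with sysadmin rights, and SQL Server 2005 or later for the sys.sql_logins catalog view (the SQL Server 2000 equivalent is noted in a comment). The name Set-SqlWindowsAuthOnly is this example's own; the change takes effect only after the service is restarted and will lock out every SQL login, so run it deliberately.

```powershell
# Added example, not Sentrigo's code. Assumes Windows PowerShell, System.Data.SqlClient,
# and sysadmin rights obtained through Windows Authentication (no SQL login password is
# sent, so the check itself does not add a clear-text password to process memory).
param([string]$Instance = ".")   # assumption: local default instance

function Open-SqlConnection {
    param([string]$ServerInstance)
    $conn = New-Object System.Data.SqlClient.SqlConnection
    $conn.ConnectionString = "Server=$ServerInstance;Database=master;Integrated Security=SSPI"
    $conn.Open()
    return $conn
}

function Get-SqlAuthMode {
    param([string]$ServerInstance)
    $conn = Open-SqlConnection $ServerInstance
    try {
        $cmd = $conn.CreateCommand()
        # SERVERPROPERTY('IsIntegratedSecurityOnly') is 1 for Windows-only, 0 for Mixed Mode
        # (available since SQL Server 2000).
        $cmd.CommandText = "SELECT CAST(SERVERPROPERTY('IsIntegratedSecurityOnly') AS int)"
        $winOnly = [int]$cmd.ExecuteScalar()

        $logins = @()
        if ($winOnly -eq 0) {
            # Enabled SQL logins are the accounts whose passwords end up in memory.
            # SQL Server 2000 equivalent: SELECT name FROM master..syslogins WHERE isntname = 0
            $cmd.CommandText = "SELECT name FROM sys.sql_logins WHERE is_disabled = 0 ORDER BY name"
            $rdr = $cmd.ExecuteReader()
            while ($rdr.Read()) { $logins += $rdr.GetString(0) }
            $rdr.Close()
        }
        New-Object PSObject -Property @{
            Instance        = $ServerInstance
            WindowsAuthOnly = ($winOnly -eq 1)
            SqlLogins       = $logins
        }
    } finally { $conn.Close() }
}

function Set-SqlWindowsAuthOnly {
    param([string]$ServerInstance)
    # LoginMode 1 = Windows Authentication only, 2 = Mixed Mode. xp_instance_regwrite
    # resolves the per-instance registry path; the setting is read at service start.
    $conn = Open-SqlConnection $ServerInstance
    try {
        $cmd = $conn.CreateCommand()
        $cmd.CommandText = "EXEC xp_instance_regwrite N'HKEY_LOCAL_MACHINE', " +
                           "N'Software\Microsoft\MSSQLServer\MSSQLServer', N'LoginMode', REG_DWORD, 1"
        [void]$cmd.ExecuteNonQuery()
        Write-Warning "LoginMode set to Windows-only on $ServerInstance; restart the SQL Server service to apply it."
    } finally { $conn.Close() }
}

$mode = Get-SqlAuthMode $Instance
if ($mode.WindowsAuthOnly) {
    "$($mode.Instance): Windows Authentication only - not exposed."
} else {
    "$($mode.Instance): Mixed Mode - $($mode.SqlLogins.Count) enabled SQL login(s) can leave clear-text passwords in memory:"
    $mode.SqlLogins | ForEach-Object { "  $_" }
    # To remediate instead of running Passwordizer periodically: Set-SqlWindowsAuthOnly $Instance
}
```

Run it as `.\Check-SqlAuthMode.ps1 -Instance "SERVER\INSTANCE"`. The listed logins are the ones to migrate to Windows accounts before switching the mode; applications that authenticate with a SQL login (and therefore typically with sysadmin rights, as the FAQ notes) are the usual blocker.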
 
Is my system secure after running the utility once?
Unfortunately not. As long as you use Mixed Mode authentication, every new login adds a new clear-text password to the process memory. We advise administrators to configure the utility to run periodically to clear passwords from memory, and to monitor the scheduled job so that you are alerted if it stops running or is disabled.
 
There are many tools available for scheduling jobs on Windows systems. For example, Windows provides the Task Scheduler component (see http://en.wikipedia.org/wiki/Task_Scheduler ), which can be used to schedule a script that identifies the relevant SQL Server process ID and launches Passwordizer. In addition, Windows provides mechanisms such as WMI to query the status of a task from a remote computer and validate that the task was indeed executed.
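The scheduling and verification the paragraph above describes, as an added example that is not Sentrigo's code: a PowerShell script that maps every running SQL Server service to its process ID through WMI, runs Passwordizer against each one, records the outcome in the Application event log, registers itself as a periodic Task Scheduler job, and checks from another machine, again through WMI, that the job actually ran. The path C:\Tools\Passwordizer.exe and the assumption that the tool takes the target process ID as its only argument are this example's own (the FAQ does not document the command line); the event source name "Passwordizer" is likewise an arbitrary choice.

```powershell
# Added example, not Sentrigo's code. Assumptions: Passwordizer.exe lives at the path below
# and accepts the SQL Server process ID as its only argument (adjust to the real syntax);
# the script runs elevated, which is required to touch another process's memory.
$PasswordizerPath = "C:\Tools\Passwordizer.exe"   # assumption
$EventSource      = "Passwordizer"                # assumption: custom event source, created once

function Get-SqlServerProcess {
    # One sqlservr.exe per instance: MSSQLSERVER (default) or MSSQL$<name> (named instance).
    # Win32_Service carries the PID, so no guessing from Get-Process is needed.
    Get-WmiObject -Class Win32_Service -Filter "State='Running' AND PathName LIKE '%sqlservr.exe%'" |
        ForEach-Object { New-Object PSObject -Property @{ Service = $_.Name; ProcessId = $_.ProcessId } }
}

function Invoke-Passwordizer {
    param([Parameter(Mandatory = $true)][int]$ProcessId, [string]$Service = "")
    $p = Start-Process -FilePath $PasswordizerPath -ArgumentList "$ProcessId" -Wait -PassThru -NoNewWindow
    $msg  = "Passwordizer run against $Service (PID $ProcessId) exited with code $($p.ExitCode)"
    $type = if ($p.ExitCode -eq 0) { "Information" } else { "Error" }
    # The Application log is a classic event log, so the entry is visible remotely via WMI.
    Write-EventLog -LogName Application -Source $EventSource -EventId 1000 -EntryType $type -Message $msg
    return $p.ExitCode
}

function Register-PasswordizerTask {
    param([Parameter(Mandatory = $true)][string]$ScriptPath, [int]$EveryMinutes = 60)
    if (-not [System.Diagnostics.EventLog]::SourceExists($EventSource)) {
        New-EventLog -LogName Application -Source $EventSource
    }
    # Run as SYSTEM every $EveryMinutes minutes; /F replaces an existing task of the same name.
    schtasks.exe /Create /F /SC MINUTE /MO $EveryMinutes /TN "Passwordizer" /RU SYSTEM `
        /TR "powershell.exe -NonInteractive -ExecutionPolicy Bypass -File `"$ScriptPath`""
}

function Test-PasswordizerRan {
    param([Parameter(Mandatory = $true)][string]$ComputerName, [int]$WithinMinutes = 90)
    # Remote verification: query the target's Application log through WMI for recent entries
    # from our source. No entry inside the window means the task stopped running or was disabled.
    $since  = [System.Management.ManagementDateTimeConverter]::ToDmtfDateTime((Get-Date).AddMinutes(-$WithinMinutes))
    $events = @(Get-WmiObject -ComputerName $ComputerName -Class Win32_NTLogEvent `
        -Filter "Logfile='Application' AND SourceName='$EventSource' AND TimeGenerated >= '$since'")
    $failed = @($events | Where-Object { $_.Type -eq "Error" })
    if ($events.Count -eq 0) {
        Write-Warning "${ComputerName}: no Passwordizer run in the last $WithinMinutes minutes (task disabled?)"
    } elseif ($failed.Count -gt 0) {
        Write-Warning "${ComputerName}: $($failed.Count) failed run(s): $($failed[0].Message)"
    }
    return ($events.Count -gt 0 -and $failed.Count -eq 0)
}

# Entry point when launched by the scheduled task; skipped when the file is dot-sourced
# to use Register-PasswordizerTask or Test-PasswordizerRan interactively.
if ($MyInvocation.InvocationName -ne ".") {
    foreach ($sql in Get-SqlServerProcess) {
        [void](Invoke-Passwordizer -ProcessId $sql.ProcessId -Service $sql.Service)
    }
}
```

Deploy with `. .\Run-Passwordizer.ps1; Register-PasswordizerTask -ScriptPath C:\Tools\Run-Passwordizer.ps1` on each database server, then from a monitoring host run `Test-PasswordizerRan -ComputerName dbserver01` on a schedule of its own; a false return is the "task was disabled" signal the FAQ asks you to watch for. The interval should be shorter than the time you are willing to let a freshly entered password sit in memory, since anyone who logs in between runs is exposed until the next one.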
 
 
Background on Sentrigo
 
Who is Sentrigo, and how did you find this vulnerability?
Sentrigo is a leading vendor of database security solutions, including solutions for Database Activity Monitoring, real-time Intrusion Prevention Systems, and Virtual Patching. Our software is used by customers across the globe to protect SQL Server, Oracle, and Sybase databases from external hackers as well as insider threats.
 
The vulnerability was discovered as a result of Sentrigo's research into attack vectors that hackers are likely to adopt. We invest in a dedicated team of security researchers, called the Red Team, to constantly analyze these systems for vulnerabilities. When a vulnerability is discovered, we notify the vendor and immediately provide protection through our Hedgehog product suite, protecting our customers' systems until a patch is released by the vendor and can be applied to all servers.
 
What other software do you provide?
Sentrigo offers a range of solutions for database security, including additional free applications, as well as enterprise-class products which may be purchased:
 
Hedgehog Enterprise™ is the only database activity monitoring product to provide full visibility into all activity, including local privileged access, protecting the database in real-time with actionable alerts and intrusion prevention capabilities.

Hedgehog is built on a memory-based architecture that cannot be bypassed by those who have direct access to the database. In addition, Hedgehog is uniquely suited for use in virtualized environments—unlike network-based appliances, Hedgehog sensors can transparently monitor transactions between virtual machines running within a physical server.
 
Hedgehog vPatch is a subscription service that protects customers’ databases against known and zero day exploits during the critical time from when a vulnerability is discovered until a vendor patch can be applied. Unlike vendor patching, Hedgehog vPatch requires no downtime or application testing.

Hedgehog IDentifier is an add-on to Hedgehog Enterprise for detecting the person responsible for database activity in a pooled connection environment. IDentifier allows companies to conduct full audits for compliance purposes and to enforce granular control over database access policies.
 
Hedgehog Standard™ is a free version of the powerful Hedgehog software for smaller database environments, and is limited to alerting only. For more information, or to download this and other Sentrigo database activity monitoring products, please visit http://www.sentrigo.com.
 
Repscan is a vulnerability assessment and security scanning solution for Oracle databases. Developed by Alexander Kornbrust of Red-Database-Security, one of the world's foremost authorities on Oracle security, Repscan provides a crystal clear picture of an Oracle database's security level with simple remediation instructions.
 
FuzzOr is an open source fuzzing tool for Oracle databases designed to identify vulnerabilities found in software applications written in PL/SQL code. The free utility allows PL/SQL programmers, database administrators (DBAs) and security professionals to identify and repair vulnerabilities that may be exploited via SQL injection and buffer overflow attacks—the most common techniques used by hackers to launch attacks on databases.
 

______________________________________________________________

What are the licensing terms for Passwordizer? 

Disclaimer:

Access to Passwordizer requires the user accept the license agreement, which includes the following Limitation of Liability: The Product is provided "AS IS". Sentrigo shall have no liability whatsoever in connection with or arising out of any use of the Product. You acknowledge that running the Product may result in memory corruption, database process crashing and loss and other unforeseeable results of intervention with the database memory. Sentrigo and its affiliates, suppliers, licensors, distributors or resellers shall not, under no circumstances and under no legal theory, including, but not limited to, tort, contract, negligence, strict liability, breach of warranty or otherwise, be liable to You or to any third party for any direct, indirect, special, incidental, or consequential or exemplary damages whatsoever (including, without limitation, damages for lost profits, business interruption, loss of business information, damage or destruction of data, loss of goodwill, work stoppage, accuracy of results, computer failure, malfunction, fire, electrical failure or short circuit, even if Sentrigo has been advised as to the possibility of such damages), or any other damages, including, without limitation, those arising out of the use of or inability to use the Product, and/or out of this Agreement and/or out of any relationship or agreement between Sentrigo and You, unless otherwise expressly stipulated in writing. The entire liability of Sentrigo (including its affiliates, suppliers, licensors, distributors or resellers) for damages of any kind whatsoever arising out of this Agreement or related in any way thereto shall be limited to the amount of US$1.00. The foregoing limitations shall apply even if Sentrigo shall have been informed of the possibility of such damages and notwithstanding the failure of essential purpose of any limited remedy.

 
