Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Vulnerabilities / Threats

SQL Vulnerability Leaves Passwords In The Clear, Researchers Say

With no patch forthcoming from Microsoft, Sentrigo launches workaround for flaw

A vulnerability in Microsoft SQL Server could enable any user with administrative privileges to openly see the unencrypted passwords of all other users, researchers said today.

Researchers at database security vendor Sentrigo say that in SQL Server 2000 or 2005, administrators can view all of the passwords used since the server went online by reviewing its process memory. Under SQL Server 2008, the problem has been partially fixed, but an administrator with local access and a simple debugger could still view the passwords, Sentrigo says.

The vulnerability is most likely an insider threat because it requires administrative privileges, says Slavik Markovich, CTO of Sentrigo. However, it is also possible for a hacker to take advantage of the flaw by exploiting SQL injection, he says.

The flaw may not directly affect the data in the database, since an administrator would have access to that data already, Slavik says. But many people reuse their passwords for other applications, and it is possible that the vulnerability might lead to the compromise of other users' work or personal accounts.

"Worst case, it might lead to one administrator stealing bank account data from another administrator," Slavik says. "People are not supposed to reuse their passwords, but it's a reality that they do."

The Sentrigo researchers found the vulnerability last September and informed Microsoft, Slavik says. However, after nearly a year of discussion, Microsoft has indicated that it considers the issue to be "minor" and has no plans to issue a specific patch, he says.

"We did not agree with Microsoft's classification of this vulnerability as a minor issue, and felt that it was in the best interest of SQL Server users to make the vulnerability public and provide a utility to remove the passwords from memory," Sentrigo says. "If we discovered this information, there is a high likelihood others [who may not be as ethical] could find it as well and abuse it."

Sentrigo feels that the vulnerability is a danger because so many users employ the same passwords for multiple applications, and because so many breaches are engineered by privileged users and administrators.

"Many applications are deployed with administrative privileges," Sentrigo observes. "Hackers using a simple SQL injection vulnerability can now access administrative passwords, which may be used to penetrate other systems on the network, escalating the breach. This is even worse in the case of SQL Server 2000 and 2005, where this can be done remotely.

"Since Microsoft doesn't have immediate plans to fix this vulnerability, we felt that the knowledge regarding its existence -- together with a free utility to repair it -- should be available to the public sooner than later," Sentrigo says.

One well-known security researcher, who requested anonymity, disagrees. "This seems like a nonissue," the researcher says. "Anyone with the ability to read process memory would also have the ability to just hook the authentication code and capture passwords that way. For once, Microsoft is right to ignore it."

Sentrigo acknowledges that administrators have the authority to reset passwords, but "there is a big difference between being able to reset a password to either a system-generated password which the administrator would not see (or to a password the administrator chooses) and actually seeing a user's personal password," the researchers say. "The latter involves much greater risk, including access to additional systems the password may be used on, potentially enabling access to user's private data, such as bank or brokerage accounts."

The Sentrigo fix, which the company has dubbed Passwordizer, replaces the password data with asterisks, making it impossible for administrators to read the passwords in memory. The utility is available now for free and works on any version of SQL Server.

Have a comment on this story? Please click "Discuss" below. If you'd like to contact Dark Reading's editors directly, send us a message. Tim Wilson is Editor in Chief and co-founder of Dark Reading.com, UBM Tech's online community for information security professionals. He is responsible for managing the site, assigning and editing content, and writing breaking news stories. Wilson has been recognized as one ... View Full Bio

 

Recommended Reading:

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
COVID-19: Latest Security News & Commentary
Dark Reading Staff 8/3/2020
Pen Testers Who Got Arrested Doing Their Jobs Tell All
Kelly Jackson Higgins, Executive Editor at Dark Reading,  8/5/2020
New 'Nanodegree' Program Provides Hands-On Cybersecurity Training
Nicole Ferraro, Contributing Writer,  8/3/2020
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Current Issue
Special Report: Computing's New Normal, a Dark Reading Perspective
This special report examines how IT security organizations have adapted to the "new normal" of computing and what the long-term effects will be. Read it and get a unique set of perspectives on issues ranging from new threats & vulnerabilities as a result of remote working to how enterprise security strategy will be affected long term.
Flash Poll
The Changing Face of Threat Intelligence
The Changing Face of Threat Intelligence
This special report takes a look at how enterprises are using threat intelligence, as well as emerging best practices for integrating threat intel into security operations and incident response. Download it today!
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2020-15058
PUBLISHED: 2020-08-07
Lindy 42633 4-Port USB 2.0 Gigabit Network Server 2.078.000 devices allow an attacker on the same network to elevate privileges because the administrative password can be discovered by sniffing unencrypted UDP traffic.
CVE-2020-15059
PUBLISHED: 2020-08-07
Lindy 42633 4-Port USB 2.0 Gigabit Network Server 2.078.000 devices allow an attacker on the same network to bypass authentication via a web-administration request that lacks a password parameter.
CVE-2020-15060
PUBLISHED: 2020-08-07
Lindy 42633 4-Port USB 2.0 Gigabit Network Server 2.078.000 devices allow an attacker on the same network to conduct persistent XSS attacks by leveraging administrative privileges to set a crafted server name.
CVE-2020-15061
PUBLISHED: 2020-08-07
Lindy 42633 4-Port USB 2.0 Gigabit Network Server 2.078.000 devices allow an attacker on the same network to denial-of-service the device via long input values.
CVE-2020-15062
PUBLISHED: 2020-08-07
DIGITUS DA-70254 4-Port Gigabit Network Hub 2.073.000.E0008 devices allow an attacker on the same network to elevate privileges because the administrative password can be discovered by sniffing unencrypted UDP traffic.