Researchers at database security vendor Sentrigo say that in SQL Server 2000 or 2005, administrators can view all of the passwords used since the server went online by reviewing its process memory. Under SQL Server 2008, the problem has been partially fixed, but an administrator with local access and a simple debugger could still view the passwords, Sentrigo says.
The vulnerability is most likely an insider threat because it requires administrative privileges, says Slavik Markovich, CTO of Sentrigo. However, it is also possible for a hacker to take advantage of the flaw by exploiting SQL injection, he says.
The flaw may not directly affect the data in the database, since an administrator would have access to that data already, Slavik says. But many people reuse their passwords for other applications, and it is possible that the vulnerability might lead to the compromise of other users' work or personal accounts.
"Worst case, it might lead to one administrator stealing bank account data from another administrator," Slavik says. "People are not supposed to reuse their passwords, but it's a reality that they do."
The Sentrigo researchers found the vulnerability last September and informed Microsoft, Slavik says. However, after nearly a year of discussion, Microsoft has indicated that it considers the issue to be "minor" and has no plans to issue a specific patch, he says.
"We did not agree with Microsoft's classification of this vulnerability as a minor issue, and felt that it was in the best interest of SQL Server users to make the vulnerability public and provide a utility to remove the passwords from memory," Sentrigo says. "If we discovered this information, there is a high likelihood others [who may not be as ethical] could find it as well and abuse it."
Sentrigo feels that the vulnerability is a danger because so many users employ the same passwords for multiple applications, and because so many breaches are engineered by privileged users and administrators.
"Many applications are deployed with administrative privileges," Sentrigo observes. "Hackers using a simple SQL injection vulnerability can now access administrative passwords, which may be used to penetrate other systems on the network, escalating the breach. This is even worse in the case of SQL Server 2000 and 2005, where this can be done remotely.
"Since Microsoft doesn't have immediate plans to fix this vulnerability, we felt that the knowledge regarding its existence -- together with a free utility to repair it -- should be available to the public sooner than later," Sentrigo says.
One well-known security researcher, who requested anonymity, disagrees. "This seems like a nonissue," the researcher says. "Anyone with the ability to read process memory would also have the ability to just hook the authentication code and capture passwords that way. For once, Microsoft is right to ignore it."
Sentrigo acknowledges that administrators have the authority to reset passwords, but "there is a big difference between being able to reset a password to either a system-generated password which the administrator would not see (or to a password the administrator chooses) and actually seeing a user's personal password," the researchers say. "The latter involves much greater risk, including access to additional systems the password may be used on, potentially enabling access to user's private data, such as bank or brokerage accounts."
The Sentrigo fix, which the company has dubbed Passwordizer, replaces the password data with asterisks, making it impossible for administrators to read the passwords in memory. The utility is available now for free and works on any version of SQL Server.
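The mitigation Sentrigo describes, overwriting the cleartext in memory once it is no longer needed, is the same discipline an application can apply to its own credential handling so that a password does not linger in the process image for anyone with memory-read access to find. The C example below is added here as an illustration; it is not Sentrigo's Passwordizer, nor Microsoft code, and the function names, the sample password and the cleartext comparison (a real system would compare against a salted hash) are constructed for the example. It shows a password check that scrubs its working buffer with asterisks through a volatile pointer, so the compiler cannot drop the writes as dead stores the way it may with a plain memset, plus a helper that verifies none of the cleartext remains.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Overwrite a secret in place with '*' (mirroring the asterisk fill the
 * article describes). A volatile pointer keeps the compiler from eliding
 * the writes as dead stores. Returns the number of bytes overwritten. */
size_t scrub_secret(char *buf, size_t len) {
    volatile char *p = (volatile char *)buf;
    for (size_t i = 0; i < len; i++) p[i] = '*';
    return len;
}

/* Constant-time comparison of two equal-length byte strings so the
 * timing does not reveal how many leading bytes matched. 1 = equal. */
int secret_equal(const char *a, const char *b, size_t len) {
    unsigned char diff = 0;
    for (size_t i = 0; i < len; i++) diff |= (unsigned char)(a[i] ^ b[i]);
    return diff == 0;
}

/* Copies the supplied password into the caller-owned `work` buffer,
 * compares it against `stored`, then scrubs `work` before returning.
 * `stored` is cleartext only to keep the example short (constructed
 * simplification); real systems hold a salted hash. Returns 1 on match. */
int check_password(const char *supplied, const char *stored,
                   char *work, size_t worklen) {
    size_t n = strlen(supplied);
    if (n >= worklen) return 0;           /* does not fit: treat as failure */
    memcpy(work, supplied, n + 1);
    int ok = (n == strlen(stored)) && secret_equal(work, stored, n);
    scrub_secret(work, worklen);           /* cleartext must not outlive the check */
    return ok;
}

/* Returns 1 if `secret` still appears anywhere in buf[0..buflen), 0 if not.
 * After a correct scrub this is 0 for any secret that is not all '*'. */
int contains_secret(const char *buf, size_t buflen, const char *secret) {
    size_t n = strlen(secret);
    if (n == 0 || n > buflen) return 0;
    for (size_t i = 0; i + n <= buflen; i++)
        if (memcmp(buf + i, secret, n) == 0) return 1;
    return 0;
}

int main(void) {
    char work[64];
    /* "hunter2" is a constructed sample password for the demonstration. */
    int ok = check_password("hunter2", "hunter2", work, sizeof work);
    printf("match=%d, cleartext still in buffer=%d\n",
           ok, contains_secret(work, sizeof work, "hunter2"));
    return 0;
}
```

The useful property to check in your own code is the second number printed: after the check returns, a scan of the working buffer should find no trace of the supplied password. The scrub does not help with copies the C library or the network stack may hold elsewhere, which is why the remaining caveat is to keep the number of places a cleartext credential is copied as small as possible.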