Microsoft SQL Server divulges passwords
Can an administrator represent a security problem? A spat is developing between database security solutions provider Sentrigo and Microsoft over just this question. Microsoft SQL Server apparently keeps the passwords of SQL Server logins in process memory in plain text, from where they can be read by administrators.
Sentrigo's point is that, since users often reuse the same password on different systems, this makes it unnecessarily easy for an attacker to compromise other applications. The passwords can be read remotely, that is over a normal database connection, in both SQL Server 2000 and SQL Server 2005. The DBCC command that allows memory contents to be read in this way has, however, been removed from SQL Server 2008.
Microsoft does not dispute that this possibility exists, but argues that an attacker must have administrator access to the system in order to be able to read from memory. Therefore, according to Microsoft, this does not represent a vulnerability. In their opinion, the chances of preventing a bad administrator from carrying out mischief or espionage are, anyway, extremely slim.
However, where an administrator's password has been stolen or cracked, or where an attacker can run commands with administrator rights, for example through an SQL injection vulnerability in an application that connects to the database with elevated privileges, non-administrators may also be able to get hold of these passwords.
In Sentrigo's opinion, for an administrator, be he good or bad, to be able to view passwords is in any case a breach of standard security best practice. It also notes that companies frequently have a role and privilege concept in place which forbids or prevents administrators from doing this. Most applications store passwords only as hashes, both on disk and in memory.
Sentrigo's Passwordizer tool provides protection from this problem by deleting these passwords from memory. In addition to the tool itself, Sentrigo has also written an FAQ on using the tool. According to Microsoft, SQL Server authentication, which is required for passwords to be held in memory at all, is not enabled by default. Instead SQL Server uses Windows authentication, in which the password is never passed to SQL Server and which therefore does not give rise to the same problem.
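Whether an instance is actually exposed in the way described above depends on two things: whether SQL Server authentication is enabled, and which SQL Server logins exist, in particular those that hold sysadmin. The following T-SQL is an added example written for this article, not a script from Sentrigo or Microsoft; it assumes SQL Server 2005 or later (the catalog views it uses do not exist in SQL Server 2000) and a connection with sufficient rights to read the server-level catalog.

```sql
-- Added audit example (not from the article, Sentrigo or Microsoft).
-- Assumes SQL Server 2005 or later and a login allowed to read the
-- server-level catalog views (e.g. a member of sysadmin or securityadmin).

-- 1. Authentication mode of the instance.
--    1 = Windows authentication only (the default at installation)
--    0 = mixed mode: SQL Server logins with passwords are accepted,
--        which is the precondition for passwords being held in memory.
SELECT SERVERPROPERTY('IsIntegratedSecurityOnly') AS windows_auth_only;

-- 2. SQL Server logins (type 'S'), i.e. accounts that authenticate with a
--    password that SQL Server itself receives and processes.
--    Windows users ('U') and groups ('G') are deliberately excluded.
SELECT name, is_disabled, create_date, modify_date
FROM sys.server_principals
WHERE type = 'S'
  AND name NOT LIKE '##%'      -- internal certificate-based logins
ORDER BY name;

-- 3. Members of the sysadmin role. These are the "administrators" of the
--    article: anyone listed here can run DBCC commands against the server,
--    including the memory-reading one discussed above (on 2000 and 2005).
--    A SQL Server login (type 'S') in this list is the case to look at first,
--    since such an account can be used from any client that can reach the
--    instance, without a Windows identity.
SELECT p.name, p.type_desc, p.is_disabled
FROM sys.server_principals AS p
JOIN sys.server_role_members AS m ON m.member_principal_id = p.principal_id
JOIN sys.server_principals  AS r ON r.principal_id = m.role_principal_id
WHERE r.name = 'sysadmin'
ORDER BY p.type_desc, p.name;
```

If the first query returns 0 and the second returns logins that are in daily use, the article's scenario applies to the instance; if Windows authentication only is in force, no SQL Server login can connect and the problem does not arise. On SQL Server 2000 the corresponding information lives in the legacy `master..syslogins` table (the `isntname` column is 0 for SQL Server logins and `sysadmin` is 1 for members of that role) rather than in the catalog views used here.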
- SQL Server information disclosure non-vulnerability, blog entry by Microsoft