Microsoft SQL Server and Microsoft Data Engine (MSDE) ship with a null default password

Overview

Microsoft SQL Server and Microsoft Data Engine ship with a null default password on the administrative account sa. If the system administrator does not set the password, the system may be vulnerable to attack.

Description

Microsoft SQL Server (MS SQL) and Microsoft Data Engine (MSDE) ship without a default password on the administrative account sa, permitting unauthorized access via port 1433 TCP/UDP. As long as the server has a null password, gaining access to the _sa _account is trivial. While it may not be enabled under a default configuration, MSDE ships as a component of several applications such as Microsoft Office 2000 and Tumbleweed’s Secure Mail (MMS). Tumbleweed’s Secure Mail (MMS) Releases 4.3, 4.5, and 4.6 all ship with MSDE enabled and are vulnerable under the default configuration. A patch has been released to address this vulnerability on these versions of MMS and incorporated into the release of 4.7.

If the registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MSSQLServer\MSSQLServer is defined, then you have MS SQL Server or MSDE installed. You should check to see if the sa account exists and ensure that a password is set. Instructions to change the password are located at

http://msdn.microsoft.com/library/default.asp?url=/library/ en-us/modadmin/html/deconchangingsqlserveradministratorlogin.asp
http://msdn.microsoft.com/library/default.asp?url=/library/ en-us/adminsql/ad_1_server_5un8.asp

An NT administrator has the option to install MS SQL or MSDE with integrated security or in mixed mode. If you select integrated security you are not vulnerable; however, when mixed mode is chosen, the sa account is created without a password. For more information about this selection and how to change the password in mixed mode, please see

http://www.microsoft.com/Office/techinfo/productdoc/2002/ en/access/AboutEnablingMixedModeSecurityInAnAc.htm
<http://www.microsoft.com/sql&gt;

It should be noted that when installing Microsoft SQL Server 2000 (formerly MSDE), the application prompts for an sa password. If a blank password is entered, Microsoft SQL Server 2000 will display a warning but permit a blank password.

The CERT/CC is interested in receiving reports related to the “Kaiten” or “SQL Worm Spida” activity. If machines under your administrative control are compromised, please send mail to [email protected] with the following text included in the subject line: “[CERT#38873]”.

---

Impact

Through the use of various procedures such as xp_cmdshell(), an attacker can execute arbitrary commands on the system with whatever user privileges the Microsoft SQL services are running under. This is typically a user with “NT Authority\System”.

---

Solution

Set a password for your SQL Server on the**sa**** adminitration account.**

Following best practices, passwords should never be left at their default value. Ensure that a password has been assigned to the sa account on MS-SQL servers under your control.

---

Vendor Information

635463

Filter by status: All Affected Not Affected Unknown

Filter by content: __ Additional information available

__ Sort by: Status Alphabetical

Expand all

Javascript is disabled. Click here to view vendors.

Microsoft Corporation Affected

Notified: November 26, 2001 Updated: November 27, 2001

Status

Affected

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:[email protected]?Subject=VU%23635463 Feedback>).

Tumbleweed __ Affected

Updated: November 27, 2001

Status

Affected

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

Tumbleweed Secure Mail (MMS) releases 4.3, 4.5, and 4.6 all ship with MSDE enabled and are vulnerable under the default configuration. A patch has been released to address this vulnerability on these versions of MMS and incorporated into the release of 4.7.

If you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:[email protected]?Subject=VU%23635463 Feedback>).

CVSS Metrics

Group	Score	Vector
Base
Temporal
Environmental

References

• <http://support.microsoft.com/default.aspx?scid=kb;en-us;Q322336&gt;
• <http://msdn.microsoft.com/library/default.asp?url=/library/en-us/modadmin/html/deconchangingsqlserveradministratorlogin.asp&gt;
• <http://msdn.microsoft.com/library/default.asp?url=/library/en-us/adminsql/ad_1_server_5un8.asp&gt;
• <http://www.microsoft.com/Office/techinfo/productdoc/2002/en/access/AboutEnablingMixedModeSecurityInAnAc.htm&gt;
• <http://thompson.tumbleweed.com/NewKB/bulletin/UPFiles/sa-official.htm&gt;
• <http://www.tumbleweed.com/en/products/docs/mms/MMSRN.html&gt;
• <http://www.sqlmag.com/Articles/Index.cfm?ArticleID=7840&gt;
• <http://www.iss.net/security_center/static/1459.php&gt;
• <http://www.securityfocus.com/bid/4797&gt;

Acknowledgements

This document was written by Jason Rafail.

Other Information

CVE IDs:	CVE-2000-1209
Severity Metric:	33.75 Date Public: