New Unpatched Flaw Surfaces in SQL Server

There is an unpatched flaw in Microsoft SQL Server that could enable an attacker to access users’ passwords on the database server. The vulnerability is in SQL Server 2000, 2005 and 2008.

The SQL Server vulnerability was discovered last fall by database-security vendor Sentrigo, which then reported the problem to Microsoft. But the software giant did not consider the problem serious enough to warrant a patch, Sentrigo officials said, so the weakness has remained unpatched for nearly a year. Sentrigo has released a free software tool that will address the problem, though it does not patch the vulnerability.

The tool, called Passwordizer, erases the cleartext passwords from the database server.

In a statement, Microsoft officials said the company is not planning to patch the flaw and does not see it as a problem that requires a security update.

The flaw lies in the way that SQL Server handles user passwords. By looking at the process memory, an administrator can see other users’ passwords in cleartext. However, in order to see the process memory dump, a user would have to have administrator rights already, a condition that limits the severity of the bug.

“Developers go to great lengths to ensure passwords are not even transmitted in clear text (for example at the time of login), let alone stored in a readable form. Users have come to expect that their personal passwords, are exactly that –personal – and that not even administrators can see them. Exploiting this vulnerability, an administrator will be able to see the passwords of users and applications that have connected to SQL Server, all the way back to the last restart,” said Slavik Markovich, CTO of Sentrigo. “We respectfully disagree with Microsoft’s view that since it requires administrative privileges, the risk is mitigated. Even if you trust your admins, there are plenty of hackers capable of gaining escalated privileges, who could now easily access other systems across the network using these passwords.”

The flaw can be exploited remotely in SQL Server 2000 and 2005, but in SQL Server 2008 Microsoft made a change to make it more difficult for administrators to access the memory, so an attacker would need local access to the machine in that case.