Assaf Nativ, a member of Sentrigo’s security research team, found an interesting security issue in all versions of MS SQL Server. It turns out that SQL Server keeps the credentials (passwords) of users who log in with SQL Server native authentication in memory in clear text. Users who log in with Windows authentication are not affected. Although Microsoft recommends that only Windows authentication be used, the reality is that many instances are configured for mixed mode authentication, with applications and administrators connecting to the instance using native authentication.

We, of course, reported this to MSRC about a year ago but received a response saying that this is not a security issue because it requires administrative privileges to exploit. Well, we respectfully disagreed and approached MSRC several times but without success in changing their mind.

I believe that this is indeed a security flaw that should be fixed for the following reasons:

  • How many passwords do you use? For how many systems? You do the math 🙂. Most users reuse the same passwords across systems because it is impossible to remember a separate strong password for every system we use. Even administrators should not have access to end users’ passwords, since with them they can reach sensitive systems that were never opened to them.
  • Most breaches are perpetrated by skilled insiders (e.g. administrators, programmers). It is for this very reason that various standards and regulations mandate segregation of duties.
  • Many applications are deployed with administrative privileges. An attacker with a single SQL injection vulnerability can now read administrative passwords, which may be reused to penetrate other systems on the network, escalating the breach. This is even worse in the case of SQL Server 2000 and 2005, where it can be done remotely.
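The points above boil down to two questions an administrator should be able to answer: is the instance accepting native (SQL) authentication at all, and which native logins, in particular the privileged ones, have their credentials at stake? The following T-SQL is an added example written for this post; it is not part of the original article or of Sentrigo’s tool. It assumes SQL Server 2005 or later (the sys.* catalog views and DMVs it queries do not exist on SQL Server 2000) and a login that holds VIEW SERVER STATE and VIEW ANY DEFINITION.

```sql
-- Added exposure check (not from the original post or Sentrigo's tool).
-- Assumes SQL Server 2005+ and VIEW SERVER STATE / VIEW ANY DEFINITION.

-- 1. Authentication mode.
--    1 = Windows authentication only (not affected by this issue)
--    0 = mixed mode (native SQL logins accepted, passwords end up in memory)
SELECT SERVERPROPERTY('IsIntegratedSecurityOnly') AS windows_auth_only;

-- 2. Native (SQL-authenticated) logins, with sysadmin members listed first.
--    These are the accounts whose clear-text passwords the issue concerns;
--    a sysadmin SQL login used by an application is the worst case described above.
SELECT name,
       is_disabled,
       IS_SRVROLEMEMBER('sysadmin', name) AS is_sysadmin
FROM sys.sql_logins
ORDER BY is_sysadmin DESC, name;

-- 3. Sessions currently connected with native authentication.
--    Windows-authenticated sessions carry an NT identity; native ones do not,
--    so nt_user_name IS NULL identifies the connections whose credentials
--    went through SQL Server's own password check.
SELECT session_id, login_name, host_name, program_name, login_time
FROM sys.dm_exec_sessions
WHERE is_user_process = 1
  AND nt_user_name IS NULL
ORDER BY login_time;
```

If the first query returns 0 and the second lists sysadmin members, the instance is in exactly the configuration the post describes as most dangerous; the third query shows which applications and administrators are connecting that way right now, which is the list to work through when moving connections to Windows authentication or, at minimum, to dedicated low-privilege SQL logins.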

We at Sentrigo were convinced that SQL Server administrators out there should be aware of the danger and should also have a way to mitigate it, so we decided to publicize it and release a free tool to remove the clear text passwords from memory.

What do you think about this issue? I’d love to hear your thoughts.