Horkay Blog
The postings on this site are my own and do not represent my Employer's positions, advice or strategies.
Wednesday, September 02, 2009

There are many emphases for the SQL DBA, and one of the major ones is security. Where I work, security and patching have taken on new importance over the past 12 months. Patching, which used to be a yearly event, is now monthly or even weekly. Combine that with SOX controls and other internal controls, and there is a real focus on security. Part of that is seen in SQL Server from Microsoft, kudos!

The product gained a new level of security with SQL Server 2005. Service Pack 2 gave us Login Triggers / Service Broker Events. SQL Server 2008 saw the Builtin\Administrators account gone (separation of duties) and even more controls.

Then today it was distressing to see a news report about Microsoft ignoring a vulnerability in SQL Server, basically dismissing it because anyone with administrator privileges already has control [What happened to separation of duties?]. The whole point of where security in SQL Server was going was to ensure that administrators could be properly segmented. Where I work they'd like to get to the point where a SQL DBA can't even view or query the data that they administer.

If you find the security vulnerability below to be an issue, then complain to Microsoft. Also, if you didn't know about this vulnerability, then you need to plug in to some other industry news sources to get your information on vulnerabilities and patches, as you can't always count on Microsoft to disclose issues.

-----Original Message-----
From: Security Wire Daily [mailto:SearchSecurity@lists.techtarget.com]
Sent: Wednesday, September 02, 2009 10:38 AM
Subject: New SQL Server password flaw surfaces

::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
SearchSecurity.com: Security Wire Daily
Breaking security news, the latest industry developments and trends
September 02, 2009
::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::

UNPATCHED VULNERABILITY DISCOVERED IN MICROSOFT SQL SERVER
Michael S. Mimoso, Editor, Information Security magazine

Microsoft SQL Server administrators are being warned today about an
unpatched vulnerability in the popular database software that exposes
user passwords in the clear, as well as credentials delivered by
applications trying to access the database server.

Researchers at San Mateo, Calif.-based Sentrigo Inc., announced the
flaw this morning, and also revealed that Microsoft has no immediate
plans to release a patch for the vulnerability. Sentrigo, meanwhile,
said it has developed a free utility that will erase these passwords
from memory.
Read more:
http://go.techtarget.com/r/9124859/8704472

Wednesday, September 02, 2009 12:19:21 PM (Central Standard Time, UTC-06:00) | Comments [3] | SQL Server
Wednesday, September 02, 2009 1:35:52 PM (Central Standard Time, UTC-06:00)
The reason most of us aren't making a big deal out of this is immutable law #6:

Law #6: A computer is only as secure as the administrator is trustworthy

If I have admin rights, I have debug rights. While you can do things to protect memory... yeah.


Thursday, September 03, 2009 7:23:06 AM (Central Standard Time, UTC-06:00)
I agree with Law #6, but I also believe that maintaining separation of duties between your administrators is extremely important.

The enterprise is too big to have one administrator be able to access everything. This vulnerability could allow a local administrator to gain control of the SQL Database.

With Microsoft's consistent release of cumulative updates, I can't believe they ignored this and just didn't roll it up with a CU; if nothing else just to stop discussions like this.
Thursday, September 03, 2009 7:58:40 AM (Central Standard Time, UTC-06:00)
A member of the local administrators group can already take control, though. Think about all the times a SQL Server is going to have to come down. Monthly patching is one example. When it does:

1) I can stop the SQL Server service and copy off the database files (EFS and TDE can stop this, to some extent).
2) I can restart SQL Server in single user mode and I now have sysadmin access, starting with SQL Server 2005 (this is a well-known backdoor).

Also:

3) I can use other methods of grabbing a previously logged on user's domain credentials (and this is hard to audit for). Meaning I can get the DBA's credentials.
4) As an admin I can root a DBA's box.

You get the idea. So what it all basically boils down to is you have to trust your admins but audit what they're doing. And the fact that an admin is logging on to a SQL Server box (with proper logging turned on, you'll even see the remote login) should generate some sort of check, if security is that tight on a box.
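The post mentions the Login Triggers that arrived with SQL Server 2005 SP2, and the comment above ends on "trust your admins but audit what they're doing". As an added example (not code from the post or any commenter), here is a logon trigger that leaves an audit row every time a member of the sysadmin role connects, so that an admin logging on to the box generates the check the commenter describes. The table and trigger names, and the use of `sa` as the execution context, are assumptions.

```sql
-- Added example, not from the original post: audit every sysadmin logon.
-- Object names (SysadminLogonAudit, trg_AuditSysadminLogon) are assumptions.
USE master;
GO
CREATE TABLE dbo.SysadminLogonAudit (
    AuditId    int IDENTITY(1,1) PRIMARY KEY,
    LogonTime  datetime2     NOT NULL DEFAULT SYSDATETIME(),
    LoginName  sysname       NOT NULL,
    HostName   sysname       NULL,   -- client-reported, can be spoofed
    ClientAddr varchar(48)   NULL,   -- from the server-side event data
    AppName    nvarchar(128) NULL
);
GO
CREATE TRIGGER trg_AuditSysadminLogon
ON ALL SERVER WITH EXECUTE AS 'sa'   -- needs a principal allowed to insert
FOR LOGON
AS
BEGIN
    -- Check the login that actually connected, not the EXECUTE AS context
    -- (IS_SRVROLEMEMBER with no login argument would always answer for 'sa').
    IF IS_SRVROLEMEMBER('sysadmin', ORIGINAL_LOGIN()) = 1
    BEGIN
        INSERT INTO master.dbo.SysadminLogonAudit
            (LoginName, HostName, ClientAddr, AppName)
        SELECT
            ORIGINAL_LOGIN(),
            HOST_NAME(),
            EVENTDATA().value('(/EVENT_INSTANCE/ClientHost)[1]', 'varchar(48)'),
            APP_NAME();
    END
    -- No ROLLBACK here: this trigger records, it does not deny. A ROLLBACK in
    -- a logon trigger refuses the connection.
END;
GO
-- Review: who connected as sysadmin, from where, and with which tool.
SELECT LogonTime, LoginName, HostName, ClientAddr, AppName
FROM master.dbo.SysadminLogonAudit
ORDER BY LogonTime DESC;
```

Because a sysadmin can clear this table, copy the rows off the box (for example with a scheduled job to a server the DBAs do not administer) if the audit is to survive the people it watches. Any error inside a logon trigger fails the logon for everyone, so test it with the Dedicated Administrator Connection available in case it must be dropped.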

