Password exposure vulnerability in Microsoft SQL Server

Sentrigo has discovered a vulnerability in Microsoft SQL Server that allows any user with administrative privileges to openly see the unencrypted passwords of other users, or the credentials presented by applications accessing the server using SQL Server authentication.

“In the course of ongoing security research into SQL Server databases, one of our researchers noticed that the unique string of their personal password was clearly visible in memory in SQL Server,” said Slavik Markovich, CTO of Sentrigo. “While it is true that exploiting this vulnerability requires administrative access, it is common for multiple users to have this privilege within most IT organizations. Even if that person is entirely trustworthy, they should never be able to see another user’s actual password. Furthermore, the risk of a hacker gaining administrative access to a server is always present, and the exposure of additional user passwords could greatly expand the breach to other systems.”

While administrators can normally “reset” a user’s password if needed, best practices in security do not allow even administrators to see the actual passwords of other users. Furthermore, applications go to great lengths to obfuscate passwords when they are needed within the software, and should not store passwords as “clear text”, either in memory (as is the case with this vulnerability) or on disk. This is an even greater problem as many enterprises need to comply with various standards and regulations that require strict segregation of duties, which is clearly violated by sharing user’s passwords with the administrators.

Organizations that are using SQL Server 2000, 2005 and 2008, running on all supported Windows platforms and are using the mixed authentication mode (also known as “SQL Server and Windows Authentication Mode”) are vulnerable to this password exposure.

Microsoft SQL Server customers who are using Windows Authentication mode only are not exposed to this vulnerability.