
Sentrigo Uncovers Significant Password Exposure Vulnerability in Microsoft SQL Server

Sentrigo, Inc., the innovator in database security software, today announced that it has discovered a significant vulnerability in Microsoft SQL Server that allows any user with administrative privileges to openly see the unencrypted passwords of other users, or the credentials presented by applications that access the server using SQL Server authentication. So that all SQL Server users can quickly protect their systems, Sentrigo has released a free utility to erase these passwords from memory, which can be downloaded starting today from the company’s website.

The security vulnerability was found by a member of Sentrigo’s Red Team, a group of security researchers who focus on database applications in order to uncover security issues and create protections against them. With the increasing enforcement of strong password criteria, users often reuse a set of common passwords across multiple systems, including both business systems and their personal applications. A study by Microsoft presented at the World Wide Web Conference (W3C) in May 2007 found that users had roughly 25 accounts requiring passwords, yet on average used only 6-7 unique passwords across all sites. If compromised, these passwords could allow attackers to target additional systems within the organization, as well as personal accounts where the user may use the identical password.

“In the course of ongoing security research into SQL Server databases, one of our researchers noticed that the unique string of their personal password was clearly visible in memory in SQL Server,” said Slavik Markovich, CTO of Sentrigo. “While it is true that exploiting this vulnerability requires administrative access, it is common for multiple users to have this privilege within most IT organizations. Even if that person is entirely trustworthy, they should never be able to see another user’s actual password. Furthermore, the risk of a hacker gaining administrative access to a server is always present, and the exposure of additional user passwords could greatly expand the breach to other systems.”

While administrators can normally reset a user’s password if needed, security best practice does not allow even administrators to see other users’ actual passwords. Furthermore, applications go to great lengths to obfuscate passwords when they are needed within the software, and should not hold passwords as clear text, either in memory (as is the case with this vulnerability) or on disk. The problem is compounded because many enterprises must comply with standards and regulations that require strict segregation of duties, which is clearly violated when users’ passwords are visible to administrators.

“Sentrigo followed a proper course of action, by informing the vendor first, and allowing time for a fix to be released,” said Alexander Kornbrust, CEO of Red Database Security. “When it is clear that the vendor does not intend to address the issue, it is in the best interest of the entire SQL Server community to share the existence of the threat and provide an immediate solution. This vulnerability represents a credible threat to any organization running SQL Server, and I recommend IT organizations review their exposure, and implement a utility like Sentrigo’s to limit their risk.”

Who Is Affected?

Organizations running SQL Server 2000, 2005 or 2008 on any supported Windows platform and using mixed authentication mode (also known as “SQL Server and Windows Authentication Mode”) are vulnerable to this password exposure.

Microsoft SQL Server customers who are using Windows Authentication mode only are not exposed to this vulnerability.
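As an added example (not Sentrigo’s utility and not part of the release), the following read-only T-SQL checks an instance against the conditions above: whether mixed mode is enabled, which SQL Server-authenticated logins exist, and which principals hold the administrative role that the release says is required to read the passwords. It assumes SQL Server 2005 or later for the catalog views; SERVERPROPERTY, sys.sql_logins, sys.server_principals and sys.server_role_members are standard objects.

```sql
-- Added example, not code from Sentrigo or the press release.
-- Run as a member of sysadmin on the instance being assessed.

-- 1. Authentication mode. IsIntegratedSecurityOnly = 1 means Windows
--    Authentication only (not exposed); 0 means mixed mode (exposed).
SELECT
    SERVERPROPERTY('ProductVersion')           AS product_version,
    SERVERPROPERTY('Edition')                  AS edition,
    SERVERPROPERTY('IsIntegratedSecurityOnly') AS windows_auth_only,
    CASE CAST(SERVERPROPERTY('IsIntegratedSecurityOnly') AS int)
        WHEN 1 THEN 'Windows Authentication only: not exposed'
        WHEN 0 THEN 'Mixed mode: SQL logins exposed (CVE-2009-3039)'
        ELSE 'Unknown: check the instance login mode manually'
    END AS assessment;

-- 2. SQL Server-authenticated logins: these are the credentials at risk in
--    mixed mode. (sys.sql_logins needs SQL Server 2005 or later; on SQL
--    Server 2000 use master..syslogins WHERE isntname = 0 instead.)
SELECT name, is_disabled, create_date, modify_date
FROM sys.sql_logins
ORDER BY name;

-- 3. Who holds sysadmin, i.e. the privilege level the release says is needed
--    to read other users' passwords from memory. Fewer members = less exposure.
SELECT m.name AS member_name, m.type_desc AS member_type
FROM sys.server_role_members AS rm
JOIN sys.server_principals AS r ON r.principal_id = rm.role_principal_id
JOIN sys.server_principals AS m ON m.principal_id = rm.member_principal_id
WHERE r.name = N'sysadmin'
ORDER BY m.name;
```

If the first query reports mixed mode and the instance does not need SQL logins, switching to Windows Authentication only removes the exposure the release describes; otherwise the second and third result sets show which credentials and which administrators to review.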

Upon making the discovery, Sentrigo immediately alerted the MSRC team at Microsoft to the vulnerability. However, Microsoft has indicated that they do not intend to address the vulnerability at this time, and therefore Sentrigo is releasing a free software utility to allow users to protect their systems. The Common Vulnerabilities and Exposures (CVE) project has assigned the name CVE-2009-3039 to this issue. This is a candidate for inclusion in the CVE list (http://cve.mitre.org), which standardizes names for security problems.

For further information on how this vulnerability may affect your SQL Server environment, or to download the free utility to remove passwords from memory, please visit: www.sentrigo.com/passwords/.

About Sentrigo

Sentrigo, Inc. is a recognized innovator in database security. The company’s Hedgehog software provides full-visibility database activity monitoring and real-time protection and has been rapidly adopted by Global 2000 companies to defend mission-critical data against insider misuse as well as outsider intrusion. Enterprises across industry sectors are also using Sentrigo Hedgehog to accelerate compliance with regulatory requirements such as PCI DSS, Sarbanes-Oxley and HIPAA. Sentrigo has won wide acclaim for its industry and technology leadership by publications such as Network World and SC Magazine. For additional information or to download a free trial, visit www.sentrigo.com.

Sentrigo, Sentrigo Hedgehog, Hedgehog Identifier, Hedgehog vPatch and the Sentrigo logo are trademarks of Sentrigo, Inc. All other trademarks are the property of their respective holders.


Copyright © 2009 Business Wire. All rights reserved. Republication or redistribution of Business Wire content is expressly prohibited without the prior written consent of Business Wire. Business Wire shall not be liable for any errors or delays in the content, or for any actions taken in reliance thereon.
