SQL Server information disclosure non-vulnerability

We’ve gotten some questions about a reported issue with SQL Server exposing plaintext user passwords. We investigated the issue and found that attackers would need administrative control of a SQL Server to extract passwords from it. We checked with the security researchers who reported the issue, and they confirmed that this is an information disclosure issue requiring the attacker to first have administrative control of the installation. Therefore, we do not consider this a bulletin-class vulnerability. As we have mentioned in previous blog entries, it is impossible to defend against a malicious administrator. In the end, you’ve simply got to trust your legitimate administrators and keep attackers from gaining administrative access (see Immutable Law of Security #6).

SQL Server 2008 installations actually have reduced exposure to this specific issue, as the SQL team has removed specific commands that enable SQL administrators to dump memory from within SQL. Also, neither SQL Server 2005 nor SQL Server 2008 has SQL authentication enabled by default. (If you use the default Windows Authentication Mode instead of SQL authentication, SQL Server does not receive or store your Windows credentials.) However, any compromised system into which you enter credentials is at risk from a malicious administrator. There are a few other ways for a malicious administrator to gain user credentials. It’s really very difficult to defend a program running on a system where an attacker has full administrative control.
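
The two exposure factors discussed above (whether SQL authentication is enabled, and who holds administrative control of the instance) can be checked with a short T-SQL audit. This is an added example, not part of the original post or Microsoft guidance; it assumes it is run by a login that is allowed to view all server principals and permissions.

```sql
-- Added example: audit the two exposure factors described in the post.
-- Assumption: run by a login that can see all server-level principals.

-- 1. Authentication mode. 1 = Windows Authentication only (the default),
--    0 = mixed mode, meaning SQL authentication is also accepted.
SELECT CASE CAST(SERVERPROPERTY('IsIntegratedSecurityOnly') AS int)
         WHEN 1 THEN 'Windows Authentication only'
         WHEN 0 THEN 'Mixed mode (SQL authentication enabled)'
         ELSE 'Unknown'
       END AS authentication_mode;

-- 2. Every principal in the sysadmin fixed server role. Each entry here is
--    an administrator the installation has to trust.
SELECT p.name, p.type_desc, p.is_disabled
FROM sys.server_role_members AS rm
JOIN sys.server_principals AS r
  ON r.principal_id = rm.role_principal_id
JOIN sys.server_principals AS p
  ON p.principal_id = rm.member_principal_id
WHERE r.name = N'sysadmin'
ORDER BY p.name;

-- 3. Principals granted CONTROL SERVER directly, which confers
--    administrative control without sysadmin membership.
SELECT p.name, p.type_desc, sp.state_desc
FROM sys.server_permissions AS sp
JOIN sys.server_principals AS p
  ON p.principal_id = sp.grantee_principal_id
WHERE sp.permission_name = N'CONTROL SERVER'
  AND sp.state IN ('G', 'W')   -- GRANT or GRANT WITH GRANT OPTION
ORDER BY p.name;

-- 4. Password-based SQL logins. These are the accounts whose credentials
--    the server handles when mixed mode is on.
SELECT name, is_disabled, is_policy_checked, is_expiration_checked
FROM sys.sql_logins
ORDER BY name;
```

An instance in Windows Authentication mode with a short, reviewed list from queries 2 and 3 matches the low-exposure configuration the post describes.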

Thanks to Ben Richeson from the MSRC Ops team and Al Comeau from the SQL team for help with this one.

– Jonathan Ness, MSRC Engineering

*Posting is provided “AS IS” with no warranties, and confers no rights.*