Vulnerability Note VU#635463
Microsoft SQL Server and Microsoft Data Engine (MSDE) ship with a null default password
Overview
Microsoft SQL Server and Microsoft Data Engine ship with a null default password on the administrative account sa. If the system administrator does not set the password, the system may be vulnerable to attack.
Description
Microsoft SQL Server (MS SQL) and Microsoft Data Engine (MSDE) ship without a default password on the administrative account sa, permitting unauthorized access via port 1433 TCP/UDP. As long as the server has a null password, gaining access to the sa account is trivial. While it may not be enabled under a default configuration, MSDE ships as a component of several applications such as Microsoft Office 2000 and Tumbleweed's Secure Mail (MMS). Tumbleweed's Secure Mail (MMS) Releases 4.3, 4.5, and 4.6 all ship with MSDE enabled and are vulnerable under the default configuration. A patch has been released to address this vulnerability on these versions of MMS and incorporated into the release of 4.7. If the registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MSSQLServer\MSSQLServer is defined, then you have MS SQL Server or MSDE installed. You should check to see if the sa account exists and ensure that a password is set. Instructions to change the password are located at
http://msdn.microsoft.com/library/default.asp?url=/library/ en-us/adminsql/ad_1_server_5un8.asp
http://www.microsoft.com/sql It should be noted that when installing Microsoft SQL Server 2000 (formerly MSDE), the application prompts for an sa password. If a blank password is entered, Microsoft SQL Server 2000 will display a warning but permit a blank password. The CERT/CC is interested in receiving reports related to the "Kaiten" or "SQL Worm Spida" activity. If machines under your administrative control are compromised, please send mail to cert@cert.org with the following text included in the subject line: "[CERT#38873]". |
Impact
Through the use of various procedures such as xp_cmdshell(), an attacker can execute arbitrary commands on the system with whatever user privileges the Microsoft SQL services are running under. This is typically a user with "NT Authority\System". |
Solution
Set a password for your SQL Server on the sa adminitration account. |
Systems Affected (Learn More)
| Vendor | Status | Date Notified | Date Updated |
|---|---|---|---|
| Microsoft Corporation | Affected | 26 Nov 2001 | 27 Nov 2001 |
| Tumbleweed | Affected | - | 27 Nov 2001 |
CVSS Metrics (Learn More)
| Group | Score | Vector |
|---|---|---|
| Base | N/A | N/A |
| Temporal | N/A | N/A |
| Environmental | N/A | N/A |
References
- http://www.cert.org/incident_notes/IN-2001-13.html
- http://www.cert.org/incident_notes/IN-2002-04.html
- http://support.microsoft.com/default.aspx?scid=kb;en-us;Q322336
- http://msdn.microsoft.com/library/default.asp?url=/library/en-us/modadmin/html/deconchangingsqlserveradministratorlogin.asp
- http://msdn.microsoft.com/library/default.asp?url=/library/en-us/adminsql/ad_1_server_5un8.asp
- http://www.microsoft.com/Office/techinfo/productdoc/2002/en/access/AboutEnablingMixedModeSecurityInAnAc.htm
- http://thompson.tumbleweed.com/NewKB/bulletin/UPFiles/sa-official.htm
- http://www.tumbleweed.com/en/products/docs/mms/MMSRN.html
- http://www.sqlmag.com/Articles/Index.cfm?ArticleID=7840
- http://www.iss.net/security_center/static/1459.php
- http://www.securityfocus.com/bid/4797
Credit
This document was written by Jason Rafail.
Other Information
- CVE IDs: Unknown
- Date Public: 10 Aug 2000
- Date First Published: 27 Nov 2001
- Date Last Updated: 20 Jun 2002
- Severity Metric: 33.75
- Document Revision: 30
Feedback
If you have feedback, comments, or additional information about this vulnerability, please send us email.
View Notes By
Report a Vulnerability
Please use the Vulnerability Reporting Form to report a vulnerability. Alternatively, you can send us email. Be sure to read our vulnerability disclosure policy.