SQL Server Security Alerts and Information
Every piece of software has security issues and SQL Server is no exception.
Because this is server product and many DBAs do not manage the external security
for their systems, I often find unpatched servers with vulernabilities. Now there are
not too many alerts for SQL Server, but there are a few. Below are links to patches as
well as other resources for keeping informed.
I will continue to update this area as new alerts are released. Please check back
periodically for updates. I will also be adding some articles on SQL Security and
best practices that should be followed.
Security Alerts
New Security Alert (Released 6-12-01):
SQL Query Method Enables Cached Administrator Connection to be Reused
SQL Query Method Enables Cached Administrator Connection to be Reused
A new alert was released on June 12, 2001 that affects SQL Server 7 and SQL Server 2000
Technical description:
When a client connection to a SQL Server is
terminated, it remains cached for a short period of time for performance
reasons. One SQL query method contains a flaw that has the effect of making it
possible for one user’s query to reuse a cached connection that belonged to the
sa account.
Exploiting this vulnerability would enable an attacker to execute the query
using the administrator’s security context. This would give her the ability to
take any desired action on the database; moreover, it would give her the ability
to run extended stored procedures, thereby giving her the opportunity to run
code of her choice and assume de facto control of the server itself.
http://www.microsoft.com/technet/security/bulletin/MS01-018.asp
Visual Studio VB T-SQL Object Contains Unchecked Buffer.
If you develop applications or install applications developed in VB, this is a possible
security risk. Your developers may want to apply this patch, though I am not sure how
much of a risk this is.
http://www.sans.org/newlook/alerts/NTE-bank.htm
If you use NT in an e-commerce environment read this!
one.
The SANS Insitute released this notice after being informed of attacks by the FBI. Eastern Europe
hackers appear to be targeting NT e-commerce sites for extortion. You can get the tool to scan your
systems from The Center for Internet Security
here.
http://www.microsoft.com/technet/security/bulletin/MS01-013.asp
A critical alert for all Windows 2000 Servers. Let your system admins know about this
one.
Service Pack 3 for SQL Server v7.0
Service pack 3 is available for SQL Server 7.0 and fixes a number of bugs and security holes.
The fix list is at Q274797 and
includes the version numbers for all service packs.
Extended Stored Procedure Parameter Parsing Vulnerability (December 2000)
A patch was posted December 1, 2000 for a vulnerability in extended stored procedures. A malicious user
could cause a buffer overrun to occur with a sufficiently long parameter. While not a likely risk for most
installations, you should read this to see if you are affected. SQL 7, MSDE, and SQL 2000 are affected.
DTS Password Vulnerability
There is a bug in v7.0 that would allow a user to view the passwords that
are stored in DTS packages. The patch disallows non-sa or non-creators to access
these passwords.
Patch Available for
Stored Procedure Permissions Vulnerability
A user without EXECUTE permissions could possible execute a stored procedure if
certain conditions exist in your server. This is NOT patched in SP2.
Service Pack 2
While you should definitely test them, Service Packs are a must install. They contain
many fixes and once you have tested them, you should definitely install them on your server.
C2 Security
Microsoft SQL Server 2000 has received the C2 security rating from the National Security Administration (NSA) which was
one of the goals that the SQL Server development team mentioned at TechEd 2000. One of the main items that allowed
this goal to be met was the enhanced Profiler auditing of the events that occur inside SQL Server.
Microsoft has published documents that describes the C2 setup of SQL Server. There are a couple of
important caveats to be aware of for securing SQL Server at the C2 level.
- NT 4.0 is required as the OS and it must be secured as a C2 system.
- NT authentication is required. SQL Seucrity is not supported, therefore you cannot really secure the
server in many installations.
- Only transactional replication is supported.
- The following are not included in the evaluation: SQL Mail, Full Text Search, English Query,
DTC, Meta Data Services, and Analysis Services. The SQL Mail along is a reason many sites (mine included)
would not even try to implement this level of security.
I am not sure who really needs C2 (outside of the military) and it appears to require only the base RDBMS engine
and a bunch of management effort. While probably worth it in some instances, I would not recommend anyone
implement this as a marketing move. Unless you truly want to be a full time administrator.
The official NSA document is here.
Security resources
Screen Savers For Security Professionals
- (New)
Microsoft has released screen saver that will remind you of
The Ten Immutable Laws of Security
and The Ten Immutable Laws of Security
Administration.
Laws of Security Administration
"The most important tool here isn't a software tool – it's procedures."
A direct quote from this article and worth the read alone. This is good article on
security fundamentals that can apply to SQL Server.
Security Vulnerability
At least according to Microsoft. This is worth a read to understand why and how patches
are created and the madness behind the methodology for when they are released.
Data Availability for End Systems
White paper discussing data security. This is more of a system administrator's view from the
Windows 2000 security standpoint, but a good read for DBAs to understand some of the vulnerabilities
that are out there and where security can be comprimised. It's easy to get paranoid when reading something
like this, so don't go out there and start quizzing your sysops, but you might check and see how many of these
things are implemented at your site.
Server 2000 Security
White paper for system administrators outlining new security features in SQL 2000.
A good source for security bulletins and patches that Microsoft has released.
Tour of the Microsoft Security Response Center
A tour as Microsoft attempts to address the security concerns. IMHO a nice step forward
in providing Enterprise level products.
An independent source for tracking bugs in NT/2000 software. Maintains a mailing list
as well as links to a variety of patches and commentary on bugs.
Carnegie Mellon University's Computer Emergency Response Team. This is the organization
that should be informed of all attacks. They provide a clearinghouse for information
related to security. Unfortunately this has not been used as much as it could.
Another security organization that I belong to and receive alerts from. They have some good
resources for securing your systems.