SQLServerCentral Article

Security Alerts and Information


SQL Server Security Alerts and Information

Every piece of software has security issues and SQL Server is no exception. Because this is a server product and many DBAs do not manage the external security for their systems, I often find unpatched servers with vulnerabilities. Now there are not too many alerts for SQL Server, but there are a few. Below are links to patches as well as other resources for keeping informed.

I will continue to update this area as new alerts are released. Please check back periodically for updates. I will also be adding some articles on SQL Security and best practices that should be followed.

Security Alerts


New Security Alert (Released 6-12-01):
SQL Query Method Enables Cached Administrator Connection to be Reused

A new alert was released on June 12, 2001 that affects SQL Server 7 and SQL Server 2000.

Technical description:
When a client connection to a SQL Server is terminated, it remains cached for a short period of time for performance reasons. One SQL query method contains a flaw that has the effect of making it possible for one user’s query to reuse a cached connection that belonged to the sa account.

Exploiting this vulnerability would enable an attacker to execute the query using the administrator’s security context. This would give her the ability to take any desired action on the database; moreover, it would give her the ability to run extended stored procedures, thereby giving her the opportunity to run code of her choice and assume de facto control of the server itself.


http://www.microsoft.com/technet/security/bulletin/MS01-018.asp

Visual Studio VB T-SQL Object Contains Unchecked Buffer.

If you develop applications or install applications developed in VB, this is a possible security risk. Your developers may want to apply this patch, though I am not sure how much of a risk this is.


http://www.sans.org/newlook/alerts/NTE-bank.htm

If you use NT in an e-commerce environment read this!

The SANS Institute released this notice after being informed of attacks by the FBI. Eastern European hackers appear to be targeting NT e-commerce sites for extortion. You can get the tool to scan your systems from The Center for Internet Security here.


http://www.microsoft.com/technet/security/bulletin/MS01-013.asp

A critical alert for all Windows 2000 Servers. Let your system admins know about this one.


Service Pack 3 for SQL Server v7.0

Service pack 3 is available for SQL Server 7.0 and fixes a number of bugs and security holes. The fix list is at Q274797 and includes the version numbers for all service packs.


Patch Available for Extended Stored Procedure Parameter Parsing Vulnerability (December 2000)

A patch was posted December 1, 2000 for a vulnerability in extended stored procedures. A malicious user could cause a buffer overrun to occur with a sufficiently long parameter. While not a likely risk for most installations, you should read this to see if you are affected. SQL 7, MSDE, and SQL 2000 are affected.


Patch Available for DTS Password Vulnerability

There is a bug in v7.0 that would allow a user to view the passwords that are stored in DTS packages. The patch prevents anyone other than sa or the package creator from accessing these passwords.


Patch Available for Stored Procedure Permissions Vulnerability

A user without EXECUTE permissions could possibly execute a stored procedure if certain conditions exist in your server. This is NOT patched in SP2.


Service Pack 2

While you should definitely test them, Service Packs are a must install. They contain many fixes and once you have tested them, you should definitely install them on your server.


C2 Security

Microsoft SQL Server 2000 has received the C2 security rating from the National Security Administration (NSA), which was one of the goals that the SQL Server development team mentioned at TechEd 2000. One of the main items that allowed this goal to be met was the enhanced Profiler auditing of the events that occur inside SQL Server.

Microsoft has published documents that describe the C2 setup of SQL Server. There are a couple of important caveats to be aware of for securing SQL Server at the C2 level.

  • NT 4.0 is required as the OS and it must be secured as a C2 system.
  • NT authentication is required. SQL Security is not supported, therefore you cannot really secure the server in many installations.
  • Only transactional replication is supported.
  • The following are not included in the evaluation: SQL Mail, Full Text Search, English Query, DTC, Meta Data Services, and Analysis Services. SQL Mail alone is a reason many sites (mine included) would not even try to implement this level of security.

I am not sure who really needs C2 (outside of the military) and it appears to require only the base RDBMS engine and a bunch of management effort. While probably worth it in some instances, I would not recommend anyone implement this as a marketing move, unless you truly want to be a full-time administrator.

The official NSA document is here.


Security resources

Screen Savers For Security Professionals - (New)

Microsoft has released a screen saver that will remind you of The Ten Immutable Laws of Security and The Ten Immutable Laws of Security Administration.

The Ten Immutable Laws of Security Administration

"The most important tool here isn't a software tool – it's procedures."

A direct quote from this article and worth the read alone. This is a good article on security fundamentals that can apply to SQL Server.

The Definition Of A Security Vulnerability

At least according to Microsoft. This is worth a read to understand why and how patches are created and the madness behind the methodology for when they are released.

Data Security and Data Availability for End Systems

White paper discussing data security. This is more of a system administrator's view from the Windows 2000 security standpoint, but a good read for DBAs to understand some of the vulnerabilities that are out there and where security can be compromised. It's easy to get paranoid when reading something like this, so don't go out there and start quizzing your sysops, but you might check and see how many of these things are implemented at your site.

Microsoft SQL Server 2000 Security

White paper for system administrators outlining new security features in SQL 2000.

Microsoft Security

A good source for security bulletins and patches that Microsoft has released.

Tour of the Microsoft Security Response Center

A tour as Microsoft attempts to address the security concerns. IMHO a nice step forward in providing Enterprise level products.

NT BugTraq

An independent source for tracking bugs in NT/2000 software. Maintains a mailing list as well as links to a variety of patches and commentary on bugs.

CERT

Carnegie Mellon University's Computer Emergency Response Team. This is the organization that should be informed of all attacks. They provide a clearinghouse for information related to security. Unfortunately this has not been used as much as it could.

SANS

Another security organization that I belong to and receive alerts from. They have some good resources for securing your systems.

Return to Steve Jones Home
