Finding Passwords

By Steve Jones, 2009/09/09

A vulnerability was announced last week (http://www.sentrigo.com) in SQL Server: administrators could potentially view all users' passwords in memory. Apparently these are stored in clear text in memory, and the company that discovered this, Sentrigo, also has a tool that "erases" them for you. Their Passwordizer is free and is supposed to remove the passwords from memory. I'm not sure about you, but I'm a little concerned about having any application mess with memory inside SQL Server.

Is that a big deal? After all, a few people pointed out that administrators could reset passwords. However, that's not the same thing. It's one thing for an administrator to make a change on SQL Server, but quite another for them to do it "as" another person and make it appear that the other person made the change. That could be a major issue. What if a DBA impersonated the CFO to approve a purchase order?

I don't really think that this vulnerability is a problem, at least not more of a problem than it was two weeks ago when it hadn't been disclosed. As it is, there are numerous tools that can crack a password hash as stored in SQL Server, and if you are an administrator, you can easily get the hashes. After all, if you know you are on a SQL Server, you know that these are stored in the master database. There is also the potential for a system administrator to use the EXECUTE AS command to impersonate another login.
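The attribution problem above (a DBA acting "as" another login with EXECUTE AS) is also what makes the abuse detectable: the original connecting login is still available to the server. As an added example, not code from the editorial, here is a server-level DDL trigger that records both the login that actually connected and the login the change appears to come from; the database name AuditDB, the trigger name, and the login cfo are assumptions.

```sql
-- Added example, not from the editorial. Assumed names: AuditDB, trg_AuditDdl, login [cfo].
USE AuditDB;
GO
CREATE TABLE dbo.DdlAudit (
    AuditId        int            IDENTITY(1,1) PRIMARY KEY,
    EventTime      datetime2      NOT NULL DEFAULT SYSUTCDATETIME(),
    EventType      sysname        NOT NULL,
    OriginalLogin  sysname        NOT NULL,   -- login that actually connected
    EffectiveLogin sysname        NOT NULL,   -- login the change appears to come from
    Impersonated   AS CASE WHEN OriginalLogin <> EffectiveLogin THEN 1 ELSE 0 END,
    CommandText    nvarchar(max)  NULL
);
GO
-- Server-scoped DDL trigger. It runs as sa so the insert succeeds regardless of the
-- (possibly impersonated) caller's permissions. ORIGINAL_LOGIN() is unaffected both by
-- an EXECUTE AS in the session and by the trigger's own context switch.
CREATE TRIGGER trg_AuditDdl
ON ALL SERVER
WITH EXECUTE AS 'sa'
FOR DDL_EVENTS
AS
BEGIN
    SET NOCOUNT ON;
    DECLARE @e xml = EVENTDATA();
    INSERT INTO AuditDB.dbo.DdlAudit (EventType, OriginalLogin, EffectiveLogin, CommandText)
    VALUES (
        @e.value('(/EVENT_INSTANCE/EventType)[1]', 'sysname'),
        ORIGINAL_LOGIN(),                                        -- the real DBA
        @e.value('(/EVENT_INSTANCE/LoginName)[1]', 'sysname'),   -- e.g. cfo after EXECUTE AS
        @e.value('(/EVENT_INSTANCE/TSQLCommand/CommandText)[1]', 'nvarchar(max)')
    );
END;
GO
-- Demonstration: a sysadmin switching context to cfo still leaves their own name in the audit.
-- (Assumes the constructed login cfo exists and may create tables in this database.)
EXECUTE AS LOGIN = 'cfo';
CREATE TABLE dbo.PurchaseOrderApprovals (Id int);   -- appears to have been done by cfo
REVERT;
GO
-- Rows where the two logins differ are exactly the "made it look like someone else" cases.
SELECT EventTime, EventType, OriginalLogin, EffectiveLogin, CommandText
FROM AuditDB.dbo.DdlAudit
WHERE Impersonated = 1;
```

The same ORIGINAL_LOGIN() versus effective-login comparison can be used in DML triggers or in SQL Server Audit specifications; the DDL trigger here only covers schema changes.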

Is it any harder to get hashes than get the clear text from memory? I don't know, but I'd wager that if you are smart enough to get them from memory, you can get them from the system views.

To me this seems to be a bit of an announcement to get some press for Sentrigo. They have other security products, and if they can detect vulnerabilities in SQL Server, they should be able to help you protect and audit your instance, right? Probably they can, but this vulnerability isn't a big deal.

Let me know if you disagree, or if you think there is something more here. Lots of SQL Server administrators would like to know if I am wrong about this.

Steve Jones


The Voice of the DBA Podcasts

The podcast feeds are available at sqlservercentral.mevio.com. Comments are definitely appreciated and wanted, and you can get feeds from there.

You can also follow Steve Jones on Twitter:

Overall RSS Feed: or now on iTunes!

Today's podcast features music by Everyday Jones. No relation, but I stumbled on to them and really like the music. Support this great duo at www.everydayjones.com.

I really appreciate and value feedback on the podcasts. Let us know what you like, don't like, or even send in ideas for the show. If you'd like to comment, post something here. The boss will be sure to read it.

Steve Jones
Editor, SQLServerCentral.com