Blank sa password on Microsoft SQL Server
mssql-no-sapassword (1459)
Description:
Microsoft SQL Server provides weaker than expected security. The default installation of Microsoft SQL Server 7.0, SQL Server 2000 and the Microsoft Data Engine (MSDE) 1.0, including third-party products that bundle them, creates the sa login with a blank (NULL) password. If the sa account is left without a password, anyone who can reach the SQL Server service can log in as sa, the built-in system administrator of the database server. An unauthorized user who has gained access to the sa account can also run operating-system commands on the Windows host, with the privileges of the SQL Server service account, by using extended stored procedures such as "xp_cmdshell".
This vulnerability is exploited by the Cblade worm and the SQL Spida worm. See References for more information.
Consequences:
Gain Access
Remedy:
Establish a password for the sa login that is difficult to guess. On SQL Server 7.0 and 2000 the password can be changed using the stored procedure "sp_password"; on SQL Server 2005 and later use the ALTER LOGIN statement instead. Note that switching the authentication mode from Windows-only to mixed mode can leave the sa password blank (see Microsoft Knowledge Base Article 274773), so re-check the sa password after any such change. Where it is not needed, also disable the "xp_cmdshell" extended stored procedure so that a compromised sa login cannot be turned into command execution on the host.
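The following T-SQL is an added illustration of the remedy, not part of the X-Force entry itself: it sets a password for sa on both old and current SQL Server versions, checks that no SQL login is left with a blank password, and closes the xp_cmdshell path mentioned in the description. The password value is a placeholder to be replaced; the queries in steps 3 and 4 assume SQL Server 2005 or later (sys.sql_logins and the sp_configure option did not exist in 7.0/2000).

```sql
-- Added example (not from the X-Force entry). Run as a sysadmin login.
-- Replace the placeholder password before use.

-- 1. SQL Server 7.0 / 2000: set a password for sa with sp_password.
--    The old password is NULL because the default installation left it blank.
EXEC sp_password NULL, 'Str0ng!Passphrase-CHANGE-ME', 'sa';

-- 2. SQL Server 2005 and later: sp_password is deprecated; use ALTER LOGIN.
ALTER LOGIN sa WITH PASSWORD = 'Str0ng!Passphrase-CHANGE-ME';

-- 3. Verify that no SQL login (sa or any other) still accepts an empty
--    password. PWDCOMPARE returns 1 when the clear-text value matches the
--    stored hash, so a correctly remediated server returns zero rows.
SELECT name
FROM sys.sql_logins
WHERE PWDCOMPARE('', password_hash) = 1;

-- 4. Disable xp_cmdshell unless it is genuinely required.
EXEC sp_configure 'show advanced options', 1;
RECONFIGURE;
EXEC sp_configure 'xp_cmdshell', 0;
RECONFIGURE;
```

Step 3 is the check worth scheduling: it catches the case from KB 274773 where a later change of authentication mode silently reintroduces a blank sa password, and it also flags any other SQL login that was created without one.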
References:
- BugTraq Mailing List, 2000-07-10 20:07:53: MSDE / Re: Default Password Database.
- BugTraq Mailing List, Tue Aug 15 2000 - 05:37:36 BST: MS-SQL 'sa' user exploit code.
- IBM Internet Security Systems X-Force Database: Cblade worm.
- IBM Internet Security Systems X-Force Database: SQL Spida Worm Propagation.
- Internet Security Systems Security Alert #118: Microsoft SQL Spida Worm Propagation.
- Microsoft Knowledge Base Article 274773: FIX: If You Change Windows Security to Windows/SQL Security the SA Password is Blank.
- Microsoft Knowledge Base Article 313418: PRB: Unsecured SQL Server with Blank (NULL) SA Password Leaves Vulnerability to a Worm.
- SecuriTeam Mailing List, Windows NT focus 21 Aug 2000: Microsoft releases safeguard guide for the MS SQL blank 'sa' vulnerability.
- BID-4797: Microsoft MSDE/SQL Server 2000 Desktop Engine Default Configuration Vulnerability
- CVE-2000-1209: The sa account is installed with a default null password on (1) Microsoft SQL Server 2000, (2) SQL Server 7.0, and (3) Data Engine (MSDE) 1.0, including third party packages that use these products such as (4) Tumbleweed Secure Mail (MMS) (5) Compaq Insight Manager, and (6) Visio 2000, which allows remote attackers to gain privileges, as exploited by worms such as Voyager Alpha Force and Spida.
- OSVDB ID: 3570: Compaq Insight Manager Default Password
- US-CERT VU#635463: Microsoft SQL Server and Microsoft Data Engine (MSDE) ship with a null default password
Platforms Affected:
- Microsoft SQL Server
- Microsoft Windows 2000
- Microsoft Windows 2003 Server
- Microsoft Windows NT 4.0
- Microsoft Windows XP
Reported:
Dec 18, 1998
The information within this database may change without notice. Use of this information constitutes acceptance for use in an AS IS condition. There are NO warranties, implied or otherwise, with regard to this information or its use. Any use of this information is at the user's risk. In no event shall the author/distributor (IBM Internet Security Systems X-Force) be held liable for any damages whatsoever arising out of or in connection with the use or spread of this information.
For corrections or additions please email xforce@us.ibm.com
