Blank sa password on Microsoft SQL Server
mssql-no-sapassword (1459)
Description:
Microsoft SQL Server provides weaker than expected security. The default installation of Microsoft SQL Server sets no password on the sa account. If the sa account is left without a password, any user can act as administrator on the SQL server. A user who gains access to the sa account can also obtain administrator privileges on the underlying Windows NT server through commands such as "xp_cmdshell".
This vulnerability is exploited by the Cblade worm and the SQL Spida worm. See References for more information.
Platforms Affected:
- Microsoft, SQL Server
- Microsoft, Windows 2000
- Microsoft, Windows 2003 Server
- Microsoft, Windows NT 4.0
- Microsoft, Windows XP
Remedy:
Establish a password for the sa login that is difficult to guess. The password can be changed using the stored procedure "sp_password".
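The check and the remedy above as an added T-SQL example (not part of the X-Force record). It assumes SQL Server 7.0/2000, where login hashes live in master..syslogins, and shows the equivalent for SQL Server 2005 and later; the new password value is a placeholder.

```sql
-- Added example: detect a blank sa password, then set one.
-- SQL Server 7.0 / 2000: a NULL hash in master..syslogins means the
-- login has no password at all, which is the condition described above.
SELECT name
FROM master..syslogins
WHERE name = 'sa' AND password IS NULL;
-- Any row returned means sa is unprotected.

-- Remedy from the record: set a hard-to-guess sa password with sp_password.
-- @old is NULL because the current password is blank.
-- 'NewStrongPassphrase!2024' is a placeholder; generate your own value.
EXEC sp_password @old = NULL, @new = 'NewStrongPassphrase!2024', @loginame = 'sa';

-- Confirm the hash is now populated.
SELECT name,
       CASE WHEN password IS NULL THEN 'BLANK' ELSE 'SET' END AS sa_password_state
FROM master..syslogins
WHERE name = 'sa';

-- SQL Server 2005 and later: syslogins is only a compatibility view, so use
-- sys.sql_logins; PWDCOMPARE('', hash) = 1 flags any login whose password is empty.
SELECT name
FROM sys.sql_logins
WHERE PWDCOMPARE('', password_hash) = 1;

ALTER LOGIN sa WITH PASSWORD = 'NewStrongPassphrase!2024';
```

Setting the password closes the anonymous path but does not reduce what sa can do through xp_cmdshell; running the SQL Server service under a low-privilege account instead of LocalSystem limits that second step.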
Consequences:
Gain Access
References:
- BugTraq Mailing List, 2000-07-10 20:07:53, MSDE / Re: Default Password Database at http://marc.theaimsgroup.com/?l=bugtraq&m=96333895000350&w=2.
- BugTraq Mailing List, Tue Aug 15 2000 - 05:37:36 BST, MS-SQL 'sa' user exploit code at http://archives.neohapsis.com/archives/bugtraq/2000-08/0171.html.
- IBM Internet Security Systems X-Force Database, Cblade worm at http://xforce.iss.net/xforce/xfdb/7610.
- IBM Internet Security Systems X-Force Database, SQL Spida Worm Propagation at http://xforce.iss.net/xforce/xfdb/9124.
- Internet Security Systems Security Alert #118, Microsoft SQL Spida Worm Propagation at http://www.iss.net/xforce/alerts/id/advise118.
- Microsoft Knowledge Base Article 274773, FIX: If You Change Windows Security to Windows/SQL Security the SA Password is Blank at http://support.microsoft.com/default.aspx?scid=kb;[LN];274773.
- Microsoft Knowledge Base Article 313418, PRB: Unsecured SQL Server with Blank (NULL) SA Password Leaves Vulnerability to a Worm at http://support.microsoft.com/default.aspx?scid=kb;[LN];313418.
- SecuriTeam Mailing List, Windows NT focus 21 Aug 2000, Microsoft releases safeguard guide for the MS SQL blank 'sa' vulnerability at http://www.securiteam.com/windowsntfocus/5EP0O0K2AS.html.
- BID-4797: Microsoft MSDE/SQL Server 2000 Desktop Engine Default Configuration Vulnerability
- CVE-2000-1209: The sa account is installed with a default null password on (1) Microsoft SQL Server 2000, (2) SQL Server 7.0, and (3) Data Engine (MSDE) 1.0, including third party packages that use these products such as (4) Tumbleweed Secure Mail (MMS) (5) Compaq Insight Manager, and (6) Visio 2000, which allows remote attackers to gain privileges, as exploited by worms such as Voyager Alpha Force and Spida.
- OSVDB ID: 3570: Compaq Insight Manager Default Password
- US-CERT VU#635463: Microsoft SQL Server and Microsoft Data Engine (MSDE) ship with a null default password
Reported:
Dec 18, 1998
Copyright (c) 1994-2008 Internet Security Systems, Inc. All rights reserved worldwide.
