MS SQL Server Default Password
Created 5/23/02
CAN-2000-1209 (CVE-2000-1209)
Impact
A remote attacker could execute arbitrary commands on the
server.
Background
Microsoft SQL Server is a relational database server for Windows.
The same engine also ships as the Microsoft Data Engine (MSDE), which is
bundled with many third-party products, so an instance may be present on
a host without its administrator being aware of it.
The Problems
A system administrator login named "sa", a member of the sysadmin
fixed server role, is created when SQL Server is installed. By default,
this login has no password. If left unchanged, it could be used by a
remote attacker who can reach the server (TCP port 1433 by default) to
execute arbitrary operating system commands through the xp_cmdshell
extended stored procedure, which runs commands in the security context of
the SQL Server service account (frequently LocalSystem).
This vulnerability is actively exploited by the Spida worm (also
reported as SQLSnake and Digispid). The worm logs in to the "sa" login
with a blank password to infect systems, then sends sensitive information,
including Windows password hashes and database configuration, to an
external e-mail address. Finally, it scans for other vulnerable Microsoft
SQL Servers.
Resolution
Set a password for the "sa" login in Microsoft SQL Server, including on
any MSDE instances installed by other products. A non-guessable password
which is at least eight characters long and composed of letters, digits,
and non-alphanumeric characters is recommended. Where the applications
allow it, run the server in Windows Authentication mode so that SQL
logins such as "sa" cannot be used at all, and block TCP port 1433 at the
firewall for hosts that do not need to reach the database.
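As an added example (not part of the original advisory, and not a Microsoft script), the following T-SQL audits an instance for SQL logins that accept an empty password, sets a password on "sa", and reduces what a guessed password can do. The password string is a placeholder to be replaced with a generated value; the master..sysxlogins check for SQL Server 7.0/2000 is an assumption about that version's catalog layout (later versions use sys.sql_logins and PWDCOMPARE).

```sql
-- Added example, not from the original advisory. Run as a sysadmin.
-- Pick the statements that match your server version; the others will
-- error on an instance that lacks that catalog view or syntax.

-- 1. Audit: which SQL logins accept an empty password?
--    SQL Server 2008 and later: PWDCOMPARE tests a clear-text password
--    against the stored hash, so '' finds every blank-password login.
SELECT name
FROM sys.sql_logins
WHERE PWDCOMPARE('', password_hash) = 1;

--    SQL Server 7.0 / 2000: a blank password is stored as NULL in
--    master..sysxlogins (assumption about that version's catalog).
SELECT name
FROM master..sysxlogins
WHERE password IS NULL AND name = 'sa';

-- 2. Fix: set a strong password on "sa" (placeholder value below).
--    SQL Server 2005 and later:
ALTER LOGIN sa WITH PASSWORD = 'Replace-With-A-Long-Random-Passphrase-1!';
--    SQL Server 7.0 / 2000 (old password, new password, login name):
EXEC sp_password @old = NULL,
                 @new = 'Replace-With-A-Long-Random-Passphrase-1!',
                 @loginame = 'sa';

-- 3. Reduce the blast radius if a password is still guessed.
--    Disable xp_cmdshell (SQL Server 2005 and later, where it is off by
--    default; this also re-asserts that state after an enable):
EXEC sp_configure 'show advanced options', 1; RECONFIGURE;
EXEC sp_configure 'xp_cmdshell', 0;          RECONFIGURE;
--    Confirm the instance accepts Windows logins only (1) rather than
--    Mixed Mode (0); in Mixed Mode the "sa" password still matters:
SELECT SERVERPROPERTY('IsIntegratedSecurityOnly') AS windows_auth_only;
--    Optionally disable "sa" outright (SQL Server 2005 and later):
ALTER LOGIN sa DISABLE;
```

Re-run the audit query after the change: it should return no rows. Disabling "sa" does not remove the need for a strong password on it, since a future re-enable or a restore of master would otherwise bring the blank password back.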
Where can I read more about this?
For more information on this vulnerability, see CERT Vulnerability
Note VU#635463.
For more information on securing Microsoft SQL Server, see the SQL Server
security
page.
For more information on the Spida worm, see the
ISS Alert.