Unauthenticated access and UDP Amplification attack vulnerability in open MSSQL

Original Issue Date:-October 12, 2023
Severity:-High

Abstract:

A Microsoft SQL Server (MSSQL) instance that is exposed to the Internet on TCP port 1433, or whose SQL Server Browser service answers on UDP port 1434, is open to compromise by remote attackers. An unauthenticated remote attacker can enumerate the instances on the host, brute-force their logins and, once a login is obtained, run commands on the database server; the Browser service can additionally be abused as a reflector in UDP amplification attacks against third parties. The confidentiality, integrity and availability of the data can be compromised, causing significant loss of revenue, data and reputation.

Technical Description:

SQL Server uses two well-known ports. The default instance listens on TCP port 1433, while named instances are assigned a dynamic TCP port at start-up. The SQL Server Browser service (SQL Server Resolution Protocol, SSRP) listens on UDP port 1434 and, in reply to a single-byte query, returns the name, version and TCP port of every instance on the host; this is how clients locate named instances, and it is also how attackers find them. Because SSRP runs over UDP with no handshake and answers a 1-byte request with a response of several hundred bytes, an Internet-facing Browser service can be used as a reflector: the attacker spoofs the victim's address as the source of the query and the server delivers the amplified reply to the victim. Attackers also target Internet-exposed SQL Server instances with brute-force login attempts, most commonly against the sa account. Once a login is obtained, they make configuration changes such as enabling xp_cmdshell or Ole Automation Procedures so that the database server can be used to execute operating-system commands, and use that access for persistence and further compromise.

Vulnerability Assessment:

To validate whether a Microsoft SQL Server instance or its Browser service is reachable on a target device, run the commands below from an external network, and only against systems you are authorised to test:

Command:

To test whether the MS-SQL Server Resolution Service (SQL Server Browser, UDP 1434) is accessible:
  • netcat -u <IP address> 1434 ; then enter the control character ^B [CTRL-b] followed by Enter. The 0x02 byte is the SSRP CLNT_BCAST_EX request, which asks the server to list all its instances. The same single byte can be sent non-interactively with: printf '\x02' | netcat -u -w 2 <IP address> 1434 | strings
  • If the MS-SQL Server Resolution Service is accessible, information about the SQL Server instances is returned, including the NetBIOS name of the server, the instance names, their versions and their TCP ports. A reply of several hundred bytes to a 1-byte query shows that the service answers unauthenticated requests with a response far larger than the request, which is the property abused in UDP amplification.

Other command:
  • nmap -p 1433 --script ms-sql-info --script-args mssql.instance-port=1433 <host>
  • To query the Browser service instead of TCP 1433: nmap -sU -p 1434 --script ms-sql-info <host>
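The following PowerShell script is an added example and is not part of the original advisory. It does in code what the netcat step above does by hand: it sends the 1-byte CLNT_BCAST_EX request to UDP 1434, decodes the SVR_RESP reply according to the MC-SQLR layout (0x05, a little-endian 16-bit length, then ";"-separated key/value text with one ";;"-terminated block per instance), and reports the request-to-response size ratio that makes the service usable as an amplifier. The host name DBSRV01, the instance names and the ports in the constructed sample reply are assumptions, so the parser can be exercised offline; the live probe function is for hosts you are authorised to test.

```powershell
# Added example, not part of the advisory: query the SQL Server Browser service
# (SQL Server Resolution Protocol, MC-SQLR) on UDP 1434 and decode its reply.
# Host and instance names in the constructed sample below are assumptions.

function ConvertFrom-SsrpResponse {
    # SVR_RESP layout: 0x05, uint16 little-endian length, then ASCII text of
    # "key;value;key;value;...;;" blocks, one block per instance.
    param([Parameter(Mandatory)][byte[]]$Bytes)

    if ($Bytes.Length -lt 3 -or $Bytes[0] -ne 0x05) {
        throw 'Not an SSRP SVR_RESP packet (first byte must be 0x05)'
    }
    $len  = [BitConverter]::ToUInt16($Bytes, 1)
    $len  = [Math]::Min([int]$len, $Bytes.Length - 3)   # never trust the length field
    $text = [System.Text.Encoding]::ASCII.GetString($Bytes, 3, $len)

    foreach ($block in ($text -split ';;' | Where-Object { $_ -ne '' })) {
        $fields = $block -split ';'
        $props  = [ordered]@{}
        for ($i = 0; $i + 1 -lt $fields.Length; $i += 2) {
            $props[$fields[$i]] = $fields[$i + 1]
        }
        [pscustomobject]$props
    }
}

function Send-SsrpProbe {
    # Live probe: the same 1-byte CLNT_BCAST_EX request the netcat step sends.
    param([Parameter(Mandatory)][string]$Target, [int]$TimeoutMs = 3000)

    $udp = New-Object System.Net.Sockets.UdpClient
    try {
        $udp.Client.ReceiveTimeout = $TimeoutMs
        $udp.Connect($Target, 1434)
        $probe = [byte[]]@(0x02)
        [void]$udp.Send($probe, $probe.Length)
        $from  = New-Object System.Net.IPEndPoint([System.Net.IPAddress]::Any, 0)
        $reply = $udp.Receive([ref]$from)
        [pscustomobject]@{
            Target        = $Target
            RequestBytes  = $probe.Length
            ResponseBytes = $reply.Length
            Amplification = [Math]::Round($reply.Length / $probe.Length, 1)
            Instances     = @(ConvertFrom-SsrpResponse -Bytes $reply)
        }
    }
    finally {
        $udp.Close()
    }
}

# Constructed sample reply (assumed host DBSRV01 with a default and a named
# instance) so the parser can be exercised without touching a live server.
$body = 'ServerName;DBSRV01;InstanceName;MSSQLSERVER;IsClustered;No;Version;15.0.2000.5;tcp;1433;;' +
        'ServerName;DBSRV01;InstanceName;REPORTING;IsClustered;No;Version;15.0.2000.5;tcp;49172;;'
$payload = [System.Text.Encoding]::ASCII.GetBytes($body)
$sample  = [byte[]](@(0x05) + [BitConverter]::GetBytes([uint16]$payload.Length) + $payload)

ConvertFrom-SsrpResponse -Bytes $sample | Format-Table ServerName, InstanceName, tcp, Version
"Sample reply: $($sample.Length) bytes returned for a 1-byte request"

# Against a real host you are authorised to test:
#   Send-SsrpProbe -Target 192.0.2.10 | Format-List
```

The Instances property of the live result is exactly the inventory an attacker gets for free: the dynamic TCP port of every named instance, so filtering TCP 1433 alone does not hide them. The Amplification value is the ratio a reflection attack would achieve per spoofed packet.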

Countermeasures and Best practices for prevention:

  • Keep SQL Server on a supported version and apply the latest cumulative updates and security patches.
  • Harden SQL Server after installation. The following steps may be taken:
    • Use the SQL Server Configuration Manager to disable unnecessary features, network protocols and services.
    • Implement firewall rules that restrict remote access to trusted sources only, or block remote access entirely and administer the server locally. Filter TCP port 1433 (and the dynamic TCP ports of named instances) as well as UDP port 1434.
    • Use Windows Authentication mode; it is more secure than SQL Server (mixed-mode) Authentication.
    • If SQL Authentication is still needed, enforce a strong password policy (CHECK_POLICY and CHECK_EXPIRATION on SQL logins) and alert on repeated failed logins.
    • Disable the sa account and rename it. Do not use this account for SQL Server management.
    • Changing the default SQL Server port makes the server less visible to casual port scans, but it is not a security boundary: version scans and the Browser service (if still enabled) reveal the real port.
    • Hide SQL Server instances or disable the SQL Server Browser service. Disabling the Browser service also removes the UDP 1434 reflector; clients of named instances must then connect with an explicit port.
    • Remove the BUILTIN\Administrators group from the SQL Server logins.
    • Enable logging of both failed and successful SQL Server login attempts.
  • Place the database server behind a firewall and use an IDS to detect intrusion attempts.
  • Run the database server process as a low-privilege account (a virtual account or managed service account), never as an administrator.
  • Enforce a strict access control policy.
  • Enforce secure coding practices for application developers, including parameterised queries and least-privilege application accounts.
  • Enable audit trail logs on the database servers.
  • Do not assign a publicly accessible IP address to the database server; allow access to the database only from the web or application server and only on the required port.
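The following PowerShell script is an added example and is not part of the original advisory. It applies the hardening steps listed above to a SQL Server host in one pass: it stops and disables the SQL Server Browser service, sets a default-deny inbound firewall with a single allow rule scoped to the application server, and uses T-SQL to switch to Windows Authentication only, disable and rename sa, remove BUILTIN\Administrators, audit failed and successful logins, and switch off xp_cmdshell and Ole Automation Procedures. The instance name (the local default instance), the application server address 10.20.30.40 and the new login name svc_disabled_sa are assumptions; the T-SQL part uses Invoke-Sqlcmd from the SqlServer module.

```powershell
# Added example, not part of the advisory: apply the listed hardening steps to a
# SQL Server host. Run in an elevated PowerShell on the database server; the T-SQL
# part needs the SqlServer module (Install-Module SqlServer) for Invoke-Sqlcmd.
# Assumed values: local default instance, application server 10.20.30.40,
# and 'svc_disabled_sa' as the new name of the sa login.

$Instance  = '.'               # assumed: default instance on the local machine
$AppServer = '10.20.30.40'     # assumed: the only host that may reach TCP 1433
$SaNewName = 'svc_disabled_sa' # assumed: new name for the (disabled) sa login

# 1. SQL Server Browser off: no SSRP on UDP 1434, so no instance enumeration and
#    no reflector. Clients of named instances must then give the port explicitly.
Stop-Service -Name SQLBrowser -ErrorAction SilentlyContinue
Set-Service  -Name SQLBrowser -StartupType Disabled

# 2. Host firewall: default-deny inbound plus one allow rule scoped to the
#    application server. Do not add a separate block rule for 1433: in Windows
#    Firewall, block rules override allow rules and would block $AppServer too.
Set-NetFirewallProfile -All -DefaultInboundAction Block
New-NetFirewallRule -DisplayName 'MSSQL 1433 from app server only' -Direction Inbound `
    -Protocol TCP -LocalPort 1433 -RemoteAddress $AppServer -Action Allow | Out-Null
New-NetFirewallRule -DisplayName 'MSSQL block SSRP UDP 1434' -Direction Inbound `
    -Protocol UDP -LocalPort 1434 -Action Block | Out-Null
# Review any pre-existing, broader rule that opens 1433 and remove it by hand.
Get-NetFirewallPortFilter | Where-Object { $_.LocalPort -eq '1433' } |
    Get-NetFirewallRule | Select-Object DisplayName, Direction, Action, Enabled

# 3. Instance settings via T-SQL. Make sure a Windows-authenticated sysadmin
#    login other than BUILTIN\Administrators exists before running this, or you
#    lock yourself out.
$tsql = @"
-- LoginMode 1 = Windows Authentication only; AuditLevel 3 = failed and successful logins.
EXEC xp_instance_regwrite N'HKEY_LOCAL_MACHINE', N'Software\Microsoft\MSSQLServer\MSSQLServer', N'LoginMode',  REG_DWORD, 1;
EXEC xp_instance_regwrite N'HKEY_LOCAL_MACHINE', N'Software\Microsoft\MSSQLServer\MSSQLServer', N'AuditLevel', REG_DWORD, 3;
IF EXISTS (SELECT 1 FROM sys.server_principals WHERE name = N'sa')
BEGIN
    ALTER LOGIN [sa] DISABLE;
    ALTER LOGIN [sa] WITH NAME = [$SaNewName];
END;
IF EXISTS (SELECT 1 FROM sys.server_principals WHERE name = N'BUILTIN\Administrators')
    DROP LOGIN [BUILTIN\Administrators];
-- Procedures that turn a database login into operating-system command execution.
EXEC sp_configure 'show advanced options', 1; RECONFIGURE;
EXEC sp_configure 'xp_cmdshell', 0;               RECONFIGURE;
EXEC sp_configure 'Ole Automation Procedures', 0; RECONFIGURE;
EXEC sp_configure 'show advanced options', 0; RECONFIGURE;
"@
Invoke-Sqlcmd -ServerInstance $Instance -Query $tsql

# LoginMode and AuditLevel are read at service start-up (assumed default
# instance service name MSSQLSERVER).
Restart-Service -Name MSSQLSERVER -Force
```

After the restart, re-run the Browser probe from the assessment section: UDP 1434 should no longer answer, and TCP 1433 should accept connections only from the application server. The login audit setting writes both outcomes to the SQL Server error log, which is where the brute-force attempts described in the technical description become visible.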

Solution:

Best security practices available at:

References: