Database: 10 Database Security Threats Every IT Administrator Should Know

By Brian Prince  |  Posted 2010-06-22

Default, Blank & Weak Username/Password

- Microsoft SQL Server Blank & Default Password
- Default Oracle Username and Password
- IBM DB2 Default Admin Password

SQL Injections

- SQL Injection Vulnerability in Oracle Database "SYS.DBMS_AQIN"
- SQL injection vulnerability in Oracle 10gR1 database using SYS.DBMS_STREAMS_AUTH
- SQL Injection in Oracle with ".ALTER_AUTOLOG_CHANGE_SOURCE" function

Extensive User & Group Privilege

- BUILTIN\Administrator member of SYSADMIN fixed server role in MS SQL Server
- Privileged Role Assignment in MS SQL Server
- Oracle Account Root Privilege Escalation

Unnecessary Enabled Database Features

- Microsoft SQL Server Permission Granted on xp_cmdshell
- Microsoft SQL Server xp_cmdshell Not Removed or Not Disabled
- Microsoft SQL Server OLEDB Ad Hoc Query Allowed

Broken Configuration Management

- Sybase current audit table
- Oracle Configuration Manager Installed on a production system
- Microsoft SQL Server PPS configuration

Buffer Overflows

- SYS.OLAPIMPL_T.ODCITABLESTART Buffer Overflow in Oracle 9iR1 and 9iR2
- EXECUTE privilege on DBMS_AQELM can lead to Buffer Overflow in Oracle DB
- IBM Lotus Domino IMAP CRAM-MD5 Buffer Overflow

Privilege Escalation

- SQL Injection in Oracle DBMS_AQIN allows users to escalate privilege
- SQL Injection in Oracle AQADM_SYS allows users to escalate privilege
- MySQL Privilege Escalation through RENAME statement

Denial of Service Attacks

- Oracle Denial of Service (DoS) in SYS.KUPF$FILE_INT
- MySQL Hello packet Denial of Service (DoS)
- MySQL authenticated user Denial of Service (DoS) via federated engine

Unpatched Databases

- Oracle Critical Patch Update (CPU) not applied
- Latest Sybase patch not applied
- MS SQL Server service pack and hotfix not applied

Unencrypted Sensitive Data - at Rest and in Motion

- Oracle Network Encryption Required
- Domino Server Full Text Indexed Field in Encrypted Database
- Unencrypted listener password in Oracle