SANS Top-20 Internet Security Attack Targets: Database Software Attacks (1/3)  
Author: Max : 2006/11/22
Database Software Attacks 
C2.1 Description

Databases are a key element of many systems storing, searching or manipulating large amounts of data. They are found in virtually all businesses, financial, banking, customer relationship and system monitoring applications.

Due to the valuable information they store such as personal or financial details, databases are often a target of attack and are of particular interest to identity thieves. Database systems are often very complex, combining the core database with a collection of applications; some supplied by the database vendor, others written in house (such as web applications). A flaw in any of these components can compromise the stored data. The most common vulnerabilities in database systems can be classified as:

  • Use of default configurations with default user names and passwords.

  • Buffer overflows in processes that listen on well known TCP/UDP ports.

  • SQL Injection via the database's own tools or web front-ends added by users.

  • Use of weak passwords for privileged accounts.

There are many different database systems available. Some of the most common are Microsoft SQL Server (proprietary, runs on Windows), Oracle (proprietary, runs on many platforms), IBM DB2 and IBM Informix (both proprietary, run on multiple platforms), Sybase (proprietary, runs on many platforms), MySQL and PostgreSQL (both open source and available on many platforms).

All modern relational database systems are port addressable, which means that anyone with readily available query tools can attempt to connect directly to the database, bypassing security mechanisms used by the operating system. The commonly used default connections are: Microsoft SQL via TCP port 1433 and UDP port 1434, Oracle via TCP port 1521, IBM DB2 via ports 523 and 50000 up, IBM Informix via TCP ports 9088 and 9099, MySQL via TCP port 3306, and PostgreSQL via TCP port 5432.
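Because the listeners sit on well-known ports, a defender can audit connection logs for direct database access that bypasses the application tier. The following is an added example, not part of the SANS text or this site's content: it maps the default ports listed above to their products and flags connections to them from hosts that are not approved application servers. The log format, the host addresses and the DB2 range 50000-50999 are assumptions constructed for the example.

```python
import re
from collections import namedtuple

# Default listener ports as listed on the page; DB2's "50000 up" is handled in classify_port.
DB_PORTS = {
    1433: "Microsoft SQL Server (TCP)",
    1434: "Microsoft SQL Server (UDP)",
    1521: "Oracle",
    523: "IBM DB2",
    9088: "IBM Informix",
    9099: "IBM Informix",
    3306: "MySQL",
    5432: "PostgreSQL",
}

def classify_port(port):
    """Return the database product normally listening on this port, or None."""
    if port in DB_PORTS:
        return DB_PORTS[port]
    if 50000 <= port <= 50999:  # assumed DB2 range, not from the page
        return "IBM DB2"
    return None

# Constructed (hypothetical) firewall log line format:
# "<timestamp> <TCP|UDP> <src_ip>:<src_port> -> <dst_ip>:<dst_port> <ALLOW|DENY>"
LOG_RE = re.compile(
    r"^(\S+) (TCP|UDP) (\d+\.\d+\.\d+\.\d+):(\d+) -> (\d+\.\d+\.\d+\.\d+):(\d+) (ALLOW|DENY)$"
)

Finding = namedtuple("Finding", "timestamp src dst port product action")

def find_direct_db_connections(lines, allowed_clients):
    """Flag traffic to a database port from any host outside the approved set.
    DENY entries are kept too, since repeated denied attempts are worth seeing."""
    findings = []
    for line in lines:
        m = LOG_RE.match(line.strip())
        if not m:
            continue  # unparseable line: skip rather than guess
        ts, _proto, src, _sport, dst, dport, action = m.groups()
        product = classify_port(int(dport))
        if product is None or src in allowed_clients:
            continue
        findings.append(Finding(ts, src, dst, int(dport), product, action))
    return findings

# Constructed sample log: one approved app host, one external host, one stray internal host.
SAMPLE_LOG = """\
2006-11-22T10:00:01 TCP 10.0.1.5:51000 -> 10.0.2.10:1433 ALLOW
2006-11-22T10:00:02 TCP 10.0.1.5:51001 -> 10.0.2.10:80 ALLOW
2006-11-22T10:00:03 TCP 203.0.113.7:4444 -> 10.0.2.10:1433 ALLOW
2006-11-22T10:00:04 UDP 203.0.113.7:4445 -> 10.0.2.10:1434 DENY
2006-11-22T10:00:05 TCP 10.0.1.9:3333 -> 10.0.2.11:50003 ALLOW
""".splitlines()
APP_HOSTS = {"10.0.1.5"}  # assumed approved application servers

def run_sample():
    return find_direct_db_connections(SAMPLE_LOG, APP_HOSTS)

if __name__ == "__main__":
    for f in run_sample():
        print(f"{f.timestamp} {f.src} -> {f.dst}:{f.port} ({f.product}) {f.action}")
```

On the sample log the approved host's query traffic is ignored, while the external host's SQL Server attempts and the stray internal host's DB2 connection are reported.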

Proof-of-concept exploits for many database flaws are readily available on the Internet. Because of the network connections they provide, databases may also suffer from worms. The most infamous of these was the SQL Slammer worm in 2003. 2005 saw the appearance of the first Oracle worm, "Voyager". Whilst this did not carry a damaging payload, it demonstrated what could be done if an Oracle database is not protected.

In addition to addressing the specific vulnerabilities mentioned here, administrators concerned with database security should consider:

  • The impact of standards such as the Payment Card Industry Data Security Standard that may require encryption of some information such as credit card numbers.

  • The risks of transferring large quantities of data onto mobile devices: in the last year there have been numerous reports of personal data being lost through the theft of laptops.
C2.2 Operating Systems Affected

Most database systems, commercial and open source, run on multiple platforms. Issues regularly cover all supported platforms.
