CVE

Id
1777  
CVE No.
CVE-2000-0199  
Status
Candidate  
Description
When a new SQL Server is registered in Enterprise Manager for Microsoft SQL Server 7.0 and the "Always prompt for login name and password" option is not set, then the Enterprise Manager uses weak encryption to store the login ID and password.  
Phase
Proposed (20000322)  
Votes
ACCEPT(6) Baker, Blake, Cole, Levy, Ozancin, Wall | MODIFY(1) Frech | REVIEWING(2) Christey, LeBlanc  
Comments
LeBlanc> I think this may just be user error - I"d like more information. | Frech> XF:mssql-weak-encryption | ISS:Vulnerability in Microsoft SQL Server 7.0 Encryption Used to Store | Administrative Login ID | URL:http://xforce.iss.net/alerts/advise45.php3 | Christey> According to Scott Culp, this can only be reproduced if the | SQL server is running in an unsafe mode that is not | recommended by Microsoft: "To securely use SQL Server, | Microsoft recommends using Windows Integrated Security. In | Windows Integrated Security mode passwords are never stored, | as your Windows Domain sign-on is used as the security | identifier to the database server." | | We still must consider approving this candidate, however, as a | user configuration error instead of a software flaw. | CD:DESIGN-WEAK-ENCRYPTION applies in this case, so if we | decide to include configuration problems in which a user | intentionally selects weak encryption, then we might still | approve this candidate.  

Actions

Related CVE References

Id CVE Id CVE No. Reference Actions
5553 1777 CVE-2000-0199 ISS:20000314 Vulnerability in Microsoft SQL Server 7.0 Encryption Used to Store Administrative Login ID  View
5554 1777 CVE-2000-0199 BID:1055  View

Related JVN