Behold! There’s a scary monster called skip‑2.0, announced by ESET:
This backdoor targets MSSQL Server 11 and 12, allowing the attacker to connect stealthily to any MSSQL account by using a magic password – while automatically hiding these connections from the logs. Such a backdoor could allow an attacker to stealthily copy, modify or delete database content. This could be used, for example, to manipulate in-game currencies for financial gain. In-game currency database manipulations by Winnti operators have already been reported. To the best of our knowledge, skip-2.0 is the first MSSQL Server backdoor to be documented publicly.
How scary! An almost undetectable backdoor into SQL Server 2012 (11.0) and 2014 (12.0), but not SQL Server 2005, 2008, 2008 R2, 2016, or 2017. Of course there’s cause for concern when we hear about problems like this, but it’s also good to read carefully. Beware of FUD (Fear, Uncertainty and Doubt) headlines. There’s nothing to see here, folks. Denny Cherry has very succinctly explained why this isn’t a SQL Server problem:
Because they aren’t exploiting a bug in SQL Server to make this happen.
That’s the gist of it. One of my favourite bloggers is Raymond Chen, a longtime Microsoft employee (and one of the people to thank whenever you run old applications on Windows and find they still work). He and other colleagues are fond of the phrase:
It rather involved being on the other side of this airtight hatchway
Here’s a classic post by Raymond where he discusses why a code injection bug isn’t a security risk:
Code injection doesn’t become a security hole until you have elevation of privilege. In other words, if attackers gains the ability to do something they normally wouldn’t.
This alleged back door into SQL Server — known as skip-2.0 — requires administrative privileges on the server where SQL Server is running. As any information security professional will tell you, as soon as you get administrative access to a computer, you can do anything you want to it. You “own the box.” skip-2.0 does not perform a privilege escalation attack. It’s effectively the same thing as logging into SQL Server with the sysadmin account and running queries.
While I’m known to be snarky from time to time, security is an important topic to me, and this incident serves as a reminder that it only takes one person to compromise an organisation’s infrastructure. On a private mailing list discussing this subject, one of the MVPs made it clear that multi-factor authentication (MFA) is critical for all public-facing IT assets, especially for VPNs, email, Remote Desktop, and even social media.
If you are responsible for any IT infrastructure, even if it’s your own laptop, you are also responsible for the data it holds, and you are obliged to protect it using reasonable means. Encrypt the hard drive. Use a password manager. Get an app on your phone that does one-time passwords (OTP) for MFA. Rotate your password manager vault’s main password every six months, or even once a year when you rotate SSL/TLS certificates. You won’t regret it.
Share your thoughts in the comments below.