Microsoft MSDE/SQL Server 2000 Desktop Engine Default Configuration Vulnerability

It has been reported that Microsoft MSDE and SQL Server 2000 Desktop Engine are configured by default with a null administrative password. Remote attackers may exploit this flaw to gain administrative access to the database if the password has not been manually changed.

Compaq Insight Manager XE versions 1.1 and later include the capability to use MSDE. MSDE is not installed as part of Compaq Insight Manager by default. When MSDE is installed via Compaq Insight Manager, the install recommends that users change the 'sa' administrative password. Installs via Compaq Management CD or Insight Manager 7 softpaqs include no such recommendation.

It should be noted that a worm is currently propagating due to default null passwords in Microsoft SQL Server and derived products such as MSDE and SQL Server 2000 Desktop Engine.
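
An administrator can check an instance for the null 'sa' password described above and set one with the T-SQL below. This is an added example, not part of the original advisory; it assumes the SQL Server 2000 / MSDE system catalog (master.dbo.syslogins), a sysadmin session over a trusted connection, and a placeholder password that must be replaced.

```sql
-- Added example: audit and remediate blank SQL logins on SQL Server 2000 / MSDE.
-- Assumption: run locally as a sysadmin over a trusted connection (e.g. osql -E).
-- The NULL-password test below relies on the SQL Server 2000-era catalog, where a
-- blank password is stored as NULL; later versions store login passwords differently.

-- 1. Authentication mode: 1 = Windows-only, 0 = mixed mode (SQL logins such as
--    'sa' can authenticate, so a blank password is usable).
SELECT SERVERPROPERTY('IsIntegratedSecurityOnly') AS windows_auth_only
GO

-- 2. List SQL-authenticated logins that have no password set.
--    isntname = 0 excludes Windows accounts, whose password column is always NULL.
SELECT name, sysadmin, createdate
FROM master.dbo.syslogins
WHERE isntname = 0
  AND password IS NULL
ORDER BY sysadmin DESC, name
GO

-- 3. Set a password on 'sa'. The value below is a placeholder, not a real
--    password: replace it before running.
EXEC sp_password @old = NULL,
                 @new = '<REPLACE-WITH-STRONG-PASSWORD>',
                 @loginame = 'sa'
GO

-- 4. Verify: report whether any SQL login is still passwordless.
IF EXISTS (SELECT 1
           FROM master.dbo.syslogins
           WHERE isntname = 0 AND password IS NULL)
    PRINT 'FAIL: at least one SQL login still has a null password (re-run step 2).'
ELSE
    PRINT 'OK: no SQL logins with a null password.'
GO
```

Step 3 changes only 'sa'; any other login returned by step 2 needs its own password set or the login removed. If step 1 returns 0 and no application depends on SQL authentication, switching the instance to Windows-only authentication removes the 'sa' logon path altogether.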


Copyright 2010, SecurityFocus