CVE-ID

CVE-2000-0199

Description
When a new SQL Server is registered in Enterprise Manager for Microsoft SQL Server 7.0 and the "Always prompt for login name and password" option is not set, then the Enterprise Manager uses weak encryption to store the login ID and password.
References
Note: References are provided for the convenience of the reader to help distinguish between vulnerabilities. The list is not intended to be complete.
Assigning CNA
MITRE Corporation
Date Record Created
20000322
Disclaimer: The record creation date may reflect when the CVE ID was allocated or reserved, and does not necessarily indicate when this vulnerability was discovered, shared with the affected vendor, publicly disclosed, or updated in CVE.
Phase (Legacy)
Proposed (20000322)
Votes (Legacy)
ACCEPT(6) Baker, Blake, Cole, Levy, Ozancin, Wall
MODIFY(1) Frech
REVIEWING(2) Christey, LeBlanc
Comments (Legacy)
 LeBlanc> I think this may just be user error - I'd like more information.
 Frech> XF:mssql-weak-encryption
   ISS:Vulnerability in Microsoft SQL Server 7.0 Encryption Used to Store
   Administrative Login ID
   URL:http://xforce.iss.net/alerts/advise45.php3
 Christey> According to Scott Culp, this can only be reproduced if the
   SQL server is running in an unsafe mode that is not
   recommended by Microsoft: "To securely use SQL Server,
   Microsoft recommends using Windows Integrated Security. In
   Windows Integrated Security mode passwords are never stored,
   as your Windows Domain sign-on is used as the security
   identifier to the database server."
   
   We still must consider approving this candidate, however, as a
   user configuration error instead of a software flaw.
   CD:DESIGN-WEAK-ENCRYPTION applies in this case, so if we
   decide to include configuration problems in which a user
   intentionally selects weak encryption, then we might still
   approve this candidate.

Proposed (Legacy)
20000322
This is a record on the CVE List, which provides common identifiers for publicly known cybersecurity vulnerabilities.