When a new SQL Server is registered in Enterprise Manager for Microsoft SQL Server 7.0 and the "Always prompt for login name and password" option is not set, then the Enterprise Manager uses weak encryption to store the login ID and password.
Note: References are provided for the convenience of the reader to help distinguish between vulnerabilities. The list is not intended to be complete.
Date Entry Created
20000322
Disclaimer: The entry creation date may reflect when the CVE-ID was allocated or reserved, and does not necessarily indicate when this vulnerability was discovered, shared with the affected vendor, publicly disclosed, or updated in CVE.
Phase (Legacy)
Proposed (20000322)
Votes (Legacy)
ACCEPT(6) Baker, Blake, Cole, Levy, Ozancin, Wall
MODIFY(1) Frech
REVIEWING(2) Christey, LeBlanc
Comments (Legacy)
 LeBlanc> I think this may just be user error - I'd like more information.
 Frech> XF:mssql-weak-encryption
   ISS:Vulnerability in Microsoft SQL Server 7.0 Encryption Used to Store
   Administrative Login ID
 Christey> According to Scott Culp, this can only be reproduced if the
   SQL server is running in an unsafe mode that is not
   recommended by Microsoft: "To securely use SQL Server,
   Microsoft recommends using Windows Integrated Security. In
   Windows Integrated Security mode passwords are never stored,
   as your Windows Domain sign-on is used as the security
   identifier to the database server."
   We still must consider approving this candidate, however, as a
   user configuration error instead of a software flaw.
   CD:DESIGN-WEAK-ENCRYPTION applies in this case, so if we
   decide to include configuration problems in which a user
   intentionally selects weak encryption, then we might still
   approve this candidate.

Proposed (Legacy)
This is an entry on the CVE list, which standardizes names for security problems.