SQL4-00-022500 - SQL Server must check the validity of all data inputs except those specifically identified by the organization.

Information

Invalid user input occurs when a user inserts data or characters into an application's data entry fields and the application is unprepared to process that data. This results in unanticipated application behavior potentially leading to an application or information system compromise. Invalid user input is one of the primary methods employed when attempting to compromise an application.

SQL Server needs to validate the data that users attempt to input to the application for processing. Rules for checking the valid syntax and semantics of information system inputs (e.g., character set, length, numerical range, acceptable values) are in place to verify inputs match specified definitions for format and content. Inputs passed to interpreters are prescreened to prevent the content from being unintentionally interpreted as commands.

A poorly designed database system can have many problems. A common issue with these types of systems is the missed opportunity to use constraints.

This calls for inspection of application source code, which will require collaboration with the application developers. It is recognized that in many cases, the database administrator (DBA) is organizationally separate from the application developers and may have limited, if any, access to source code. Nevertheless, protections of this type are so important to the secure operation of databases that they must not be ignored. At a minimum, the DBA must attempt to obtain assurances from the development organization that this issue has been addressed and must document what has been discovered.

NOTE: Nessus has not performed this check. Please review the benchmark to ensure target compliance.

Solution

Use triggers, constraints, foreign keys, etc. to validate data input.

Modify SQL Server to properly use the correct column data types as required in the database.
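
The T-SQL below is an added illustration of the solution steps above and is not part of the STIG or the audit file. Every table, column and constraint name and every limit in it is a hypothetical assumption; it shows column data types, CHECK constraints, a foreign key and a trigger rejecting malformed rows inside the database itself.

```sql
-- Hypothetical schema: all object names and limits are assumptions.
-- Weak form for contrast: the same columns all declared as varchar(max).
CREATE TABLE dbo.Department (
    DepartmentId int          NOT NULL CONSTRAINT PK_Department PRIMARY KEY,
    Name         nvarchar(64) NOT NULL CONSTRAINT UQ_Department_Name UNIQUE
);
GO
CREATE TABLE dbo.Employee (
    EmployeeId   int IDENTITY(1,1) NOT NULL CONSTRAINT PK_Employee PRIMARY KEY,
    -- Character set and length: two letters followed by four digits.
    EmployeeCode char(6) NOT NULL CONSTRAINT UQ_Employee_Code UNIQUE
        CONSTRAINT CK_Employee_Code CHECK (EmployeeCode LIKE '[A-Z][A-Z][0-9][0-9][0-9][0-9]'),
    -- Numerical range, stored as a number rather than as text.
    Salary       decimal(10,2) NOT NULL
        CONSTRAINT CK_Employee_Salary CHECK (Salary BETWEEN 0 AND 500000),
    -- The date type alone rejects strings that are not valid dates.
    HireDate     date NOT NULL,
    -- Acceptable values: a closed list.
    Status       char(1) NOT NULL CONSTRAINT DF_Employee_Status DEFAULT 'A'
        CONSTRAINT CK_Employee_Status CHECK (Status IN ('A', 'L', 'T')),
    -- Referential validity: the department must exist.
    DepartmentId int NOT NULL
        CONSTRAINT FK_Employee_Department REFERENCES dbo.Department (DepartmentId)
);
GO
-- A trigger covers a rule that compares old and new values, which CHECK cannot.
CREATE TRIGGER dbo.TR_Employee_SalaryChange ON dbo.Employee
AFTER UPDATE AS
BEGIN
    SET NOCOUNT ON;
    IF EXISTS (SELECT 1 FROM inserted AS i
               JOIN deleted AS d ON d.EmployeeId = i.EmployeeId
               WHERE i.Salary > d.Salary * 1.5)
    BEGIN
        ROLLBACK TRANSACTION;
        THROW 50001, 'Salary increase exceeds the permitted range.', 1;
    END
END;
GO
-- Constructed sample rows. The first Employee row is accepted; the second
-- breaks CK_Employee_Code, CK_Employee_Salary and FK_Employee_Department.
INSERT INTO dbo.Department (DepartmentId, Name) VALUES (10, N'Finance');
INSERT INTO dbo.Employee (EmployeeCode, Salary, HireDate, DepartmentId)
VALUES ('AB1234', 72000.00, '20200301', 10);
INSERT INTO dbo.Employee (EmployeeCode, Salary, HireDate, DepartmentId)
VALUES ('12ab!!', -5, '20200301', 99);
```

SQL Server reports only the first constraint it finds violated, so the rejected insert names one constraint even though the row breaks three. Under a case-insensitive collation the `[A-Z]` pattern also matches lowercase letters.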

See Also

https://dl.dod.cyber.mil/wp-content/uploads/stigs/zip/U_MS_SQL_Server_2014_Y22M10_STIG.zip

Item Details

References: CAT|II, CCI|CCI-001310, Rule-ID|SV-81881r2_rule, STIG-ID|SQL4-00-022500, Vuln-ID|V-67391

Plugin: MS_SQLDB

Control ID: 6deefe08019b59ad6639503c13787cc49393c2691d4e64476568c4fe143f1519