A survey by renowned database hacker David Litchfield has found 492,000 Microsoft SQL Server and Oracle database servers directly accessible from the Internet without firewall protection.
Litchfield, co-founder of Next Generation Security Software, ran port scans against 1,160,000 random IP addresses on TCP port 1433 (SQL Server) and TCP port 1521 (Oracle) and found about 368,000 Microsoft SQL Servers and around 124,000 Oracle database servers whose listener port accepted a connection from the scanning host, i.e. databases with nothing in front of them filtering inbound traffic.
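The survey's method, as an added example rather than Litchfield's or NGSSoftware's own tooling: a small concurrent TCP probe of the two database listener ports that separates "open" (the database port answered) from "closed" (the host answered with a reset, so nothing listens) and "filtered" (no answer before the timeout, which is what a firewall dropping the SYN looks like). The `local_listener` helper and the hosts it is run against are constructed for offline use; point `scan` only at addresses you own or are authorised to test.

```python
"""Probe TCP 1433 (SQL Server) and 1521 (Oracle TNS) for Internet-facing listeners.

Added example, not the survey's code. An 'open' result only shows that the
port accepted a connection; it says nothing about patch level.
"""
import socket
import threading
from concurrent.futures import ThreadPoolExecutor

# Port -> label, the two listener ports the survey scanned.
DB_PORTS = {1433: "mssql", 1521: "oracle"}


def probe(host, port, timeout=2.0):
    """Return 'open', 'closed' or 'filtered' for one TCP port on one host."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return "open"
    except ConnectionRefusedError:
        # Host is up and reachable but nothing listens (RST received).
        return "closed"
    except OSError:
        # Timeout, host/network unreachable: indistinguishable from a
        # firewall dropping the SYN, so report it as filtered.
        return "filtered"


def scan(hosts, ports=DB_PORTS, timeout=2.0, workers=32):
    """Probe every (host, port) pair concurrently; return {host: {port: state}}."""
    results = {host: {} for host in hosts}

    def task(pair):
        host, port = pair
        results[host][port] = probe(host, port, timeout)

    with ThreadPoolExecutor(max_workers=workers) as pool:
        list(pool.map(task, [(h, p) for h in hosts for p in ports]))
    return results


def summarize(results, ports=DB_PORTS):
    """Count hosts with an open listener per vendor label (the survey's headline figure)."""
    counts = {label: 0 for label in ports.values()}
    for states in results.values():
        for port, state in states.items():
            if state == "open":
                counts[ports[port]] += 1
    return counts


def local_listener(host="127.0.0.1"):
    """Constructed helper: a throwaway listener on an ephemeral port for offline demos.

    Returns (port, close_fn). A background thread accepts and drops connections.
    """
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind((host, 0))
    srv.listen(5)
    srv.settimeout(0.2)
    port = srv.getsockname()[1]
    stop = threading.Event()

    def accept_loop():
        while not stop.is_set():
            try:
                conn, _ = srv.accept()
                conn.close()
            except socket.timeout:
                continue
            except OSError:
                break

    worker = threading.Thread(target=accept_loop, daemon=True)
    worker.start()

    def close():
        stop.set()
        worker.join()
        srv.close()

    return port, close


if __name__ == "__main__":
    # Demo against a constructed local listener standing in for a SQL Server port.
    port, close = local_listener()
    ports = {port: "mssql"}
    results = scan(["127.0.0.1"], ports=ports, timeout=1.0)
    print(results, summarize(results, ports))
    close()
    print(probe("127.0.0.1", port))  # nothing listens any more: 'closed'
```

Against real targets the "filtered" bucket is the interesting one: a host that is up (answers on other ports) but never answers on 1433/1521 is the firewalled case the survey contrasts with its 492,000 directly accessible servers.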
"Between the two vendors, there are 492,000 database servers out there on the Internet not protected by a firewall. Whilst the number of Oracle servers has very slightly dropped since 2005 when it was estimated there were 140,000, the number of SQL Servers has risen dramatically from 210,000 in 2005," Litchfield warned.
Of the SQL Servers found, more than 80% were running SQL Server 2000; of those, only 46% had Service Pack 4, the most recent, applied, while the remainder were on Service Pack 3a or earlier. "Indeed, 4% were found to be completely unpatched and are vulnerable to the flaw exploited by the Slammer worm as well as an authentication flaw known as the 'Hello bug'," Litchfield added.
Of the unprotected Oracle servers, Litchfield found 13 running de-supported versions of Oracle that no longer receive patches and are known to carry critical, unfixable vulnerabilities.
"In other words, those that can be exploited by an attacker without a username and password to gain full control of the target. Given that it's not possible to tell whether an Oracle server has been patched or not by looking at its version number, it's difficult to draw accurate conclusions about the state of vulnerability with regards to the other servers," he added.
"These findings represent a significant risk: whilst it's not possible to say how many of these systems are engaged in a commercial function, with just under half a million servers accessible there is clearly potential for external hackers and criminals to gain access to these systems and to sensitive information," he warned.