Close to half of on-prem databases contain vulnerabilities, with many critical flaws

The Microsoft Exchange attack wave revealed the risks, but patching isn't always straightforward.

A five-year study has concluded with a sobering fact for businesses using on-premises servers: close to half contain vulnerabilities that may be ripe for exploitation.

On Tuesday, Imperva released the results of the study, which analyzed roughly 27,000 databases and their security posture. In total, 46% of the on-premises databases worldwide that were included in the scan contained known vulnerabilities.

On average, each database contained 26 security flaws, with 56% ranked as "high" or "critical" severity -- including code execution vulnerabilities that can be used to hijack an entire database and the information contained within.

In some cases, all it may take is a scan on Shodan to find a target and the execution of a malicious payload.

"This indicates that many organizations are not prioritizing the security of their data and neglecting routine patching exercises," Imperva says. "Based on Imperva scans, some CVEs have gone unaddressed for three or more years."

France was the worst offender for unprotected databases, with 84% of those scanned containing at least one vulnerability -- and the average number of bugs per database was 72. 

Australia followed with 65% (20 vulnerabilities on average), and then Singapore (64%, 62 security flaws per database), the United Kingdom (61%, 37 bugs on average), and China (52%, 74 security issues per database). In total, 37% of databases in the United States contained at least one known vulnerability, and these databases contained an average of 25 bugs. 

The Microsoft Exchange Server hack has highlighted the ramifications of poor security for on-prem servers as well as their owners. In March, Microsoft released emergency patches to resolve four zero-days -- known collectively as ProxyLogon -- but once exploit code was developed and released, thousands of businesses were compromised.

In other recent database security news, a critical vulnerability impacting Cosmos DB became public in August. The bug, described as "trivial" to exploit by cloud security firm Wiz, gives "any Azure user full admin access (read, write, delete) to another customer's Cosmos DB instances without authorization."
