2113022 : SQL Slammer worm propagation
Event Description
The SQL Slammer worm, also known as W32/SQLSlam-A, Sapphire, New SQL, Worm.SQL, and Helkern, propagates by exploiting a buffer overflow vulnerability in the Resolution Service of Microsoft SQL Server 2000 and Microsoft Desktop Engine (MSDE) 2000 installations. The worm's only function is to keep propagating: it carries no Distributed Denial of Service (DDoS) or backdoor functionality. An infection can be removed with a reboot; however, without protection in place, vulnerable servers are likely to be re-infected quickly.
The Slammer worm loads Kernel32.dll and WS2_32.dll and then calls GetTickCount, using the result as the seed for a random IP address routine. It then continuously sends 376 bytes of exploit and propagation code to port 1434/UDP at those addresses until the SQL Server process is shut down. Unlike the Nimda worm, Slammer does not preferentially scan local subnet addresses. This limits the speed of propagation across local networks, but the scanning method generates large amounts of traffic that can overwhelm networks.
The Slammer worm only seeks to replicate itself; it does not try to further compromise servers or retain access to compromised hosts. It does not infect or modify files and exists only in memory. For more information, refer to the Internet Security Systems Security Alert of January 25, 2003. See References.
Note: The Slammer worm may also affect Cisco CallManager version 3.3(x), Cisco Unity versions 3.x and 4.x, and Cisco Building Broadband Service Manager versions 5.0 and 5.1, which incorporate the use of either SQL Server 2000 or MSDE 2000.
Products that have this security check
- BlackICE Agent for Server
- BlackICE PC Protection
- BlackICE Server Protection
- Proventia Desktop
- Proventia Network IDS
- Proventia Network IPS
- Proventia Network MFS
- Proventia Server IPS for Linux technology
- Proventia Server IPS for Microsoft Windows technology
- RealSecure Desktop
- RealSecure Desktop Protector 3.6
- RealSecure Network
- RealSecure Server Sensor
Signature: SQL_SSRP_Slammer_Worm
This event looks for an overflow in a UDP packet with destination port 1434 and the SQL Slammer worm return address. Setting the pam.udp.slammer.drop tuning parameter to true drops the packet without further processing.
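To make the detection condition concrete, the following is an added example (it is not ISS code and not the PAM engine) that parses a raw UDP datagram and classifies SSRP requests to port 1434 using only facts stated on this page: the 0x04/0x08 message types from CVE-2002-0649 and the 376-byte worm datagram. The 64-byte bound on a legitimate instance-name argument, the zero UDP checksum, and all sample packets are assumptions constructed for the example.

```python
import struct

SSRP_PORT = 1434                 # SQL Server Resolution Service, UDP
SLAMMER_PAYLOAD_LEN = 376        # UDP body size the advisory states for the worm
OVERFLOW_OPCODES = {0x04, 0x08}  # SSRP message types named in CVE-2002-0649
MAX_SANE_ARG = 64                # assumed upper bound for a legitimate instance name

def parse_udp(datagram: bytes):
    """Split a raw UDP datagram (RFC 768 header + body) into ports and payload."""
    if len(datagram) < 8:
        raise ValueError("truncated UDP header")
    sport, dport, length, _csum = struct.unpack("!HHHH", datagram[:8])
    payload = datagram[8:length] if length >= 8 else b""
    return sport, dport, payload

def classify_ssrp(datagram: bytes) -> str:
    """Return 'slammer', 'ssrp-overflow', 'ssrp-ok' or 'ignore' for one datagram."""
    _sport, dport, payload = parse_udp(datagram)
    if dport != SSRP_PORT or not payload:
        return "ignore"
    opcode = payload[0]
    if opcode not in OVERFLOW_OPCODES:
        return "ssrp-ok"          # other SSRP types are not the overflow cases
    arg = payload[1:]
    if len(arg) <= MAX_SANE_ARG:
        return "ssrp-ok"          # short argument: a normal instance lookup
    # Oversized argument to a type-0x04/0x08 request is the overflow condition;
    # a 0x04 request whose body is exactly 376 bytes matches the worm datagram.
    if opcode == 0x04 and len(payload) == SLAMMER_PAYLOAD_LEN:
        return "slammer"
    return "ssrp-overflow"

def build_udp(sport: int, dport: int, payload: bytes) -> bytes:
    """Constructed helper: UDP header with a zero checksum followed by payload."""
    return struct.pack("!HHHH", sport, dport, 8 + len(payload), 0) + payload

# Constructed samples, not captured traffic: a normal lookup, a 376-byte
# oversized 0x04 request filled with 'A', and the same body sent to another port.
BENIGN = build_udp(40000, SSRP_PORT, b"\x04" + b"MSSQLSERVER")
WORM_LIKE = build_udp(40000, SSRP_PORT, b"\x04" + b"A" * (SLAMMER_PAYLOAD_LEN - 1))
OTHER_PORT = build_udp(40000, 53, b"\x04" + b"A" * (SLAMMER_PAYLOAD_LEN - 1))

if __name__ == "__main__":
    for name, pkt in [("benign", BENIGN), ("worm-like", WORM_LIKE), ("dns", OTHER_PORT)]:
        print(name, classify_ssrp(pkt))
```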
Affected platforms
- Cisco Building Broadband Service Manager 5.0
- Cisco Building Broadband Service Manager 5.1
- Cisco Unified CallManager 3.3
- Cisco Unity Server 3.0
- Cisco Unity Server 4.0
- Microsoft Data Engine 2000
- Microsoft SQL Server 2000
- Microsoft Windows 2000
- Microsoft Windows NT 4.0
- VERITAS Backup Exec 9.0
- VERITAS ExecView 3.1
How to remove this vulnerability
Administrators should apply the latest cumulative SQL Server patch, as listed in Microsoft Security Bulletin MS03-031, and restart the system in order to protect against further infection. See References.
Note: Microsoft originally provided a patch for this vulnerability in MS02-061, but it was superseded by the patch released with MS03-031.
As a workaround, administrators should use a firewall or packet filter to block UDP port 1433 and UDP port 1434 traffic to SQL Server databases.
For Cisco CallManager, Cisco Unity, and Cisco Building Broadband Service Manager: Refer to Cisco Security Advisory 2003 January 26 05:30 GMT for upgrade or patch information. See References.
References
- Internet Security Systems Security Alert, January 25, 2003: Microsoft SQL Slammer Worm Propagation. http://bvlive01.iss.net/issEn/delivery/xforce/alertdetail.jsp?oid=21824
- Microsoft Security Bulletin MS03-031: Cumulative Patch for Microsoft SQL Server (815495). http://www.microsoft.com/technet/security/bulletin/ms03-031.mspx
- National Infrastructure Protection Center (NIPC) Alert Advisory 03-001.1: Worm Targets SQL Vulnerability. http://www.nipc.gov/warnings/advisories/2003/03-001.1updates.htm
- SQLSecurity.com Web site: SQL Server/MSDE-Based Applications. http://www.sqlsecurity.com/FAQs/SQLServerMSDEBasedApplications/tabid/62/Default.aspx
- VERITAS TechNote 254244: W32.SQLExp.Worm "SQL Slammer" (discovered 1/24/2003) causes MSDE components included with Backup Exec 9.0 and ExecView 3.1 to flood the network, and SQLSERVR.EXE may exhibit high CPU utilization. http://seer.support.veritas.com/docs/254244.htm
- NGSSoftware Insight Security Research Advisory #NISR25072002: Unauthenticated Remote Compromise in MS SQL Server 2000. http://www.nextgenss.com/advisories/mssql-udp.txt
- Cisco Security Advisory cisco-sa-20030126-ms02-061: Microsoft SQL Server 2000 Vulnerabilities in Cisco Products - MS02-061. http://www.cisco.com/warp/public/707/cisco-sa-20030126-ms02-061.shtml
- Microsoft Security Bulletin MS02-061: Elevation of Privilege in SQL Server Web Tasks (Q316333). http://www.microsoft.com/technet/security/bulletin/ms02-061.mspx
- Microsoft Corporation Web site: PSS Security Response Team Alert - New Worm: W32.Slammer. http://www.microsoft.com/technet/security/virus/alerts/slammer.asp
- Cisco Security Notice 2003 January 25 14:00:00 UTC: MS SQL Worm Mitigation Recommendations. http://www.cisco.com/warp/public/707/cisco-sn-20030125-worm.shtml
- CERT Advisory CA-2003-04: MS-SQL Server Worm. http://www.cert.org/advisories/CA-2003-04.html
- IBM Internet Security Systems X-Force Database: Microsoft SQL Server Resolution Service stack buffer overflow. http://xforce.iss.net/xforce/xfdb/10031
- Microsoft Security Bulletin MS02-039: Buffer Overruns in SQL Server 2000 Resolution Service Could Enable Code Execution (Q323875). http://www.microsoft.com/technet/security/bulletin/ms02-039.mspx
- eEye Digital Security Alert AL20030125: SQL Sapphire Worm Analysis. http://www.eeye.com/html/Research/Flash/AL20030125.html
- BugTraq: Microsoft SQL Server 2000 Resolution Service Stack Overflow Vulnerability. http://www.securityfocus.com/bid/5311
- Common Vulnerabilities and Exposures CVE-2002-0649: Multiple buffer overflows in the Resolution Service for Microsoft SQL Server 2000 and Microsoft Desktop Engine 2000 (MSDE) allow remote attackers to cause a denial of service or execute arbitrary code via UDP packets to port 1434 in which (1) a 0x04 byte that causes the SQL Monitor thread to generate a long registry key name, or (2) a 0x08 byte with a long string causes heap corruption, as exploited by the Slammer/Sapphire worm. http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2002-0649
Information about this document
The information contained in this document may change without notice, and may have been altered or changed if you have received it from a source other than Internet Security Systems. Use of this information constitutes acceptance for use in an "AS IS" condition, without warranties of any kind, and any use of this information is at the user's own risk. Internet Security Systems disclaims all warranties, either expressed or implied, including the warranties of merchantability and fitness for a particular purpose. In no event shall Internet Security Systems be liable for any damages whatsoever, including direct, indirect, incidental, consequential or special damages, arising from the use or dissemination hereof, even if Internet Security Systems has been advised of the possibility of such damages.
Copyright © 1997 – 2008 IBM Internet Security Systems. All rights reserved.
This page was created on Wed Nov 19 05:05:29 2008
