HighBlackICE Server Protection, Proventia Server IPS for Microsoft Windows technology, BlackICE Agent for Server, BlackICE PC Protection, RealSecure Network, RealSecure Server Sensor, Proventia Desktop, Proventia Network IPS, Proventia Server IPS for Linux technology, RealSecure Desktop Protector 3.6, Proventia Network IDS, Proventia-G 1.1 and earlier, Proventia Network MFS:
This event looks for an overflow in a UDP packet with a destination port 1434 and the SQL Slammer Worm return address. The 'pam.udp.slammer.drop'(true) tuning parameter drops the packet without further processing.
High
BlackICE Server Protection: 3.6.cpa, Proventia Server IPS for Microsoft Windows technology: 1.0.914.0, BlackICE Agent for Server: 3.6eof, BlackICE PC Protection: 3.6cpa, RealSecure Network: XPU 20.10, RealSecure Network: XPU 5.9, RealSecure Server Sensor: XPU 20.11, Proventia Desktop: 8.0.614.1, Proventia Network IPS: 2.0, Proventia Server IPS for Linux technology: 1.0, RealSecure Desktop Protector 3.6: baseline, Proventia Network IDS: XPU 20.10, Proventia-G 1.1 and earlier: G Series, Proventia Network MFS: 1.0, RealSecure Desktop: baseline
Microsoft Windows NT: 4.0, Microsoft Windows 2000, Microsoft SQL Server: 2000, Microsoft Data Engine: 2000, Cisco Unity Server: 3.0, Cisco Building Broadband Service Manager: 5.1, VERITAS ExecView: 3.1, VERITAS Backup Exec: 9.0, Cisco Unified CallManager: 3.3, Cisco Building Broadband Service Manager: 5.0, Cisco Unity Server: 4.0
Unauthorized Access Attempt
The SQL Slammer worm, also known as W32/SQLSlam-A, Sapphire, New SQL, Worm.SQL, and Helkern, propagates by exploiting a buffer overflow vulnerability in the Resolution Service in Microsoft SQL Server 2000 or Microsoft Desktop Engine (MSDE) 2000 installations. The main function of the Slammer worm is to continue propagation. No Distributed Denial of Service (DDoS) or backdoor functionality is incorporated into the worm. Infection can be removed with a reboot, however without protection in place, it is likely that vulnerable servers will be quickly re-infected.
The Slammer worm loads Kernel32.dll and WS2_32.dll and then calls GetTickCount, which is used as a seed for a random IP address routine. This routine then continuously sends 376 bytes of exploit and propagation code across port 1434/UDP until the SQL Server process is shut down. The Slammer worm does not prefer to scan local subnet addresses like the Nimda worm. This will limit the speed of propagation across local networks, but this scanning method generates large amounts of traffic that can overwhelm networks.
The Slammer worm seeks to replicate itself and does not try to further compromise servers or retain access to compromised hosts. The Slammer worm does not infect or modify files, it only exists in memory. For more information refer to Internet Security Systems Security Alert, January 25, 2003. See References.
Note: The Slammer worm may also affect Cisco CallManager version 3.3(x), Cisco Unity versions 3.x and 4.x, and Cisco Building Broadband Service Manager versions 5.0 and 5.1, which incorporate the use of either SQL Server 2000 or MSDE 2000.
Administrators should apply the latest cumulative SQL Server patch, as listed in Microsoft Security Bulletin MS03-031, and restart the system in order to protect against further infection. See References.
Note: Microsoft originally provided a patch for this vulnerability in MS02-061, but it was superseded by the patch released with MS03-031.
As a workaround, administrators should block UDP port 1433 and UDP port 1434 traffic to protect SQL Server databases with a firewall or packet filter.
For Cisco CallManager, Cisco Unity, and Cisco Building Broadband Service Manager: Refer to Cisco Security Advisory 2003 January 26 05:30 GMT for upgrade or patch information. See References.
Internet Security Systems Security Alert, January 25, 2003
Microsoft SQL Slammer Worm Propagation
http://bvlive01.iss.net/issEn/delivery/xforce/alertdetail.jsp?oid=21824
eEye Digital Security Alert AL20030125
SQL Sapphire Worm Analysis
http://www.eeye.com/html/Research/Flash/AL20030125.html
Microsoft Security Bulletin MS02-039
Buffer Overruns in SQL Server 2000 Resolution Service Could Enable Code Execution (Q323875)
http://www.microsoft.com/technet/security/bulletin/ms02-039.mspx
Microsoft Corporation Web site
PSS Security Response Team Alert - New Worm: W32.Slammer
http://www.microsoft.com/technet/security/virus/alerts/slammer.asp
IBM Internet Security Systems X-Force Database
Microsoft SQL Server Resolution Service stack buffer overflow
http://xforce.iss.net/xforce/xfdb/10031
CERT Advisory CA-2003-04
MS-SQL Server Worm
http://www.cert.org/advisories/CA-2003-04.html
Cisco Security Notice 2003 January 25 14:00:00 UTC
MS SQL Worm Mitigation Recommendations
http://www.cisco.com/warp/public/707/cisco-sn-20030125-worm.shtml
cisco-sa-20030126-ms02-061
Cisco Security Advisory: Microsoft SQL Server 2000 Vulnerabilities in Cisco Products - MS02-061
http://www.cisco.com/warp/public/707/cisco-sa-20030126-ms02-061.shtml
NGSSoftware Insight Security Research Advisory #NISR25072002
Unauthenticated Remote Compromise in MS SQL Server 2000
http://www.nextgenss.com/advisories/mssql-udp.txt
VERITAS TechNote 254244
W32.SQLExp.Worm "SQL Slammer" (discovered 1/24/2003) causes MSDE components included with Backup Exec 9.0 and ExecView 3.1 to flood the network, and SQLSERVR.EXE may exhibit high CPU utilization
http://seer.support.veritas.com/docs/254244.htm
SQLSecurity.com Web site
SQL Server/MSDE-Based Applications
http://www.sqlsecurity.com/FAQs/SQLServerMSDEBasedApplications/tabid/62/Default.aspx
Microsoft Security Bulletin MS02-061
Elevation of Privilege in SQL Server Web Tasks (Q316333)
http://www.microsoft.com/technet/security/bulletin/ms02-061.mspx
National Infrastructure Protection Center (NIPC) Alert Advisory 03-001.1
"Worm Targets SQL Vulnerability"
http://www.nipc.gov/warnings/advisories/2003/03-001.1updates.htm
Microsoft Security Bulletin MS03-031
Cumulative Patch for Microsoft SQL Server (815495)
http://www.microsoft.com/technet/security/bulletin/ms03-031.mspx
ISS X-Force
SQL Slammer worm propagation
http://www.iss.net/security_center/static/11153.php
CVE
CVE-2002-0649
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2002-0649