__________________________________________________________

             The U.S. Department of Energy
         Computer Incident Advisory Capability
__________________________________________________________

                   INFORMATION BULLETIN

          Microsoft Cumulative Patch for SQL Server
          [Microsoft Security Bulletin MS02-034]

July 11, 2002 21:00 GMT                                          Number M-099
______________________________________________________________________________
PROBLEM:       There are three new vulnerabilities in Microsoft SQL Server:
               * Unchecked Buffer in Password Encryption Procedure
               * Unchecked Buffer in Bulk Insert Procedure
               * Incorrect Permission on SQL Server Service Account Registry
                 Key

SOFTWARE:      Microsoft SQL Server 2000 all editions
               Microsoft SQL Server Desktop Engine (MSDE) 2000

DAMAGE:        A description of each vulnerability, if exploitable, is
               provided within Microsoft's Security bulletin.

SOLUTION:      Apply patch for appropriate SQL Server version as prescribed
               by Microsoft.
______________________________________________________________________________
VULNERABILITY  The risk is MEDIUM. An attacker must have access to a local
ASSESSMENT:    system to exploit these vulnerabilities.
______________________________________________________________________________
LINKS:
 CIAC BULLETIN:      http://www.ciac.org/ciac/bulletins/m-099.shtml
 ORIGINAL BULLETIN:  http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/bulletin/MS02-034.asp
 PATCHES:            http://support.microsoft.com/support/misc/kblookup.asp?id=Q316333
______________________________________________________________________________

[***** Start Microsoft Security Bulletin MS02-034 *****]

Microsoft Security Bulletin MS02-034

Cumulative Patch for SQL Server (Q316333)

Originally posted: July 10, 2002

Summary

Who should read this bulletin: Database administrators using Microsoft® SQL
Server™ or Microsoft SQL Server Desktop Engine (MSDE) 2000.
Impact of vulnerability: Three new vulnerabilities, the most serious of which
could run code of attacker's choice on server.

Maximum Severity Rating: Moderate

Recommendation: Apply the patch immediately to affected systems.

Affected Software:
 * Microsoft SQL Server 2000 all editions.
 * Microsoft SQL Server Desktop Engine (MSDE) 2000.

Technical details

Technical description:

This is a cumulative patch that includes the functionality of all previously
released patches for SQL Server 2000. In addition, it eliminates three newly
discovered vulnerabilities affecting SQL Server 2000 and MSDE 2000 (but not
any previous versions of SQL Server or MSDE):

 * A buffer overrun vulnerability in a procedure used to encrypt SQL Server
   credential information. An attacker who was able to successfully exploit
   this vulnerability could gain significant control over the database and
   possibly the server itself depending on the account SQL Server runs as.

 * A buffer overrun vulnerability in a procedure that relates to the bulk
   inserting of data in SQL Server tables. An attacker who was able to
   successfully exploit this vulnerability could gain significant control
   over the database and possibly the server itself.

 * A privilege elevation vulnerability that results because of incorrect
   permissions on the Registry key that stores the SQL Server service
   account information. An attacker who was able to successfully exploit
   this vulnerability could gain greater privileges on the system than had
   been granted by the system administrator -- potentially even the same
   rights as the operating system.

Mitigating factors:

Unchecked Buffer in Password Encryption Procedure:

 * The effect of exploiting the vulnerability would depend on the specific
   configuration of the SQL Server service. SQL Server can be configured to
   run in a security context chosen by the administrator. By default, this
   context is as a domain user. If the default was chosen, it would minimize
   the amount of damage an attacker could achieve.
 * The vulnerability could be blocked by following best practices.
   Specifically, untrusted users should not be able to load and execute
   queries of their choice on a database server. In addition, publicly
   accessible database queries should filter all inputs prior to processing.

Unchecked Buffer in Bulk Insert Procedure:

 * An attacker would need to already possess significant rights on the
   server in order to exploit the vulnerability, as only Bulk Admins and
   full administrators have the ability to load and run queries that invoke
   the vulnerable procedure.

 * The effect of exploiting the vulnerability would depend on the specific
   configuration of the SQL Server service. SQL Server can be configured to
   run in a security context chosen by the administrator. By default, it
   runs in the context of a domain user; if chosen, this would minimize the
   amount of damage an attacker could achieve.

 * Best practices could help minimize the vulnerability. Specifically,
   untrusted users should not be able to load and execute queries of their
   choice on a database server. In addition, publicly accessible database
   queries should filter all inputs prior to processing.

Incorrect Permission on SQL Server Service Account Registry Key:

 * Successfully exploiting this vulnerability would require the ability to
   load and run queries on the system. By following best practices and
   limiting this ability to administrators, users can mitigate the threat
   posed by this vulnerability.

 * Successfully exploiting this vulnerability would also require a sysadmin
   or someone who has been granted xp_regwrite execute permissions.
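One defender-side check for the factors above, added here as an example and not taken from the CIAC or Microsoft bulletin: a T-SQL audit that lists, on SQL Server 2000, who holds bulkadmin and sysadmin membership and who has been granted EXECUTE on xp_regwrite. It assumes the SQL Server 2000 catalog tables sysprotects and sysusers and the documented sp_helpsrvrolemember procedure, and is run in master as a sysadmin.

```sql
-- Added audit query for SQL Server 2000 (not from the CIAC or Microsoft
-- bulletin). It lists the principals the mitigating factors single out:
-- members of the bulkadmin and sysadmin fixed server roles, and any user
-- or role with an explicit EXECUTE grant or deny on master..xp_regwrite.
-- Assumes the SQL Server 2000 system catalog (sysprotects, sysusers) and the
-- documented sp_helpsrvrolemember procedure; run as a sysadmin in master.
USE master
GO

-- 1. Logins that can reach the bulk insert procedure: bulkadmin members,
--    plus sysadmin members, who hold every permission implicitly.
PRINT 'Members of bulkadmin:'
EXEC sp_helpsrvrolemember 'bulkadmin'
PRINT 'Members of sysadmin:'
EXEC sp_helpsrvrolemember 'sysadmin'
GO

-- 2. Explicit EXECUTE permissions on xp_regwrite, the procedure named in the
--    registry-key mitigating factor. In sysprotects, action 224 is EXECUTE;
--    protecttype 204 and 205 are GRANT (with/without GRANT OPTION), 206 is DENY.
--    (sp_helprotect 'xp_regwrite' shows the same rows in a wider format.)
SELECT  u.name AS grantee,
        CASE p.protecttype
             WHEN 206 THEN 'DENY'
             WHEN 204 THEN 'GRANT WITH GRANT OPTION'
             ELSE 'GRANT'
        END AS permission_type,
        g.name AS grantor
FROM    sysprotects p
JOIN    sysusers u ON u.uid = p.uid
JOIN    sysusers g ON g.uid = p.grantor
WHERE   p.id = OBJECT_ID('master..xp_regwrite')
  AND   p.action = 224
ORDER BY u.name
GO

-- 3. Hardening step for any grantee above that is not an administrator;
--    [grantee_name] is a placeholder for a name returned by step 2.
-- REVOKE EXECUTE ON xp_regwrite FROM [grantee_name]
```

Any non-administrative grantee in step 2, or any unexpected bulkadmin member in step 1, is a login that the bulletin's mitigating factors assume does not exist.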
Severity Rating:

Unchecked Buffer in Password Encryption Procedure
                                        Internet   Intranet   Client
                                        Servers    Servers    Systems
SQL Server 2000 (Including MSDE 2000)   Moderate   Moderate   Moderate

Unchecked Buffer in Bulk Insert Procedure
                                        Internet   Intranet   Client
                                        Servers    Servers    Systems
SQL Server 2000 (Including MSDE 2000)   Moderate   Moderate   Moderate

Incorrect Permission on SQL Server Service Account Registry Key
                                        Internet   Intranet   Client
                                        Servers    Servers    Systems
SQL Server 2000 (Including MSDE 2000)   Moderate   Moderate   Moderate

The above assessment is based on the types of systems affected by the
vulnerability, their typical deployment patterns, and the effect that
exploiting the vulnerability would have on them. In the case of the
Unchecked Buffer in Bulk Insert Procedure, the vulnerability could only
enable members of the Bulk Admin group to run code in an elevated security
context. The incorrect permission on SQL Server Service Account Registry Key
vulnerability would require that the attacker have the ability to load and
run queries in order to exploit it.

Vulnerability identifier:
 * Unchecked Buffer in Password Encryption Procedure: CVE-CAN-2002-0624
 * Unchecked Buffer in Bulk Insert Procedure: CVE-CAN-2002-0641
 * Incorrect Permission on SQL Server Service Account Registry Key:
   CVE-CAN-2002-0642

Tested Versions:

Microsoft tested SQL Server 7.0 and SQL Server 2000 to assess whether they
are affected by this vulnerability. SQL Server 7 is not affected by any of
the vulnerabilities. Previous versions are no longer supported and may or may
not be affected by this vulnerability.

Patch availability

Download locations for this patch
 * Microsoft SQL Server 2000:
   http://support.microsoft.com/support/misc/kblookup.asp?id=Q316333

Additional information about this patch

Installation platforms:

The SQL Server 2000 patch can be installed on systems running SQL Server
2000 Service Pack 2.
Inclusion in future service packs:

The fixes for these issues will be included in SQL Server 2000 Service
Pack 3.

Reboot needed: No. The SQL Server service only needs to be restarted after
applying the patch.

Superseded patches: This patch supersedes the one provided in Microsoft
Security Bulletin MS02-020, which was itself a cumulative patch.

Verifying patch installation:

SQL Server 2000
 * To ensure you have the fix installed properly, verify the individual
   files by consulting the date/time stamp of the files listed in the file
   manifest in Microsoft Knowledge Base article at
   http://support.microsoft.com/support/misc/kblookup.asp?id=Q316333

Caveats:

This package doesn't contain the Microsoft Data Access Component or the
Analysis Services security fixes.

Localization:

Packages for each supported SQL Server language are being made available. A
localized Readme.txt file is included in each package for installation
instructions.

Obtaining other security patches:

As previously mentioned, these vulnerabilities do not exist on SQL Server
7.0. If you are still running SQL Server, ensure you are running SQL Server
7.0 Service Pack 4 where the other security vulnerabilities were addressed.
If you are running Service Pack 3 for SQL Server 7.0, you should upgrade to
Service Pack 4 or apply the Service Pack 3 update at
http://support.microsoft.com/support/misc/kblookup.asp?id=Q318268

Patches for other security issues are available from the following
locations:
 * Security patches are available from the Microsoft Download Center, and
   can be most easily found by doing a keyword search for "security_patch".
 * Patches for consumer platforms are available from the WindowsUpdate web
   site.
 * All patches available via WindowsUpdate also are available in a
   redistributable form from the WindowsUpdate Corporate site.

Other information:

Acknowledgments

Microsoft thanks Cesar Cerrudo and David Litchfield of Next Generation
Security Software Ltd.
for reporting the Unchecked Buffer in Bulk Update Procedure to us and working
with us to protect customers.

Support:
 * Microsoft Knowledge Base article Q316333 discusses this issue and will be
   available approximately 24 hours after the release of this bulletin.
   Knowledge Base articles can be found on the Microsoft Online Support web
   site.
 * Technical support is available from Microsoft Product Support Services.
   There is no charge for support calls associated with security patches.

Security Resources: The Microsoft TechNet Security Web Site provides
additional information about security in Microsoft products.

Disclaimer:

The information provided in the Microsoft Knowledge Base is provided "as is"
without warranty of any kind. Microsoft disclaims all warranties, either
express or implied, including the warranties of merchantability and fitness
for a particular purpose. In no event shall Microsoft Corporation or its
suppliers be liable for any damages whatsoever including direct, indirect,
incidental, consequential, loss of business profits or special damages, even
if Microsoft Corporation or its suppliers have been advised of the
possibility of such damages. Some states do not allow the exclusion or
limitation of liability for consequential or incidental damages so the
foregoing limitation may not apply.

Revisions:
 * V1.0 July 10, 2002 Bulletin Created.

[***** End Microsoft Security Bulletin MS02-034 *****]
_______________________________________________________________________________

CIAC wishes to acknowledge the contributions of Microsoft Corporation for the
information contained in this bulletin.
_______________________________________________________________________________

CIAC, the Computer Incident Advisory Capability, is the computer security
incident response team for the U.S. Department of Energy (DOE) and the
emergency backup response team for the National Institutes of Health (NIH).
CIAC is located at the Lawrence Livermore National Laboratory in Livermore,
California. CIAC is also a founding member of FIRST, the Forum of Incident
Response and Security Teams, a global organization established to foster
cooperation and coordination among computer security teams worldwide.

CIAC services are available to DOE, DOE contractors, and the NIH. CIAC can be
contacted at:
    Voice:    +1 925-422-8193 (7x24)
    FAX:      +1 925-423-8002
    STU-III:  +1 925-423-2604
    E-mail:   ciac@ciac.org

Previous CIAC notices, anti-virus software, and other information are
available from the CIAC Computer Security Archive.

    World Wide Web:  http://www.ciac.org/
    Anonymous FTP:   ftp.ciac.org

PLEASE NOTE: Many users outside of the DOE, ESnet, and NIH computing
communities receive CIAC bulletins. If you are not part of these communities,
please contact your agency's response team to report incidents. Your agency's
team will coordinate with CIAC. The Forum of Incident Response and Security
Teams (FIRST) is a world-wide organization. A list of FIRST member
organizations and their constituencies can be obtained via WWW at
http://www.first.org/.

This document was prepared as an account of work sponsored by an agency of
the United States Government. Neither the United States Government nor the
University of California nor any of their employees, makes any warranty,
express or implied, or assumes any legal liability or responsibility for the
accuracy, completeness, or usefulness of any information, apparatus, product,
or process disclosed, or represents that its use would not infringe privately
owned rights. Reference herein to any specific commercial products, process,
or service by trade name, trademark, manufacturer, or otherwise, does not
necessarily constitute or imply its endorsement, recommendation or favoring
by the United States Government or the University of California.
The views and opinions of authors expressed herein do not necessarily state
or reflect those of the United States Government or the University of
California, and shall not be used for advertising or product endorsement
purposes.

LAST 10 CIAC BULLETINS ISSUED (Previous bulletins available from CIAC)

M-089: MS Heap Overrun in HTR Chunked Encoding Vulnerability
M-090: Microsoft Unchecked Buffer in RAS Phonebook Vulnerability
M-091: Microsoft Unchecked Buffer in SQLXML Vulnerability
M-092: Cisco Buffer Overflow in UNIX VPN Client
M-093: Apache HTTP Server Chunk Encoding Vulnerability
M-094: Microsoft SQL Server 2000 OpenDataSource Buffer Overflow
M-095: OpenSSH Challenge Response Vulnerabilities
M-096: Microsoft Windows Media Player Vulnerabilities
M-097: Cisco ACS Acme.server traversal Vulnerability
M-098: PGP Outlook Encryption Plug-in Vulnerability