__________________________________________________________

                      The U.S. Department of Energy
                  Computer Incident Advisory Capability
                          ___  __ __    _     ___
                         /       |   /_\   /
                         \___  __|__ /   \ \___
__________________________________________________________

                           INFORMATION BULLETIN

     Microsoft SQL Server 2000 Resolution Service Buffer Overflow
                            Vulnerabilities
                  [Microsoft Security Bulletin MS02-039]

July 26, 2002 15:00 GMT                                        Number M-102
______________________________________________________________________________
PROBLEM:       A buffer overflow vulnerability in the Resolution Service of
               MS SQL Server 2000 could allow portions of the system memory
               to be overwritten.

PLATFORM:      MS SQL Server 2000

DAMAGE:        An attacker could overflow the buffer with carefully selected
               data and run code in the security context of the SQL Server
               service. An easier attack would create a denial of service.

SOLUTION:      Apply the patch as directed by the advisory.
______________________________________________________________________________
VULNERABILITY  The risk is MEDIUM. Exploiting the vulnerability would grant
ASSESSMENT:    an attacker full control over the database, not necessarily
               full control of the system.
______________________________________________________________________________
LINKS:
 CIAC BULLETIN:      http://www.ciac.org/ciac/bulletins/m-102.shtml
 ORIGINAL BULLETIN:  http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/bulletin/MS02-039.asp
______________________________________________________________________________

[***** Start Microsoft Security Bulletin MS02-039 *****]

Microsoft Security Bulletin MS02-039

Originally posted: July 24, 2002

Summary

Who should read this bulletin: System administrators using Microsoft(r)
SQL Server(tm) 2000 and Microsoft Desktop Engine 2000.

Impact of vulnerability: Three vulnerabilities, the most serious of which
could enable an attacker to gain control over an affected server.
Maximum Severity Rating: Critical

Recommendation: System administrators should install the patch immediately.

Affected Software:
- Microsoft SQL Server 2000
- Microsoft Desktop Engine (MSDE) 2000

Technical details

Technical description:

SQL Server 2000 and MSDE 2000 introduce the ability to host multiple
instances of SQL Server on a single physical machine. Each instance operates
for all intents and purposes as though it was a separate server. However,
the multiple instances cannot all use the standard SQL Server session port
(TCP 1433). While the default instance listens on TCP port 1433, named
instances listen on any port assigned to them. The SQL Server Resolution
Service, which operates on UDP port 1434, provides a way for clients to
query for the appropriate network endpoints to use for a particular SQL
Server instance.

There are three security vulnerabilities here. The first two are buffer
overruns. By sending a carefully crafted packet to the Resolution Service,
an attacker could cause portions of system memory (the heap in one case,
the stack in the other) to be overwritten. Overwriting it with random data
would likely result in the failure of the SQL Server service; overwriting
it with carefully selected data could allow the attacker to run code in the
security context of the SQL Server service.

The third vulnerability is a denial of service vulnerability. SQL uses a
keep-alive mechanism to distinguish between active and passive instances.
It is possible to create a keep-alive packet that, when sent to the
Resolution Service, will cause SQL Server 2000 to respond with the same
information. An attacker who created such a packet, spoofed the source
address so that it appeared to come from one SQL Server 2000 system, and
sent it to a neighboring SQL Server 2000 system could cause the two systems
to enter a never-ending cycle of keep-alive packet exchanges. This would
consume resources on both systems, slowing performance considerably.
Mitigating factors:

Buffer Overruns in SQL Server Resolution Service:
- SQL Server 2000 runs in a security context chosen by the administrator at
  installation time. By default, it runs as a Domain User. Thus, although
  the attacker's code could take any desired action on the database, it
  would not necessarily have significant privileges at the operating system
  level if best practices have been followed.
- The risk posed by the vulnerability could be mitigated by, if feasible,
  blocking port 1434 at the firewall.

Denial of Service via SQL Server Resolution Service:
- An attack could be broken off by restarting the SQL Server 2000 service on
  either of the affected systems. Normal processing on both systems would
  resume once the attack ceased.
- The vulnerability provides no way to gain any privileges on the system. It
  is a denial of service vulnerability only.

Severity Rating:

Buffer Overruns in SQL Server Resolution Service:
                   Internet Servers   Intranet Servers   Client Systems
SQL Server 2000    Critical           Critical           None

Denial of Service via SQL Server Resolution Service:
                   Internet Servers   Intranet Servers   Client Systems
SQL Server 2000    Critical           Critical           None

The above assessment is based on the types of systems affected by the
vulnerability, their typical deployment patterns, and the effect that
exploiting the vulnerability would have on them.

Vulnerability identifier:
- Buffer Overruns in SQL Server Resolution Service: CVE-CAN-2002-0649
- Denial of Service via SQL Server Resolution Service: CVE-CAN-2002-0650

Tested Versions:
Microsoft tested SQL Server 2000 and 7.0 (and their associated versions of
MSDE) to assess whether they are affected by these vulnerabilities. Previous
versions are no longer supported, and may or may not be affected by these
vulnerabilities.
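The two traffic patterns the bulletin describes, a UDP/1434 lookup arriving from outside the perimeter (what the firewall mitigation above is meant to stop) and the spoofed keep-alive cycle between two SQL Server 2000 hosts, can both be picked out of flow records. The following detection code is an added example and is not part of the CIAC or Microsoft bulletin; the trusted address range and the flow records are constructed for illustration.

```python
from collections import Counter, defaultdict
from ipaddress import ip_address, ip_network

SSRS_PORT = 1434                            # SQL Server Resolution Service, UDP
TRUSTED_NETS = [ip_network("10.0.0.0/8")]   # assumed internal address space

# Constructed flow records: (time_s, proto, src_ip, src_port, dst_ip, dst_port)
SAMPLE_FLOWS = [
    (0.0, "udp", "10.0.1.5", 51234, "10.0.2.10", 1434),     # client instance lookup
    (0.1, "udp", "10.0.2.10", 1434, "10.0.1.5", 51234),     # server reply
    (2.0, "udp", "203.0.113.7", 40000, "10.0.2.10", 1434),  # lookup from outside
    (3.0, "tcp", "10.0.1.5", 51300, "10.0.2.10", 1433),     # normal session, ignored
]
# Constructed keep-alive loop: two SQL hosts answering each other from port
# 1434 to port 1434, 60 datagrams per direction within one second.
for i in range(60):
    SAMPLE_FLOWS.append((5 + i * 0.01, "udp", "10.0.2.10", 1434, "10.0.2.11", 1434))
    SAMPLE_FLOWS.append((5 + i * 0.01, "udp", "10.0.2.11", 1434, "10.0.2.10", 1434))


def is_trusted(ip):
    """True when the address lies inside one of the assumed internal networks."""
    addr = ip_address(ip)
    return any(addr in net for net in TRUSTED_NETS)


def external_ssrs_probes(flows):
    """(src, dst) pairs where UDP/1434 reached a host from outside the trusted
    networks: traffic the bulletin's firewall mitigation would have dropped."""
    hits = {(src, dst) for _t, proto, src, _sp, dst, dp in flows
            if proto == "udp" and dp == SSRS_PORT and not is_trusted(src)}
    return sorted(hits)


def keepalive_loops(flows, window_s=1.0, threshold=20):
    """Host pairs exchanging UDP datagrams from port 1434 to port 1434 in both
    directions at more than `threshold` per `window_s` seconds. Normal lookups
    come from a client's ephemeral port; sustained 1434<->1434 between two
    servers is the shape of the spoofed keep-alive cycle in the bulletin."""
    windows = defaultdict(lambda: defaultdict(Counter))  # pair -> window -> src count
    for t, proto, src, sp, dst, dp in flows:
        if proto == "udp" and sp == SSRS_PORT and dp == SSRS_PORT:
            pair = tuple(sorted((src, dst)))
            windows[pair][int(t // window_s)][src] += 1
    return sorted(pair for pair, per_win in windows.items()
                  if any(len(c) == 2 and sum(c.values()) > threshold
                         for c in per_win.values()))
```

Restarting the SQL Server service on either host, as the bulletin notes, breaks a flagged loop; the threshold should be tuned against the site's normal server-to-server resolution traffic before alerting on it.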
Patch availability

Download locations for this patch
- Microsoft SQL Server 2000 and MSDE 2000:
  http://www.microsoft.com/Downloads/Release.asp?ReleaseID=40602

Additional information about this patch

Installation platforms: This patch can be installed on systems running SQL
Server 2000 Service Pack 2.

Inclusion in future service packs: The fix for this issue will be included
in SQL Server 2000 Service Pack 3.

Reboot needed: No. The SQL Server service only needs to be restarted after
applying the patch.

Patch can be uninstalled: Yes.

Superseded patches: None.

Verifying patch installation: To ensure you have the fix installed properly,
verify the individual files by consulting the date/time stamp of the files
listed in the file manifest in Microsoft Knowledge Base article Q323875.

Caveats: None

Localization: Localized versions of this patch are available at the
locations discussed in "Patch Availability".

Obtaining other security patches: Patches for other security issues are
available from the following locations:
- Security patches are available from the Microsoft Download Center, and
  can be most easily found by doing a keyword search for "security_patch".
- Patches for consumer platforms are available from the WindowsUpdate web
  site.

Other information:

Acknowledgments
Microsoft thanks David Litchfield of Next Generation Security Software Ltd.
for reporting these issues to us and working with us to protect customers.

Support:
- Microsoft Knowledge Base article Q323875 discusses this issue and will be
  available approximately 24 hours after the release of this bulletin.
  Knowledge Base articles can be found on the Microsoft Online Support web
  site.
- Technical support is available from Microsoft Product Support Services.
  There is no charge for support calls associated with security patches.

Security Resources: The Microsoft TechNet Security Web Site provides
additional information about security in Microsoft products.
Disclaimer:
The information provided in the Microsoft Knowledge Base is provided "as is"
without warranty of any kind. Microsoft disclaims all warranties, either
express or implied, including the warranties of merchantability and fitness
for a particular purpose. In no event shall Microsoft Corporation or its
suppliers be liable for any damages whatsoever including direct, indirect,
incidental, consequential, loss of business profits or special damages, even
if Microsoft Corporation or its suppliers have been advised of the
possibility of such damages. Some states do not allow the exclusion or
limitation of liability for consequential or incidental damages so the
foregoing limitation may not apply.

Revisions:
- V1.0 (July 24, 2002): Bulletin Created.
- V1.1 (July 25, 2002): Bulletin updated to note that MSDE 2000 is affected
  by the vulnerabilities.

[***** End Microsoft Security Bulletin MS02-039 *****]
______________________________________________________________________________

CIAC wishes to acknowledge the contributions of Microsoft Corporation for
the information contained in this bulletin.
______________________________________________________________________________

CIAC, the Computer Incident Advisory Capability, is the computer security
incident response team for the U.S. Department of Energy (DOE) and the
emergency backup response team for the National Institutes of Health (NIH).
CIAC is located at the Lawrence Livermore National Laboratory in Livermore,
California. CIAC is also a founding member of FIRST, the Forum of Incident
Response and Security Teams, a global organization established to foster
cooperation and coordination among computer security teams worldwide.

CIAC services are available to DOE, DOE contractors, and the NIH.
CIAC can be contacted at:
    Voice:    +1 925-422-8193 (7x24)
    FAX:      +1 925-423-8002
    STU-III:  +1 925-423-2604
    E-mail:   ciac@ciac.org

Previous CIAC notices, anti-virus software, and other information are
available from the CIAC Computer Security Archive.

    World Wide Web:  http://www.ciac.org/
    Anonymous FTP:   ftp.ciac.org

PLEASE NOTE: Many users outside of the DOE, ESnet, and NIH computing
communities receive CIAC bulletins. If you are not part of these
communities, please contact your agency's response team to report incidents.
Your agency's team will coordinate with CIAC. The Forum of Incident Response
and Security Teams (FIRST) is a world-wide organization. A list of FIRST
member organizations and their constituencies can be obtained via WWW at
http://www.first.org/.

This document was prepared as an account of work sponsored by an agency of
the United States Government. Neither the United States Government nor the
University of California nor any of their employees, makes any warranty,
express or implied, or assumes any legal liability or responsibility for the
accuracy, completeness, or usefulness of any information, apparatus,
product, or process disclosed, or represents that its use would not infringe
privately owned rights. Reference herein to any specific commercial
products, process, or service by trade name, trademark, manufacturer, or
otherwise, does not necessarily constitute or imply its endorsement,
recommendation or favoring by the United States Government or the
University of California. The views and opinions of authors expressed herein
do not necessarily state or reflect those of the United States Government or
the University of California, and shall not be used for advertising or
product endorsement purposes.
LAST 10 CIAC BULLETINS ISSUED (Previous bulletins available from CIAC)

M-092: Cisco Buffer Overflow in UNIX VPN Client
M-093: Apache HTTP Server Chunk Encoding Vulnerability
M-094: Microsoft SQL Server 2000 OpenDataSource Buffer Overflow
M-095: OpenSSH Challenge Response Vulnerabilities
M-096: Microsoft Windows Media Player Vulnerabilities
M-097: Cisco ACS Acme.server traversal Vulnerability
M-098: PGP Outlook Encryption Plug-in Vulnerability
M-099: Microsoft Cumulative Patch for SQL Server
M-100: Microsoft Server Response to SMTP Client EHLO Command Results in
       Buffer Overrun
M-101: Microsoft Unchecked Buffer in SQL Server 2000 Utilities Could Allow
       Code Execution