
Microsoft Cumulative Patch for SQL Server (CIAC M-099)

             __________________________________________________________

                       The U.S. Department of Energy
                   Computer Incident Advisory Capability
                           ___  __ __    _     ___
                          /       |     /_\   /
                          \___  __|__  /   \  \___
             __________________________________________________________

                             INFORMATION BULLETIN

                   Microsoft Cumulative Patch for SQL Server
                     [Microsoft Security Bulletin MS02-034]

July 11, 2002 21:00 GMT                                           Number M-099
______________________________________________________________________________
PROBLEM:       There are three new vulnerabilities in Microsoft SQL Server:
               * Unchecked Buffer in Password Encryption Procedure
               * Unchecked Buffer in Bulk Insert Procedure
               * Incorrect Permission on SQL Server Service Account Registry Key
SOFTWARE:      Microsoft SQL Server 2000 all editions
               Microsoft SQL Server Desktop Engine (MSDE) 2000
DAMAGE:        A description of each vulnerability, if exploitable, is 
               provided within Microsoft's Security bulletin. 
SOLUTION:      Apply patch for appropriate SQL Server version as prescribed by 
               Microsoft. 
______________________________________________________________________________
VULNERABILITY  The risk is MEDIUM. An attacker must have access to a local 
ASSESSMENT:    system to exploit these vulnerabilities. 
______________________________________________________________________________
LINKS:
 CIAC BULLETIN:      http://www.ciac.org/ciac/bulletins/m-099.shtml
 ORIGINAL BULLETIN:  http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/bulletin/MS02-034.asp
 PATCHES:            http://support.microsoft.com/support/misc/kblookup.asp?id=Q316333
______________________________________________________________________________

[***** Start Microsoft Security Bulletin MS02-034 *****]
    
Microsoft Security Bulletin MS02-034

Cumulative Patch for SQL Server (Q316333)
Originally posted: July 10, 2002

Summary

Who should read this bulletin: Database administrators using Microsoft® SQL
Server™ or Microsoft SQL Server Desktop Engine (MSDE) 2000.

Impact of vulnerability: Three new vulnerabilities, the most serious of which
could run code of attacker’s choice on server.

Maximum Severity Rating: Moderate

Recommendation: Apply the patch immediately to affected systems.

Affected Software:

Microsoft SQL Server 2000 all editions.
Microsoft SQL Server Desktop Engine (MSDE) 2000.

Technical details
Technical description:

This is a cumulative patch that includes the functionality of all previously
released patches for SQL Server 2000. In addition, it eliminates three newly
discovered vulnerabilities affecting SQL Server 2000 and MSDE 2000 (but not
any previous versions of SQL Server or MSDE):

* A buffer overrun vulnerability in a procedure used to encrypt SQL Server
credential information. An attacker who was able to successfully exploit this
vulnerability could gain significant control over the database and possibly
the server itself depending on the account SQL Server runs as.
* A buffer overrun vulnerability in a procedure that relates to the bulk
inserting of data in SQL Server tables. An attacker who was able to successfully
exploit this vulnerability could gain significant control over the database and
possibly the server itself.
* A privilege elevation vulnerability that results because of incorrect
permissions on the Registry key that stores the SQL Server service account
information. An attacker who was able to successfully exploit this vulnerability
could gain greater privileges on the system than had been granted by the system
administrator -- potentially even the same rights as the operating system.

Mitigating factors: 

Unchecked Buffer in Password Encryption Procedure:

* The effect of exploiting the vulnerability would depend on the specific
configuration of the SQL Server service. SQL Server can be configured to run in
a security context chosen by the administrator. By default, this context is as
a domain user. If the default was chosen, it would minimize the amount of damage
an attacker could achieve.
* The vulnerability could be blocked by following best practices. Specifically,
untrusted users should not be able to load and execute queries of their choice
on a database server. In addition, publicly accessible database queries should
filter all inputs prior to processing.

Unchecked Buffer in Bulk Insert Procedure:

* An attacker would need to already possess significant rights on the server in
order to exploit the vulnerability, as only Bulk Admins and full administrators
have the ability to load and run queries that invoke the vulnerable procedure.
* The effect of exploiting the vulnerability would depend on the specific
configuration of the SQL Server service. SQL Server can be configured to run in
a security context chosen by the administrator. By default, it runs in the
context of a domain user; if chosen, this would minimize the amount of damage an
attacker could achieve.
* Best practices could help minimize the vulnerability. Specifically, untrusted
users should not be able to load and execute queries of their choice on a database
server. In addition, publicly accessible database queries should filter all inputs
prior to processing.
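The best-practice bullet under both the Password Encryption and the Bulk Insert sections says the same thing: untrusted users must not be able to submit queries of their choice, and public-facing queries must filter their inputs. The following is an added T-SQL example, not code from the Microsoft or CIAC bulletin, showing the difference between a stored procedure that splices caller text into dynamic SQL (which is exactly how an untrusted user ends up running a statement of their choice) and one that validates the value and binds it as a typed parameter. The table dbo.Customers, its rows and the procedure names are constructed for the demonstration.

```sql
-- Added example (not from the bulletin). dbo.Customers and its two rows are
-- constructed sample data; the procedure names are illustrative.
CREATE TABLE dbo.Customers (
    CustomerId   int          NOT NULL PRIMARY KEY,
    CustomerName nvarchar(50) NOT NULL
);
INSERT INTO dbo.Customers (CustomerId, CustomerName) VALUES (1, N'Contoso');
INSERT INTO dbo.Customers (CustomerId, CustomerName) VALUES (2, N'Fabrikam');
GO

-- UNSAFE PATTERN: the caller's text is compiled as part of the statement, so a
-- quote character in @name closes the literal and whatever follows is executed
-- as T-SQL with the procedure owner's rights.
CREATE PROCEDURE dbo.FindCustomer_Unsafe @name nvarchar(50) AS
    EXEC (N'SELECT CustomerId FROM dbo.Customers WHERE CustomerName = N'''
          + @name + N'''');
GO

-- HARDENED PATTERN: (1) reject anything outside the expected character set
-- before processing, which is the bulletin's "filter all inputs" advice, and
-- (2) hand the value to sp_executesql as a parameter, so the server can only
-- ever compare it as data, never parse it as code.
CREATE PROCEDURE dbo.FindCustomer_Safe @name nvarchar(50) AS
BEGIN
    IF @name IS NULL OR @name LIKE N'%[^A-Za-z0-9 ]%'
    BEGIN
        RAISERROR ('Customer name contains characters outside the allowed set.', 16, 1);
        RETURN;
    END

    EXEC sp_executesql
        N'SELECT CustomerId FROM dbo.Customers WHERE CustomerName = @n',
        N'@n nvarchar(50)',
        @n = @name;
END
GO

EXEC dbo.FindCustomer_Safe @name = N'Contoso';      -- returns CustomerId 1
EXEC dbo.FindCustomer_Safe @name = N'Contoso''--';  -- rejected by the allow-list; no query runs
```

The allow-list check is deliberately narrow; widen the character class only for fields that genuinely need punctuation, and keep the parameter binding regardless, because the binding is what prevents the value from being interpreted as code even when the filter lets a character through.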

Incorrect Permission on SQL Server Service Account Registry Key:

* Successfully exploiting this vulnerability would require the ability to load and
run queries on the system. By following best practices and limiting this ability
to administrators, users can mitigate the threat posed by this vulnerability.
* Successfully exploiting this vulnerability would also require a sysadmin or
someone that has been granted xp_regwrite execute permissions.
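The two mitigating factors above for the Bulk Insert and Registry Key issues both come down to server-role membership and one permission grant: only bulkadmin and sysadmin members can reach the bulk insert procedure, and the registry key issue needs sysadmin or an EXECUTE grant on xp_regwrite. The following is an added T-SQL review script, not code from the Microsoft or CIAC bulletin, that a sysadmin can run on SQL Server 2000 to enumerate and tighten exactly those two things. It uses only standard SQL Server 2000 system procedures; the login name in the commented sp_dropsrvrolemember call is a placeholder.

```sql
-- Added example (not from the bulletin). Run as a member of sysadmin.
-- 'PLACEHOLDER_LOGIN' is a placeholder, not a login from the bulletin.
USE master;
GO

-- Bulk Insert: the vulnerable procedure is reachable only through the bulkadmin
-- and sysadmin fixed server roles, so these memberships define the exposure.
-- List them and drop any login that does not need bulk-load rights.
EXEC sp_helpsrvrolemember 'bulkadmin';
EXEC sp_helpsrvrolemember 'sysadmin';
-- EXEC sp_dropsrvrolemember 'PLACEHOLDER_LOGIN', 'bulkadmin';

-- Registry key: exploitation also requires EXECUTE on xp_regwrite, which a
-- sysadmin may have granted to other logins. List the current grants, then
-- take the permission back from public so that only sysadmin retains it.
EXEC sp_helprotect 'xp_regwrite';
REVOKE EXECUTE ON xp_regwrite FROM public;
-- Re-run sp_helprotect afterwards; any remaining non-sysadmin grantee should
-- be revoked individually with REVOKE EXECUTE ON xp_regwrite FROM <login>.
```

Run the two sp_help* calls first and keep their output: they are the before state for the change, and the same commands re-run after the patch give the after state for the change record.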

Severity Rating: 

Unchecked Buffer in Password Encryption Procedure
                                        Internet Servers   Intranet Servers   Client Systems
SQL Server 2000 (Including MSDE 2000)   Moderate           Moderate           Moderate

Unchecked Buffer in Bulk Insert Procedure
                                        Internet Servers   Intranet Servers   Client Systems
SQL Server 2000 (Including MSDE 2000)   Moderate           Moderate           Moderate

Incorrect Permission on SQL Server Service Account Registry Key
                                        Internet Servers   Intranet Servers   Client Systems
SQL Server 2000 (Including MSDE 2000)   Moderate           Moderate           Moderate

The above assessment is based on the types of systems affected by the vulnerability,
their typical deployment patterns, and the effect that exploiting the vulnerability
would have on them. In the case of the Unchecked Buffer in Bulk Insert Procedure,
the vulnerability could only enable members of the Bulk Admin group to run code in an
elevated security context. The incorrect permission on SQL Server Service Account
Registry Key vulnerability would require that the attacker have the ability to load
and run queries in order to exploit it.

Vulnerability identifier:

* Unchecked Buffer in Password Encryption Procedure: CVE-CAN-2002-0624
* Unchecked Buffer in Bulk Insert Procedure: CVE-CAN-2002-0641
* Incorrect Permission on SQL Server Service Account Registry Key: CVE-CAN-2002-0642

Tested Versions:
Microsoft tested SQL Server 7.0 and SQL Server 2000 to assess whether they are affected
by this vulnerability. SQL Server 7 is not affected by any of the vulnerabilities.
Previous versions are no longer supported and may or may not be affected by this
vulnerability.

Patch availability

Download locations for this patch
* Microsoft SQL Server 2000:
http://support.microsoft.com/support/misc/kblookup.asp?id=Q316333

Additional information about this patch

Installation platforms: 
The SQL Server 2000 patch can be installed on systems running SQL Server 2000
Service Pack 2.
Inclusion in future service packs:
The fixes for these issues will be included in SQL Server 2000 Service Pack 3.

Reboot needed: No. The SQL Server service only needs to be restarted after applying
the patch.

Superseded patches: This patch supersedes the one provided in Microsoft Security
Bulletin MS02-020, which was itself a cumulative patch.

Verifying patch installation:

SQL Server 2000

* To ensure you have the fix installed properly, verify the individual files by
consulting the date/time stamp of the files listed in the file manifest in Microsoft
Knowledge Base article at
http://support.microsoft.com/support/misc/kblookup.asp?id=Q316333

Caveats:
This package doesn’t contain the Microsoft Data Access Component or the Analysis
Services security fixes.

Localization:
Packages for each supported SQL Server language are being made available. A localized
Readme.txt file is included in each package for installation instructions.

Obtaining other security patches: 
As previously mentioned, these vulnerabilities do not exist on SQL Server 7.0. If
you are still running SQL Server 7.0, ensure you are running SQL Server 7.0 Service
Pack 4, where the other security vulnerabilities were addressed. If you are running
Service Pack 3 for SQL Server 7.0, you should upgrade to Service Pack 4 or apply the
Service Pack 3 update at http://support.microsoft.com/support/misc/kblookup.asp?id=Q318268.

Patches for other security issues are available from the following locations:

* Security patches are available from the Microsoft Download Center, and can be most
easily found by doing a keyword search for "security_patch".
* Patches for consumer platforms are available from the WindowsUpdate web site
* All patches available via WindowsUpdate also are available in a redistributable
form from the WindowsUpdate Corporate site.

Other information:

Acknowledgments
Microsoft thanks Cesar Cerrudo and David Litchfield of Next Generation Security
Software Ltd. for reporting the Unchecked Buffer in Bulk Update Procedure to us and
working with us to protect customers.

Support: 

* Microsoft Knowledge Base article Q316333 discusses this issue and will be available
approximately 24 hours after the release of this bulletin. Knowledge Base articles
can be found on the Microsoft Online Support web site.
* Technical support is available from Microsoft Product Support Services. There is no
charge for support calls associated with security patches.

Security Resources: The Microsoft TechNet Security Web Site provides additional
information about security in Microsoft products.

Disclaimer: 
The information provided in the Microsoft Knowledge Base is provided "as is" without
warranty of any kind. Microsoft disclaims all warranties, either express or implied,
including the warranties of merchantability and fitness for a particular purpose. In
no event shall Microsoft Corporation or its suppliers be liable for any damages
whatsoever including direct, indirect, incidental, consequential, loss of business
profits or special damages, even if Microsoft Corporation or its suppliers have been
advised of the possibility of such damages. Some states do not allow the exclusion or
limitation of liability for consequential or incidental damages so the foregoing
limitation may not apply.

Revisions: 

* V1.0 July 10, 2002 Bulletin Created.

[***** End Microsoft Security Bulletin MS02-034 *****]

_______________________________________________________________________________

CIAC wishes to acknowledge the contributions of Microsoft Corporation for the 
information contained in this bulletin.
_______________________________________________________________________________


CIAC, the Computer Incident Advisory Capability, is the computer
security incident response team for the U.S. Department of Energy
(DOE) and the emergency backup response team for the National
Institutes of Health (NIH). CIAC is located at the Lawrence Livermore
National Laboratory in Livermore, California. CIAC is also a founding
member of FIRST, the Forum of Incident Response and Security Teams, a
global organization established to foster cooperation and coordination
among computer security teams worldwide.

CIAC services are available to DOE, DOE contractors, and the NIH. CIAC
can be contacted at:
    Voice:    +1 925-422-8193 (7x24)
    FAX:      +1 925-423-8002
    STU-III:  +1 925-423-2604
    E-mail:   ciac@ciac.org

Previous CIAC notices, anti-virus software, and other information are
available from the CIAC Computer Security Archive.

   World Wide Web:      http://www.ciac.org/
   Anonymous FTP:       ftp.ciac.org

PLEASE NOTE: Many users outside of the DOE, ESnet, and NIH computing
communities receive CIAC bulletins.  If you are not part of these
communities, please contact your agency's response team to report
incidents. Your agency's team will coordinate with CIAC. The Forum of
Incident Response and Security Teams (FIRST) is a world-wide
organization. A list of FIRST member organizations and their
constituencies can be obtained via WWW at http://www.first.org/.

This document was prepared as an account of work sponsored by an
agency of the United States Government. Neither the United States
Government nor the University of California nor any of their
employees, makes any warranty, express or implied, or assumes any
legal liability or responsibility for the accuracy, completeness, or
usefulness of any information, apparatus, product, or process
disclosed, or represents that its use would not infringe privately
owned rights. Reference herein to any specific commercial products,
process, or service by trade name, trademark, manufacturer, or
otherwise, does not necessarily constitute or imply its endorsement,
recommendation or favoring by the United States Government or the
University of California. The views and opinions of authors expressed
herein do not necessarily state or reflect those of the United States
Government or the University of California, and shall not be used for
advertising or product endorsement purposes.

LAST 10 CIAC BULLETINS ISSUED (Previous bulletins available from CIAC)

M-089: MS Heap Overrun in HTR Chunked Encoding Vulnerability
M-090: Microsoft Unchecked Buffer in RAS Phonebook Vulnerability
M-091: Microsoft Unchecked Buffer in SQLXML Vulnerability
M-092: Cisco Buffer Overflow in UNIX VPN Client
M-093: Apache HTTP Server Chunk Encoding Vulnerability
M-094: Microsoft SQL Server 2000 OpenDataSource Buffer Overflow
M-095: OpenSSH Challenge Response Vulnerabilities
M-096: Microsoft Windows Media Player Vulnerabilities
M-097: Cisco ACS Acme.server traversal Vulnerability
M-098: PGP Outlook Encryption Plug-in Vulnerability
