__________________________________________________________
The U.S. Department of Energy
Computer Incident Advisory Capability
___ __ __ _ ___
/ | /_\ /
\___ __|__ / \ \___
__________________________________________________________
INFORMATION BULLETIN
Microsoft SQL Server 2000 Resolution Service Buffer
Overflow Vulnerabilities
[Microsoft Security Bulletin MS02-039]
July 26, 2002 15:00 GMT Number M-102
______________________________________________________________________________
PROBLEM: A buffer overflow vulnerability in the Resolution Service of
MS SQL Server 2000 could allow portions of the system memory
to be overwritten.
PLATFORM: MS SQL Server 2000
DAMAGE: An attacker could overflow the buffer with carefully selected
data and run code in the security context of the SQL Server
service. An easier attack would create a denial of service.
SOLUTION: Apply the patch as directed by the advisory.
______________________________________________________________________________
VULNERABILITY The risk is MEDIUM. Exploiting the vulnerability would grant
ASSESSMENT: an attacker full control over the database, not necessarily
full control of the system.
______________________________________________________________________________
LINKS:
CIAC BULLETIN: http://www.ciac.org/ciac/bulletins/m-102.shtml
ORIGINAL BULLETIN: http://www.microsoft.com/technet/treeview/
default.asp?url=/technet/security/bulletin/
MS02-039.asp
______________________________________________________________________________
[***** Start Microsoft Security Bulletin MS02-039 *****]
Microsoft Security Bulletin MS02-039
Originally posted: July 24, 2002
Summary
Who should read this bulletin: System administrators using Microsoft(r) SQL
Server(tm) 2000 and Microsoft Desktop Engine 2000.
Impact of vulnerability:
Three vulnerabilities, the most serious of which could enable an
attacker to gain control over an affected server.
Maximum Severity Rating: Critical
Recommendation: System administrators should install the patch immediately.
Affected Software:
Microsoft SQL Server 2000
Microsoft Desktop Engine (MSDE) 2000
Technical details
Technical description:
SQL Server 2000 and MSDE 2000 introduce the ability to
host multiple instances of SQL Server on a single
physical machine. Each instance operates for all intents
and purposes as though it was a separate server.
However, the multiple instances cannot all use the
standard SQL Server session port (TCP 1433). While the
default instance listens on TCP port 1433, named
instances listen on any port assigned to them. The SQL
Server Resolution Service, which operates on UDP port
1434, provides a way for clients to query for the
appropriate network endpoints to use for a particular
SQL Server instance.
There are three security vulnerabilities here. The first
two are buffer overruns. By sending a carefully crafted
packet to the Resolution Service, an attacker could
cause portions of system memory (the heap in one
case, the stack in the other) to be overwritten.
Overwriting it with random data would likely result in
the failure of the SQL Server service; overwriting it with
carefully selected data could allow the attacker to run
code in the security context of the SQL Server service.
The third vulnerability is a denial of service
vulnerability. SQL uses a keep-alive mechanism to
distinguish between active and passive instances. It is
possible to create a keep-alive packet that, when sent
to the Resolution Service, will cause SQL Server 2000 to
respond with the same information. An attacker who
created such a packet, spoofed the source address so
that it appeared to come from a one SQL Server 2000
system, and sent it to a neighboring SQL Server 2000
system could cause the two systems to enter a
never-ending cycle of keep-alive packet exchanges. This
would consume resources on both systems, slowing
performance considerably.
Mitigating factors:
Buffer Overruns in SQL Server Resolution Service:
SQL Server 2000 runs in a security context chosen by the
administrator at installation time. By default, it runs as a Domain
User. Thus, although the attacker's code could take any desired action on
the database, it would not necessarily have significant privileges at the
operating system level if best practices have been followed.
The risk posed by the vulnerability could be mitigated by, if feasible,
blocking port 1434 at the firewall.
Denial of Service via SQL Server Resolution Service:
An attack could be broken off by restarting the SQL Server 2000
service on either of the affected systems. Normal processing on both
systems would resume once the attack ceased.
The vulnerability provides no way to gain any privileges on the system.
It is a denial of service vulnerability only.
Severity Rating:
Buffer Overruns in SQL Server Resolution Service:
Internet Servers Intranet Servers Client Systems
SQL Server 2000 Critical Critical None
Denial of Service via SQL Server Resolution Service:
Internet Servers Intranet Servers Client Systems
SQL Server 2000 Critical Critical None
The above assessment is based on the types of systems affected by the
vulnerability, their typical deployment patterns, and the effect that exploiting
the vulnerability would have on them.
Vulnerability identifier:
- Buffer Overruns in SQL Server Resolution Service: CVE-CAN-2002-0649
- Denial of Service via SQL Server Resolution Service: CVE-CAN-2002-0650
Tested Versions:
Microsoft tested SQL Server 2000 and 7.0 (and their
associated versions of MSDE) to assess whether they
are affected by these vulnerabilities. Previous versions
are no longer supported, and may or may not be
affected by these vulnerabilities.
Patch availability
Download locations for this patch
Microsoft SQL Server 2000 and MSDE 2000:
http://www.microsoft.com/Downloads/Release.asp?ReleaseID=40602
Additional information about this patch
Installation platforms:
This patch can be installed on systems running SQL Server 2000 Service
Pack 2.
Inclusion in future service packs:
The fix for this issue will be included in SQL Server
2000 Service Pack 3.
Reboot needed: No. The SQL Server service only needs to be restarted after
applying the patch.
Patch can be uninstalled: Yes.
Superseded patches: None.
Verifying patch installation:
To ensure you have the fix installed properly, verify the individual files
by consulting the date/time stamp of the files listed in the file manifest in
Microsoft Knowledge Base article Q323875.
Caveats: None
Localization:
Localized versions of this patch are available at the
locations discussed in "Patch Availability".
Obtaining other security patches:
Patches for other security issues are available from the
following locations:
- Security patches are available from the Microsoft Download Center,
and can be most easily found by doing a keyword search for
"security_patch".
- Patches for consumer platforms are available from the
WindowsUpdate web site
Other information:
Acknowledgments
Microsoft thanks David Litchfield of Next Generation
Security Software Ltd. for reporting these issues to us
and working with us to protect customers.
Support:
- Microsoft Knowledge Base article Q323875 discusses this issue and
will be available approximately 24 hours after the release of this
bulletin. Knowledge Base articles can be found on the Microsoft
Online Support web site.
- Technical support is available from Microsoft Product Support
Services. There is no charge for support calls associated with security
patches.
Security Resources:
The Microsoft TechNet Security Web Site provides additional information
about security in Microsoft products.
Disclaimer:
The information provided in the Microsoft Knowledge
Base is provided "as is" without warranty of any kind.
Microsoft disclaims all warranties, either express or
implied, including the warranties of merchantability and
fitness for a particular purpose. In no event shall
Microsoft Corporation or its suppliers be liable for any
damages whatsoever including direct, indirect,
incidental, consequential, loss of business profits or
special damages, even if Microsoft Corporation or its
suppliers have been advised of the possibility of such
damages. Some states do not allow the exclusion or
limitation of liability for consequential or incidental
damages so the foregoing limitation may not apply.
Revisions:
- V1.0 (July 24, 2002): Bulletin Created.
- V1.1 (July 25, 2002): Bulletin updated to note that MSDE 2000 is
affected by the vulnerabilities.
[***** End Microsoft Security Bulletin MS02-039 *****]
______________________________________________________________________________
CIAC wishes to acknowledge the contributions of Microsoft Corporation for the
information contained in this bulletin.
______________________________________________________________________________
CIAC, the Computer Incident Advisory Capability, is the computer
security incident response team for the U.S. Department of Energy
(DOE) and the emergency backup response team for the National
Institutes of Health (NIH). CIAC is located at the Lawrence Livermore
National Laboratory in Livermore, California. CIAC is also a founding
member of FIRST, the Forum of Incident Response and Security Teams, a
global organization established to foster cooperation and coordination
among computer security teams worldwide.
CIAC services are available to DOE, DOE contractors, and the NIH. CIAC
can be contacted at:
Voice: +1 925-422-8193 (7x24)
FAX: +1 925-423-8002
STU-III: +1 925-423-2604
E-mail: ciac@ciac.org
Previous CIAC notices, anti-virus software, and other information are
available from the CIAC Computer Security Archive.
World Wide Web: http://www.ciac.org/
Anonymous FTP: ftp.ciac.org
PLEASE NOTE: Many users outside of the DOE, ESnet, and NIH computing
communities receive CIAC bulletins. If you are not part of these
communities, please contact your agency's response team to report
incidents. Your agency's team will coordinate with CIAC. The Forum of
Incident Response and Security Teams (FIRST) is a world-wide
organization. A list of FIRST member organizations and their
constituencies can be obtained via WWW at http://www.first.org/.
This document was prepared as an account of work sponsored by an
agency of the United States Government. Neither the United States
Government nor the University of California nor any of their
employees, makes any warranty, express or implied, or assumes any
legal liability or responsibility for the accuracy, completeness, or
usefulness of any information, apparatus, product, or process
disclosed, or represents that its use would not infringe privately
owned rights. Reference herein to any specific commercial products,
process, or service by trade name, trademark, manufacturer, or
otherwise, does not necessarily constitute or imply its endorsement,
recommendation or favoring by the United States Government or the
University of California. The views and opinions of authors expressed
herein do not necessarily state or reflect those of the United States
Government or the University of California, and shall not be used for
advertising or product endorsement purposes.
LAST 10 CIAC BULLETINS ISSUED (Previous bulletins available from CIAC)
M-092: Cisco Buffer Overflow in UNIX VPN Client
M-093: Apache HTTP Server Chunk Encoding Vulnerability
M-094: Microsoft SQL Server 2000 OpenDataSource Buffer Overflow
M-095: OpenSSH Challenge Response Vulnerabilities
M-096: Microsoft Windows Media Player Vulnerabilities
M-097: Cisco ACS Acme.server traversal Vulnerability
M-098: PGP Outlook Encryption Plug-in Vulnerability
M-099: Microsoft Cumulative Patch for SQL Server
M-100: Microsoft Server Response toSMTP Client EHLO Command Results in
Buffer Overrun
M-101: Microsoft Unchecked Buffer in SQL Server 2000 Utilities
Could Allow Code Execution
TUCoPS is optimized to look best in Firefox® on a widescreen monitor (1440x900 or better).
Site design & layout copyright © 1986-2025 AOH
