INFORMATION BULLETIN
INFORMATION BULLETIN
| PROBLEM: | An unchecked buffer exists in the handling of OLE DB provider, which are low-level data source providers, in ad hoc connections. A buffer overrun could occur. |
| PLATFORM: | Microsoft SQL Server 7.0 and 2000 |
| DAMAGE: | If exploited, an attacker could cause the SQL Server service to fail or cause code to run in the security context of the SQL Server. |
| SOLUTION: | Apply available patch |
| VULNERABILITY ASSESSMENT: |
The risk is MEDIUM. Exploiting this vulnerability would depend on specific configuration of the SQL Server service. If the rule of least privilege has been followed, it would minimize the amount of damage an attacker could achive. |
[***** Start Microsoft Security Bulletin MS02-007 *****] Microsoft Security Bulletin MS02-007 SQL Server Remote Data Source Function Contain Unchecked Buffers Originally posted: February 20, 2002 Summary Who should read this bulletin: Database administrators using Microsoft® SQL Server™. Impact of vulnerability: Run code of attacker's choice on server Maximum Severity Rating: Moderate Recommendation: Apply the SQL Server patch immediately to affected systems Affected Software: Microsoft SQL Server 7.0 Microsoft SQL Server 2000 Technical details Technical description: One of the features of Structured Query Language (SQL) in SQL Server 7.0 and 2000 is the ability to connect to remote data sources. One capability of this feature is the ability to use "ad hoc" connections to connect to remote data sources without setting up a linked server for less-often used data-sources. This is made possible through the use of OLE DB providers, which are low-level data source providers. This capability is made possible by invoking the OLE DB provider directly by name in a query to connect to the remote data source. An unchecked buffer exists in the handling of OLE DB provider names in ad hoc connections. A buffer overrun could occur as a result and could be used to either cause the SQL Server service to fail, or to cause code to run in the security context of the SQL Server. SQL Server can be configured to run in various security contexts, and by default runs as a domain user. The precise privileges the attacker could gain would depend on the specific security context that the service runs in. An attacker could exploit this vulnerability in one of two ways. They could attempt to load and execute a database query that calls one of the affected functions. Conversely, if a web-site or other database front-end were configured to access and process arbitrary queries, it could be possible for an attacker to provide inputs that would cause the query to call one of the functions in question with the appropriate malformed parameters. Mitigating factors: The effect of exploiting the vulnerability would depend on the specific configuration of the SQL Server service. SQL Server can be configured to run in a security context chosen by the administrator. By default, this context is as a domain user. If the rule of least privilege has been followed, it would minimize the amount of damage an attacker could achieve. Both vectors for exploiting the vulnerability could be blocked by following best practices. Specifically, untrusted users should not be able to load and execute queries of their choice on a database server. In addition, publicly accessible database queries should filter all inputs prior to processing. Severity Rating: Internet Servers Intranet Servers Client Systems SQL Server 7.0 Moderate Moderate Moderate SQL Server 2000 Moderate Moderate Moderate The above assessment is based on the types of systems affected by the vulnerability, their typical deployment patterns, and the effect that exploiting the vulnerability would have on them. While the vulnerability could potentially allow an attacker to run code on the server, best practices should limit the ability to exploit the vulnerability and the damage that could be achieved by a successful attack. Vulnerability identifier: CAN-2002-0056 Tested Versions: Microsoft tested SQL Server 7.0 and 2000 to assess whether they are affected by these vulnerabilities. Previous versions are no longer supported, and may or may not be affected by these vulnerabilities. Patch availability Download locations for this patch SQL Server 7.0: The patch for this issue is available in the SQL Server 7.0 Cumulative Security patch at http://support.microsoft.com/support/misc/kblookup.asp?id=Q318268 SQL Server 2000: The patch for this issue is available in the SQL Server 2000 Cumulative Security patch at http://support.microsoft.com/support/misc/kblookup.asp?id=Q316333 Additional information about this patch Installation platforms: The SQL Server 7.0 patch can be installed on systems running SQL Server 7.0 Service Pack 3. The SQL Server 2000 patch can be installed on systems running SQL Server 2000 Service Pack 2. Inclusion in future service packs: SQL Server 7.0 Service Pack 4 SQL Server 2000 Service Pack 3. Reboot needed: No. The SQL Server service only needs to be restarted after applying the patch. Superseded patches: MS01-060 Verifying patch installation: SQL Server 7.0: To ensure that you have properly installed the fix, run the following command from the command prompt: "SELECT @@VERSION" (without the quotation marks) If the patch has been correctly installed, the resulting output will indicate the version number as "SQL Server 7.00 - 7.00.1021" or greater. To verify the individual files, consult the date/time stamp of the files listed in the file manifest in Microsoft Knowledge Base article Q317979. SQL Server 2000: To ensure that you have properly installed the fix, run the following command from the command prompt: "SELECT @@VERSION" (without the quotation marks) If the patch has been correctly installed, the resulting output will indicate the version number as "SQL Server 8.00 - 8.00.0578" or greater. To verify the individual files, consult the date/time stamp of the files listed in the file manifest in Microsoft Knowledge Base article Q317979. Caveats: None Localization: The patches can be applied to all supported SQL Server languages. Localized Readme.txt files are included in the packages for installation instructions in all supported languages. Obtaining other security patches: Patches for other security issues are available from the following locations: Security patches are available from the Microsoft Download Center, and can be most easily found by doing a keyword search for "security_patch". Patches for consumer platforms are available from the WindowsUpdate web site All patches available via WindowsUpdate also are available in a redistributable form from the WindowsUpdate Corporate site. Other information: Support: Microsoft Knowledge Base article Q317979 discusses this issue and will be available approximately 24 hours after the release of this bulletin. Knowledge Base articles can be found on the Microsoft Online Support web site. Technical support is available from Microsoft Product Support Services. There is no charge for support calls associated with security patches. Security Resources: The Microsoft TechNet Security Web Site provides additional information about security in Microsoft products. Disclaimer: The information provided in the Microsoft Knowledge Base is provided "as is" without warranty of any kind. Microsoft disclaims all warranties, either express or implied, including the warranties of merchantability and fitness for a particular purpose. In no event shall Microsoft Corporation or its suppliers be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages, even if Microsoft Corporation or its suppliers have been advised of the possibility of such damages. Some states do not allow the exclusion or limitation of liability for consequential or incidental damages so the foregoing limitation may not apply. Revisions: V1.0 (February 20, 2002): Bulletin Created. [***** End Microsoft Security Bulletin MS02-007 *****]
Voice: +1 866-941-2472 (7 x 24)
E-mail: doecirc@doecirc.energy.gov
World Wide Web: http://www.doecirc.energy.gov/