M-102: Microsoft SQL Server 2000 Resolution Service Buffer Overflow Vulnerabilities

CIAC INFORMATION BULLETIN

M-102: Microsoft SQL Server 2000 Resolution Service Buffer Overflow Vulnerabilities

[Microsoft Security Bulletin MS02-039]

July 26, 2002 23:00 GMT
Revised January 29, 2003

PROBLEM: A buffer overflow vulnerability in the Resolution Service of MS SQL Server 2000 could allow portions of the system memory to be overwritten.
PLATFORM: MS SQL Server 2000
Microsoft Desktop Engine (MSDE) 2000
DAMAGE: An attacker could overflow the buffer with carefully selected data and run code in the security context of the SQL Server service. An easier attack would create a denial of service.
SOLUTION: Apply the patch as directed by the advisory.

VULNERABILITY
ASSESSMENT:
The risk is HIGH. The vulnerabilities listed in this bulletin are being widely exploited. Patches should be applied immediately.

LINKS:  
  CIAC BULLETIN: http://www.ciac.org/ciac/bulletins/m-102.shtml
  ORIGINAL BULLETIN: http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/bulletin/MS02-039.asp
  PATCHES: http://www.microsoft.com/Downloads/Release.asp?ReleaseID=40602

[***** Start Microsoft Security Bulletin MS02-039 *****]

Microsoft Security Bulletin MS02-039

Originally posted: July 24, 2002

Summary

Who should read this bulletin: System administrators using Microsoft® SQL 
Server™ 2000 and Microsoft Desktop Engine 2000. 

Impact of vulnerability:  

Three vulnerabilities, the most serious of which could enable an 
attacker to gain control over an affected server. 

Maximum Severity Rating: Critical 

Recommendation: System administrators should install the patch immediately. 

Affected Software: 

Microsoft SQL Server 2000 
Microsoft Desktop Engine (MSDE) 2000 

Technical details 

Technical description: 

       SQL Server 2000 and MSDE 2000 introduce the ability to
       host multiple instances of SQL Server on a single
       physical machine. Each instance operates for all intents
       and purposes as though it was a separate server.
       However, the multiple instances cannot all use the
       standard SQL Server session port (TCP 1433). While the
       default instance listens on TCP port 1433, named
       instances listen on any port assigned to them. The SQL
       Server Resolution Service, which operates on UDP port
       1434, provides a way for clients to query for the
       appropriate network endpoints to use for a particular
       SQL Server instance. 

       There are three security vulnerabilities here. The first
       two are buffer overruns. By sending a carefully crafted
       packet to the Resolution Service, an attacker could
       cause portions of system memory (the heap in one
       case, the stack in the other) to be overwritten.
       Overwriting it with random data would likely result in
       the failure of the SQL Server service; overwriting it with
       carefully selected data could allow the attacker to run
       code in the security context of the SQL Server service. 

       The third vulnerability is a denial of service
       vulnerability. SQL uses a keep-alive mechanism to
       distinguish between active and passive instances. It is
       possible to create a keep-alive packet that, when sent
       to the Resolution Service, will cause SQL Server 2000 to
       respond with the same information. An attacker who
       created such a packet, spoofed the source address so
       that it appeared to come from one SQL Server 2000
       system, and sent it to a neighboring SQL Server 2000
       system could cause the two systems to enter a
       never-ending cycle of keep-alive packet exchanges. This
       would consume resources on both systems, slowing
       performance considerably. 

Mitigating factors:

Buffer Overruns in SQL Server Resolution Service: 

SQL Server 2000 runs in a security context chosen by the
administrator at installation time. By default, it runs as a Domain 
User. Thus, although the attacker's code could take any desired action on
the database, it would not necessarily have significant privileges at the
operating system level if best practices have been followed. 

The risk posed by the vulnerability could be mitigated by, if feasible,
blocking port 1434 at the firewall. 


Denial of Service via SQL Server Resolution Service: 

An attack could be broken off by restarting the SQL Server 2000
service on either of the affected systems. Normal processing on both
systems would resume once the attack ceased. 

The vulnerability provides no way to gain any privileges on the system.
It is a denial of service vulnerability only. 
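The two mitigations above (block UDP 1434 at the perimeter; watch for the keep-alive ping-pong between two servers) can be checked against flow or firewall logs. The following is an added detection example, not part of the CIAC or Microsoft bulletin; the log line format, the trusted network range and the loop threshold are assumptions, and the sample records are constructed.

```python
from collections import Counter
from ipaddress import ip_address, ip_network

SSRP_PORT = 1434                                  # SQL Server Resolution Service (UDP)
TRUSTED_NETS = [ip_network("10.0.0.0/8")]         # assumption: where SQL clients legitimately live
LOOP_THRESHOLD = 20                               # assumption: 1434<->1434 packets per host pair

def build_sample_log():
    """Constructed flow records, format '<ts> <proto> <src>:<sport> -> <dst>:<dport>'."""
    lines = ["1 UDP 10.0.2.9:50123 -> 10.0.1.5:1434",        # normal client instance lookup
             "2 UDP 203.0.113.7:40000 -> 10.0.1.5:1434",     # untrusted source reaching 1434
             "3 TCP 203.0.113.7:40001 -> 10.0.1.5:1433"]     # not the Resolution Service, ignored
    for i in range(30):                                      # keep-alive ping-pong between two servers
        a, b = ("10.0.1.5", "10.0.1.6") if i % 2 == 0 else ("10.0.1.6", "10.0.1.5")
        lines.append(f"{10 + i} UDP {a}:1434 -> {b}:1434")
    return "\n".join(lines)

def parse_line(line):
    """Split one record into (proto, src_ip, src_port, dst_ip, dst_port)."""
    _ts, proto, src, _arrow, dst = line.split()
    src_ip, src_port = src.rsplit(":", 1)
    dst_ip, dst_port = dst.rsplit(":", 1)
    return proto, src_ip, int(src_port), dst_ip, int(dst_port)

def analyze(log_text):
    """Return (untrusted sources that reached UDP 1434, host pairs stuck in a 1434<->1434 loop)."""
    untrusted = []
    pair_counts = Counter()
    for line in log_text.splitlines():
        if not line.strip():
            continue
        proto, src_ip, src_port, dst_ip, dst_port = parse_line(line)
        if proto != "UDP" or dst_port != SSRP_PORT:
            continue
        if not any(ip_address(src_ip) in net for net in TRUSTED_NETS):
            untrusted.append(src_ip)           # the bulletin's firewall rule should have dropped this
        if src_port == SSRP_PORT:              # both ends on 1434: keep-alive being reflected back
            pair_counts[tuple(sorted((src_ip, dst_ip)))] += 1
    loops = sorted(pair for pair, n in pair_counts.items() if n >= LOOP_THRESHOLD)
    return untrusted, loops

if __name__ == "__main__":
    print(analyze(build_sample_log()))
```

A pair reported in the loop list is the cue to restart the SQL Server service on one of the two hosts, as the bulletin describes, and to review why a spoofed packet reached UDP 1434 in the first place.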

Severity Rating: 
Buffer Overruns in SQL Server Resolution Service: 
                   Internet Servers   Intranet Servers    Client Systems
SQL Server 2000       Critical          Critical             None

Denial of Service via SQL Server Resolution Service: 
                   Internet Servers   Intranet Servers    Client Systems
SQL Server 2000       Critical          Critical             None
                       

The above assessment is based on the types of systems affected by the
vulnerability, their typical deployment patterns, and the effect that exploiting
the vulnerability would have on them. 

Vulnerability identifier: 

    - Buffer Overruns in SQL Server Resolution Service: CVE-CAN-2002-0649 
    - Denial of Service via SQL Server Resolution Service: CVE-CAN-2002-0650 



Tested Versions:
Microsoft tested SQL Server 2000 and 7.0 (and their
associated versions of MSDE) to assess whether they
are affected by these vulnerabilities. Previous versions
are no longer supported, and may or may not be
affected by these vulnerabilities.

Patch availability

       Download locations for this patch 

            Microsoft SQL Server 2000 and MSDE 2000: 
            http://www.microsoft.com/Downloads/Release.asp?ReleaseID=40602

Additional information about this patch 

Installation platforms: 
       This patch can be installed on systems running SQL Server 2000 Service
       Pack 2. 

Inclusion in future service packs:
       The fix for this issue will be included in SQL Server
       2000 Service Pack 3. 

Reboot needed: No. The SQL Server service only needs to be restarted after 
                   applying the patch. 

Patch can be uninstalled: Yes. 

Superseded patches: None. 

Verifying patch installation: 

To ensure you have the fix installed properly, verify the individual files
by consulting the date/time stamp of the files listed in the file manifest in
Microsoft Knowledge Base article Q323875. 

Caveats: None 

Localization:
       Localized versions of this patch are available at the
       locations discussed in "Patch Availability". 

Obtaining other security patches: 
       Patches for other security issues are available from the
       following locations: 

       - Security patches are available from the Microsoft Download Center,
         and can be most easily found by doing a keyword search for
         "security_patch". 
       - Patches for consumer platforms are available from the
         WindowsUpdate web site 

Other information: 

Acknowledgments

Microsoft thanks David Litchfield of Next Generation
Security Software Ltd. for reporting these issues to us
and working with us to protect customers. 

Support: 

- Microsoft Knowledge Base article Q323875 discusses this issue and
will be available approximately 24 hours after the release of this
bulletin. Knowledge Base articles can be found on the Microsoft
Online Support web site. 
- Technical support is available from Microsoft Product Support
Services. There is no charge for support calls associated with security
patches. 

Security Resources: 
The Microsoft TechNet Security Web Site provides additional information 
about security in Microsoft products. 

Disclaimer: 
       The information provided in the Microsoft Knowledge
       Base is provided "as is" without warranty of any kind.
       Microsoft disclaims all warranties, either express or
       implied, including the warranties of merchantability and
       fitness for a particular purpose. In no event shall
       Microsoft Corporation or its suppliers be liable for any
       damages whatsoever including direct, indirect,
       incidental, consequential, loss of business profits or
       special damages, even if Microsoft Corporation or its
       suppliers have been advised of the possibility of such
       damages. Some states do not allow the exclusion or
       limitation of liability for consequential or incidental
       damages so the foregoing limitation may not apply. 

Revisions: 

       - V1.0 (July 24, 2002): Bulletin Created. 
       - V1.1 (July 25, 2002): Bulletin updated to note that MSDE 2000 is
                               affected by the vulnerabilities.
       - V1.2 (January 26, 2003): Updated Knowledge Base links in 
                                  Additional Information section. 


[***** End Microsoft Security Bulletin MS02-039 *****]


CIAC wishes to acknowledge the contributions of Microsoft Corporation for the information contained in this bulletin.
DOE-CIRC can be contacted at:
    Voice:          +1 866-941-2472 (7 x 24)
    E-mail:          doecirc@doecirc.energy.gov
    World Wide Web:  http://www.doecirc.energy.gov/