VID 25018
Severity 40
Port 1434
Protocol UDP
Class DB
Detailed Description The MS SQL Server on this host is vulnerable to the buffer overflow exploited by the Sapphire Worm (also known as SQL Slammer) and can be infected by it.

Late on Friday, January 24, 2003, a new SQL worm was found spreading rapidly across networks around the world. eEye dubbed it the "Sapphire Worm". It spreads by exploiting a buffer overflow in Microsoft SQL Server 2000 that Next Generation Security Software Ltd. discovered in July 2002. The overflow exists because SQL Server mishandles data sent to the Microsoft SQL Monitor port (the SQL Server Resolution Service, UDP 1434). Because SQL Server 2000 runs with SYSTEM privileges, an attacker who triggers this overflow executes code as SYSTEM.

The worm generates pseudo-random IP addresses and sends its payload to each of them. The payload carries no additional malicious content (no backdoor or similar); however, because of the speed at which it attempts to re-infect systems, the scanning traffic alone can amount to a denial of service against infected networks. The worm is resident only in memory and is never written to disk.
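The propagation traffic described above is what a sniffer or IDS has to recognise. The following is an added example, not code from the original page or from any of the referenced advisories: it classifies UDP/1434 datagrams as legitimate SQL Server Resolution Service requests, as the worm's propagation packet, or as an overlong 0x04 query that hits the same overflow. It assumes the Slammer packet is a single 376-byte UDP payload beginning with 0x04, and it keys on the byte sequence and the strings "sock" and "send" used by the public Snort signature for this worm; check those against your own ruleset. The sample worm-like payload is constructed for the demonstration and is not the real worm.

```python
"""
Added example: classify UDP/1434 datagrams as benign SQL Server Resolution
Service requests or Sapphire/Slammer propagation packets, the kind of check
a sniffer or IDS would run to find already infected hosts.
"""
import struct

SSRS_PORT = 1434
SLAMMER_PAYLOAD_LEN = 376                 # the whole worm is one 376-byte UDP payload
# Byte sequence from the worm's code that the public Snort signature for this
# worm keys on, together with the ASCII strings "sock" and "send" (assumption:
# verify against your own IDS ruleset).
SLAMMER_MARKER = bytes.fromhex("81f10301049b81f101")
MAX_INSTANCE_NAME = 32                    # legitimate 0x04 queries carry a short instance name

CLNT_BCAST_EX = 0x02    # "list instances" (broadcast form)
CLNT_UCAST_EX = 0x03    # "list instances" (unicast form)
CLNT_UCAST_INST = 0x04  # "look up one instance by name": the field the worm overflows


def classify_payload(dst_port: int, payload: bytes) -> str:
    """Return a verdict string for one UDP datagram addressed to dst_port."""
    if dst_port != SSRS_PORT:
        return "not_ssrs"
    if not payload:
        return "empty"
    kind = payload[0]
    if kind in (CLNT_BCAST_EX, CLNT_UCAST_EX) and len(payload) == 1:
        return "benign_ping"
    if kind == CLNT_UCAST_INST:
        if (len(payload) == SLAMMER_PAYLOAD_LEN
                and SLAMMER_MARKER in payload
                and b"sock" in payload and b"send" in payload):
            return "slammer"
        # instance name is at most 32 bytes plus a terminating NUL
        if len(payload) > 1 + MAX_INSTANCE_NAME + 1:
            return "overlong_instance_query"   # same overflow, different payload
        return "benign_instance_query"
    return "unknown_request"


def classify_ipv4_frame(packet: bytes) -> str:
    """Parse a raw IPv4 packet (no link-layer header) and classify its UDP payload."""
    if len(packet) < 20 or packet[0] >> 4 != 4:
        return "not_ipv4"
    ihl = (packet[0] & 0x0F) * 4
    proto = packet[9]
    if proto != 17 or len(packet) < ihl + 8:
        return "not_udp"
    _src, dst, udp_len, _csum = struct.unpack_from("!HHHH", packet, ihl)
    payload = packet[ihl + 8: ihl + udp_len]
    return classify_payload(dst, payload)


def build_ipv4_udp(src_ip, dst_ip, sport, dport, payload) -> bytes:
    """Build a minimal IPv4+UDP packet for the constructed samples (checksums zeroed)."""
    udp = struct.pack("!HHHH", sport, dport, 8 + len(payload), 0) + payload
    total = 20 + len(udp)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total, 0, 0, 64, 17, 0,
                     bytes(int(o) for o in src_ip.split(".")),
                     bytes(int(o) for o in dst_ip.split(".")))
    return ip + udp


# Constructed sample, NOT the real worm: a synthetic 376-byte payload carrying
# the structural markers the signature looks for, with filler instead of shellcode.
def constructed_slammer_like() -> bytes:
    body = b"\x04" + b"\x01" * 96 + SLAMMER_MARKER + b"sock" + b"send"
    return body + b"\x90" * (SLAMMER_PAYLOAD_LEN - len(body))


if __name__ == "__main__":
    samples = {
        "ping": b"\x02",
        "named instance lookup": b"\x04MSSQLSERVER\x00",
        "constructed worm-like": constructed_slammer_like(),
    }
    for label, payload in samples.items():
        frame = build_ipv4_udp("10.0.0.5", "10.0.0.9", 40000, SSRS_PORT, payload)
        print(f"{label:>24}: {classify_ipv4_frame(frame)}")
```

Feed classify_ipv4_frame() the IP packets from a pcap of a 1434/udp capture filter; the source address of every "slammer" verdict is an infected host, which is the information the note below says the scanner cannot give you. The "overlong_instance_query" verdict catches hand-crafted exploits for the same overflow that do not match the worm's fixed layout.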

* Note: This check is non-intrusive and will not crash your servers while identifying vulnerable systems. Because of the nature of the worm, an infected host is saturated by its own traffic and valid probe data may never reach it, so this check WILL NOT identify systems that are already infected. We suggest using sniffers and IDS to find already infected machines.
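As an added example of the non-intrusive check described in the note above (this is illustrative code, not the scanner's own implementation), the following sends the one-byte "list instances" request that any SQL client uses, parses the SQL Server Resolution Service reply, and compares each reported build against the SQL Server 2000 SP3 baseline, 8.00.760. It assumes the standard reply layout (0x05, a little-endian length, then "key;value;...;;" records); the host name DBSRV01 and the reply bytes are constructed for the demonstration, not captured from a real server.

```python
"""
Added example: the non-intrusive check. It sends the same one-byte "list
instances" request a SQL client uses, parses the SQL Server Resolution
Service reply, and compares each reported build against SQL Server 2000 SP3.
"""
import socket
import struct

SSRS_PORT = 1434
CLNT_BCAST_EX = b"\x02"      # legitimate enumeration request; not the 0x04 overflow path
SVR_RESP = 0x05
SP3_BUILD = (8, 0, 760)      # SQL Server 2000 SP3 reports version 8.00.760


def parse_svr_resp(data: bytes) -> list:
    """Decode a SVR_RESP datagram into one dict of key/value pairs per instance."""
    if len(data) < 3 or data[0] != SVR_RESP:
        raise ValueError("not a SQL Server Resolution Service response")
    (length,) = struct.unpack_from("<H", data, 1)
    body = data[3:3 + length].decode("ascii", errors="replace")
    instances = []
    for record in body.split(";;"):      # each instance record is terminated by ";;"
        fields = record.strip(";").split(";")
        if len(fields) < 2:
            continue
        if len(fields) % 2:
            raise ValueError("odd number of fields in record: %r" % record)
        instances.append(dict(zip(fields[0::2], fields[1::2])))
    return instances


def parse_build(version: str) -> tuple:
    """'8.00.194' -> (8, 0, 194); tolerates trailing text such as '8.00.194 (Intel X86)'."""
    return tuple(int(p) for p in version.split()[0].split("."))


def is_vulnerable(version: str, fixed_build=SP3_BUILD) -> bool:
    """True when the reported build is older than the fixed baseline.

    The SP3 baseline is deliberately conservative: a host carrying only the
    standalone hotfix still reports a build below 8.00.760 and is flagged
    for manual review rather than silently passed.
    """
    return parse_build(version) < fixed_build


def assess(data: bytes) -> list:
    """Turn a raw reply into (instance name, version, vulnerable?) triples."""
    if not data:
        # No reply: filtered, no SQL Server, or a host already saturated by the
        # worm (see the note above). Nothing can be concluded from silence.
        return []
    out = []
    for inst in parse_svr_resp(data):
        version = inst.get("Version", "")
        out.append((inst.get("InstanceName", "?"), version,
                    is_vulnerable(version) if version else True))
    return out


def probe(host: str, timeout: float = 2.0) -> bytes:
    """Send the request to host:1434 and return the raw reply (b'' on no answer)."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(CLNT_BCAST_EX, (host, SSRS_PORT))
        try:
            data, _ = s.recvfrom(65535)
        except socket.timeout:
            return b""
    return data


# Constructed reply (not captured from a real server) with one unpatched and
# one SP3 instance on the hypothetical host DBSRV01.
def constructed_response() -> bytes:
    body = (b"ServerName;DBSRV01;InstanceName;MSSQLSERVER;IsClustered;No;"
            b"Version;8.00.194;tcp;1433;np;\\\\DBSRV01\\pipe\\sql\\query;;"
            b"ServerName;DBSRV01;InstanceName;REPORTS;IsClustered;No;"
            b"Version;8.00.760;tcp;1521;;")
    return b"\x05" + struct.pack("<H", len(body)) + body


if __name__ == "__main__":
    import sys
    data = probe(sys.argv[1]) if len(sys.argv) > 1 else constructed_response()
    for name, version, vuln in assess(data):
        print(f"{name:<14} {version:<10} {'VULNERABLE' if vuln else 'patched'}")
```

Run it with a host name to probe a real server, or with no argument to see the parser work on the constructed reply. The request byte is 0x02, the same enumeration request that the SQL client library sends, so it exercises none of the overflow path; a build below 8.00.760 means "review this host", and the version string should be confirmed with @@VERSION on the server itself, since the resolution service's reported version is only an indicator.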

* Platforms Affected:
Microsoft SQL Server 2000 pre SP3
Microsoft Desktop Engine (MSDE) 2000

* References:
http://securityresponse.symantec.com/avcenter/venc/data/w32.sqlexp.worm.html
http://www.eeye.com/html/Research/Flash/AL20030125.html
http://www.cisco.com/warp/public/707/cisco-sn-20030125-worm.shtml
http://www.iss.net/security_center/static/10031.php
http://www.nextgenss.com/advisories/mssql-udp.txt
http://www.cert.org/advisories/CA-2003-04.html
http://www.techie.hopto.org/sqlworm.html
http://www.boredom.org/~cstone/worm-annotated.txt
Recommendation Because the worm is resident only in memory and is never written to disk, file-based virus definitions will not detect it. If a host is compromised, you can remove the worm by performing the following steps:

1. Stop MS SQL Server. This alone clears the worm from memory, but the host will be re-infected within moments unless it is patched or UDP port 1434 is blocked before the service is restarted.

2. Eliminate the Microsoft SQL Buffer Overflow Vulnerability From Your Systems:
Apply either the standalone patch (MS02-061) or SQL Server 2000 Service Pack 3, which includes the fix for this vulnerability, before restarting the service.

Standalone patch:
http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/bulletin/MS02-061.asp

SQL 2000 Service Pack 3 (Cumulative Patch):
http://www.microsoft.com/sql/downloads/2000/sp3.asp

3. Restart your MS SQL server

-- AND --

We recommend that you immediately firewall the SQL service ports at all of your gateways, in both directions. The worm spreads only over UDP port 1434 (the SQL Monitor port), so blocking that port both keeps new infections out and stops an already infected host from scanning outward.
Related URL (CVE): CVE-2002-0649, CVE-2002-0650