TruSecure ALERT - TSA 03-001
TSA 03-001 - W32/SQLSlammer
Date: January 25, 2003
Time: 0600 UTC

RISK INDICES:

Initial Assessment: Hot

Threat: High - The worm poses two risks to the enterprise: compromise of a SQL 2000 or MSDE host on your network, and network floods caused by the worm that can degrade network performance up to a denial of service. Thus you may suffer a denial of service even if you have no vulnerable hosts; this could especially be true among web hosting customers/users.

Vulnerability Prevalence: High (although low among TruSecure clients who have adopted a perimeter default-deny stance)

Cost: Medium/High - This worm may run code on the infected machine, which then sends out probes or attacks to random addresses.

Vulnerable Systems: Microsoft systems with either SQL Server 2000 or Microsoft SQL Desktop Engine (MSDE) 2000 and 1434/UDP exposed. Such systems will also typically have 1433/TCP exposed, although this port does not appear to be used in this attack.

Impact: As of this morning, there have been reports from a large number of points on the Internet indicating large volumes of UDP traffic that is affecting the Internet. This indicates the potential for many infected SQL servers. The biggest effect so far appears to be the amount of traffic generated by the probes, which appears to be impacting the Internet. Some reports indicate as much as 500 Mbps of traffic caused by this worm.

SUMMARY:

Earlier this morning, January 25, 2003, TruSecure began receiving reports of a SQL worm spreading via obviously automated SQL ping probes.

NOTES:

It appears that the code attacks a buffer overflow in the SQL Server Resolution Service of SQL Server 2000 installations that have neither the MS02-039 hotfix nor SQL Server 2000 Service Pack 3 installed. It can also attack MSDE installations, a component installed by many other applications, including MS Project and MS Visio. The probes are coming from a variety of source IPs, in the US and overseas, many of which may be spoofed.
Because it does not appear to drop a payload onto the disk of affected servers, anti-virus software is not likely to detect this worm.

MITIGATIONS:

The standard TruSecure perimeter default-deny strategy (which blocks all ports, including TCP 1433 and UDP 1434, from being visible to the Internet) will be effective. TruSecure Monitor contains several SQL bulletins since 1/2000, including discussions of the SQL-related Microsoft bulletins MS00-035, MS02-020, MS02-039, MS02-007, MS01-060, and MS01-032.

1. SQL Server 2000 and Microsoft SQL Desktop Engine (MSDE) 2000 are affected.
2. Patch vulnerable and visible servers using Microsoft SQL Server 2000 SP3. http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/bulletin/MS02-039.asp
3. Block inbound access to TCP 1433, and block access to UDP 1434, the SQL Server 2000 Resolution Service port. This port is similar to the RPC End Point Mapper port (TCP 135), which redirects client requests for a server service to a dynamically allocated port.
4. Customers who have systems hosted by hosting providers should ensure their hosting provider has taken appropriate steps to mitigate this attack. Other customers at your hosting provider may have caused the provider to expose UDP 1434, thereby causing their service levels to be affected.
5. Microsoft, the White House, the FBI, and CERT have all been notified;
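An added example, not part of the TruSecure alert, of a check a defender can run over perimeter firewall logs to act on the mitigations above: it flags sources fanning UDP/1434 datagrams out to many distinct hosts (the worm probes random addresses, whereas a legitimate client resolves one SQL instance) and internal hosts that accepted UDP/1434 from outside the enterprise address space (a default-deny violation). The key=value log format, the enterprise address ranges and the sample lines are constructed assumptions.

```python
import ipaddress
import re
from collections import defaultdict

# Constructed firewall log lines in an assumed key=value format (not from any real device).
SAMPLE_LOG = """\
2003-01-25T05:31:02Z action=accept proto=udp src=10.0.5.17 dst=10.0.9.4 dport=1434
2003-01-25T05:31:02Z action=accept proto=udp src=10.0.5.17 dst=172.16.3.9 dport=1434
2003-01-25T05:31:02Z action=accept proto=udp src=10.0.5.17 dst=198.51.100.7 dport=1434
2003-01-25T05:31:03Z action=accept proto=udp src=10.0.5.17 dst=203.0.113.88 dport=1434
2003-01-25T05:31:03Z action=accept proto=tcp src=10.0.5.22 dst=10.0.9.4 dport=1433
2003-01-25T05:31:04Z action=accept proto=udp src=10.0.5.22 dst=10.0.9.4 dport=1434
2003-01-25T05:31:05Z action=accept proto=udp src=192.0.2.10 dst=10.0.9.4 dport=1434
2003-01-25T05:31:06Z action=drop proto=udp src=192.0.2.44 dst=10.0.9.6 dport=1434
"""

# Assumed enterprise address space; the TEST-NET addresses above stand in for the Internet.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
LINE_RE = re.compile(
    r"action=(?P<action>\w+) proto=(?P<proto>\w+) src=(?P<src>[\d.]+) "
    r"dst=(?P<dst>[\d.]+) dport=(?P<dport>\d+)"
)

def parse(log_text):
    """Yield one dict per parseable line; lines that do not match are skipped."""
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if m:
            yield m.groupdict()

def is_internal(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)

def udp1434_fanout(log_text, min_targets=3):
    """Map each source that sent UDP/1434 to >= min_targets distinct hosts to its target count."""
    targets = defaultdict(set)
    for r in parse(log_text):
        if r["proto"] == "udp" and r["dport"] == "1434":
            targets[r["src"]].add(r["dst"])
    return {src: len(d) for src, d in targets.items() if len(d) >= min_targets}

def externally_exposed_1434(log_text):
    """Internal hosts that ACCEPTED UDP/1434 from outside the enterprise ranges (patch these first)."""
    exposed = {r["dst"] for r in parse(log_text)
               if r["action"] == "accept" and r["proto"] == "udp"
               and r["dport"] == "1434" and not is_internal(r["src"])}
    return sorted(exposed)
```

On the sample lines, 10.0.5.17 is reported for worm-like fan-out and 10.0.9.4 for accepting UDP/1434 from the Internet; the dropped probe to 10.0.9.6 shows the default-deny rule working.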
2. Disable the TCP library for MS SQL; this will disable port 1433 for those installations where the MS SQL server is installed on the same box as an IIS server.
3. Review ALL installations of MS SQL and appropriately harden the installation. A guide for hardening MS SQL installations can be found at: http://www.sqlsecurity.com/
4. Consider sweeping your intranet (LAN) for port 1433 (the URL in 4 has a tool for this purpose) to discover unexpected or unsanctioned SQL devices.

COMMUNICATION:

Please contact your TruSecure analyst if you have any questions or if you see actual attempts to exploit this vulnerability.

TruSecure Corporation provides information security assurance services, including TruSecure(tm), which significantly reduces the likelihood of participating companies having information security breaches in six areas of risk: Electronic (hacking and related) risk, Malicious Code risk (virus, Trojan, worm and related), Privacy risk, Downtime risk, Physical risk and Human Factors risk. See www.trusecure.com for further information on these services.

DISCLAIMER:

Copyright 2003 TruSecure Corporation. All rights reserved. This Alert is the property of the TruSecure Corporation. It may not be redistributed except within your own company or organization. This Alert is being provided for informational purposes only and is provided "AS IS." The TruSecure Corporation makes no warranties of any kind, express or implied, including, but not limited to, warranties of merchantability, fitness for a particular purpose, non-infringement, and warranties arising out of any course of dealing or course of conduct. Impenetrable security is unattainable in real-world environments; the TruSecure Corporation cannot and does not guarantee protection against breaches of security.
IN NO EVENT WILL THE TRUSECURE CORPORATION BE LIABLE FOR ANY BUSINESS INTERRUPTION, LOST REVENUE, PROFITS OR DATA, OR FOR DAMAGES OF ANY KIND, HOWEVER CAUSED, ARISING OUT OF YOUR USE OF OR INABILITY TO USE THE INFORMATION CONTAINED IN THIS WARNING, OR YOUR FAILURE TO RECEIVE ANY PRIOR OR FUTURE ALERTS, WATCHES OR WARNINGS, EVEN IF THE TRUSECURE CORPORATION HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES.