ALERT-TSA03-001c-UPDATE

The following is an update to Alert TSA-03-001, issued on Saturday regarding the SQL Slammer worm.

This information was received by Secure Florida through its contract with the TruSecure Corporation. It is the property of the TruSecure Corporation, and Secure Florida makes no warranties as to the validity of this information. Please consult the technical expert of your choosing before taking any action.


UPDATE:

IMPACT:

While nearly all organizations experienced some impact from the Internet saturation that occurred in the early morning hours of Saturday, January 25th, reports from organizations worldwide, as of Monday, January 27, 2003, indicate that the W32/SQLSlammer worm also infected, either at edge servers or on devices on the inside LAN, more than 80% of medium and large organizations since its release on Saturday. Between 160,000 and 200,000 sites were infected.

IMPACT TO TRUSECURE CLIENTS:

By contrast, the TruSecure client base experienced very little infection from the worm (virtually no certified clients were infected, and a few percent of non-certified clients were). We attribute this success largely to the aggressive push toward a perimeter default-deny stance, to our prediction of such a worm in May of 2002, and to our subsequent ad-hoc testing and mitigation activities since May.

APPCENTER SPECIAL CASE:

This is the patch that people using Microsoft AppCenter need to prevent the SQLSlammer vulnerability. It is different from all other patches regarding this issue, as AppCenter uses a specialized version of MSDE. Please make sure appropriate users are aware of this.

http://support.microsoft.com/default.aspx?scid=kb;en-us;813115

ADDRESS VPN/WAN & HIBERNATING LAPTOPS:

In order to continue to protect your organization, TruSecure is strongly urging that you ensure that you are observing a default-deny strategy not only at your Internet gateway, but at all gateways into your corporate network. There are reports of companies getting infected via VPN and business partners connecting into the corporate network. TruSecure has long recommended that all such connections should terminate in a controlled segment and have access control lists to prevent unnecessary services and ports from being exposed to the VPN and business partner networks.

Besides VPN/WAN vectors, the most likely vector to bring an infection from the outside in is a laptop infected at home or on the road, put in suspend or hibernate mode, and reactivated while on the corporate LAN.

WORM TRAFFIC:

Depending upon your particular ISP, Internet worm traffic is down to about 1% of peak levels. This is more than sufficient to make its way into your internal network over time by the vectors mentioned above.

Organizations that become infected internally will suffer the same sort of performance impact the Internet suffered on Saturday, and such an occurrence would likely rival the impact that Code Red had 2 years ago.

TruSecure recommends that organizations apply filter and access control rules to prevent access to all services and ports, except those specifically required for critical business operations, from all external connections. This includes gateway access from VPN, wireless networks, WANs, and business connections. Monitoring the connections between your networks and any external networks such as partners, branch offices, and home networks, where traffic is trusted by virtue of the source, may also be prudent.
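The monitoring suggested above can be reduced to a simple indicator: the worm sprays single UDP datagrams to port 1434 at many distinct addresses, while a legitimate SQL Server Resolution Service lookup goes to one server. The following is an added example, not code from the alert or from TruSecure; the flow-log format and the sample lines are constructed for illustration, and the threshold of five distinct destinations is an assumed tuning value.

```python
"""Flag sources spraying UDP/1434 across many destinations in a flow log.

Added example, not part of the TruSecure alert. The log format is a
constructed one-line-per-flow layout: "timestamp src_ip dst_ip proto dst_port".
Run this over logs from VPN concentrators, partner links and branch routers,
where the alert says traffic is trusted by virtue of its source.
"""
from collections import defaultdict

# Constructed sample (not captured data): a VPN client, 10.8.0.5, hits
# UDP/1434 on six different hosts (one of them twice), while 10.1.2.10
# performs a single legitimate resolution-service lookup and other hosts
# carry ordinary traffic. One malformed line is included on purpose.
SAMPLE_LOG = """\
2003-01-27T08:00:01 10.8.0.5 10.1.2.3 UDP 1434
2003-01-27T08:00:01 10.8.0.5 10.1.9.17 UDP 1434
2003-01-27T08:00:01 10.8.0.5 10.1.44.8 UDP 1434
2003-01-27T08:00:01 10.8.0.5 172.16.5.5 UDP 1434
2003-01-27T08:00:02 10.8.0.5 192.168.7.200 UDP 1434
2003-01-27T08:00:02 10.8.0.5 10.1.2.4 UDP 1434
2003-01-27T08:00:02 10.8.0.5 10.1.2.3 UDP 1434
2003-01-27T08:00:02 10.1.2.10 10.1.2.3 UDP 1434
2003-01-27T08:00:02 10.1.2.3 10.1.2.10 TCP 1433
2003-01-27T08:00:03 10.8.0.9 10.1.2.3 UDP 53
this line is garbage and must not abort the run
"""

SQL_RESOLUTION_PORT = 1434


def parse_flow(line):
    """Split one constructed flow line into its fields; raises ValueError if malformed."""
    ts, src, dst, proto, port = line.split()
    return {"ts": ts, "src": src, "dst": dst, "proto": proto.upper(), "port": int(port)}


def udp1434_sprayers(lines, threshold=5):
    """Map each source that sent UDP/1434 to >= threshold distinct destinations
    onto its distinct-destination count. Destinations are deduplicated so
    retries to one server do not inflate the count."""
    targets = defaultdict(set)
    for line in lines:
        line = line.strip()
        if not line:
            continue
        try:
            flow = parse_flow(line)
        except ValueError:
            continue  # skip malformed lines instead of aborting the whole pass
        if flow["proto"] == "UDP" and flow["port"] == SQL_RESOLUTION_PORT:
            targets[flow["src"]].add(flow["dst"])
    return {src: len(dsts) for src, dsts in targets.items() if len(dsts) >= threshold}


if __name__ == "__main__":
    for src, count in udp1434_sprayers(SAMPLE_LOG.splitlines()).items():
        print(f"isolate {src}: UDP/1434 to {count} distinct hosts")
```

A single hit on one destination (10.1.2.10 above) stays below the threshold, so the check keeps ordinary named-instance lookups quiet; only the spraying source is reported, which is the host to cut off from the VPN or partner segment.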

INTERNAL SCANNING:

Some organizations may also wish to consider scanning internally for systems listening on TCP 1433, the primary SQL Server port (scanning TCP is much more reliable than UDP 1434 and should identify the same subset of potentially worrisome devices). This will uncover not only SQL Server machines, but also machines running the Microsoft SQL Desktop Engine 2000 service. This MSDE service may not be obvious, as it installs together with other software, such as Microsoft Visio or Project, as well as many other packages. (A partial list of applications that may install, or can install, MSDE follows; please note that it is not necessarily complete, nor verified by Microsoft.)

APPLICATIONS THAT *MAY* HOST MS SQL:

  • Microsoft Biztalk Server
  • Visual Studio.NET
  • .NET Framework SDK
  • Application Center Server
  • Microsoft Visio 2000
  • Microsoft Project
  • McAfee ePolicy Orchestrator
  • Telestream FlipFactory
  • Lyris ListManager
  • ASP.NET Web Matrix Tool
  • Office XP Developer Edition
  • Microsoft Visual FoxPro 7.0
  • Dell OpenManage
  • HP Openview Internet Services Monitor
  • HP Openview for Windows
  • Websense
  • Megatrack from BLUEMEGA
  • Veritas Backup Exec ver 9.0
  • WebBoard
  • Chubb security system
  • Office 2000 Developer Edition
  • Crystal Reports Enterprise 8.5
  • MonTel (a PABX admin tool)
  • HelpMaster Pro
  • Hailstorm (http://www.cenzic.com)
  • GFI S.E.L.M
  • SecureScanNX - Vigilante
  • ASSET v1.01 - NIST
  • Centennial Discovery
  • SalesLogix
  • Helpstar (Helpdesk)
  • http://www.realestate.intuit.com/
  • Microsoft's Age of Mythology
  • Tumbleweed Secure Guardian
  • World Secure
  • PowerQuest Deploy Center 5
  • ControlCenter ST
  • Trend Micro Damage Cleanup Server 1.0
  • Compaq Insight Manager v7
  • Patchlink Patch Management System
  • Microsoft SharePoint Teamservices
  • "Great Plains" financial software
  • Pentasafe's Vegilent Security Console
  • Chaperon 2000
  • Prolog Manager - http://www.mps.com/products/PM/index.asp
  • PDExpress - http://www.lucid-data.com/
  • EdWeb - http://www.tierrasoftware.com
  • SPYRUS Organizational Certificate Authority (OCA)
  • Citrix NFuse Elite
  • StarAdmin http://www.starremote.com
  • RealSecure IDS management console

FOLLOW-ON ATTACKS:

We do expect this attack to evolve, as Code Red and Nimda did, over the following days to a month or two. Aggressive blocking activity by backbone and other ISPs will mitigate direct descendants of this attack somewhat.

PRODUCTION REQUIRING REMOTE SQL:

You can still use SQL across the Internet without UDP 1434. We don't recommend open connections for this purpose, but your TruSecure Central web site has a method by which you can get production working if required while you build alternative means. Even in the worst case you should use source filtering, and VPN/tunneling with segmented end-points, for these purposes.

SQL 7.0 / MSDE 1.0:

Despite rumors to the contrary, SQL 7 / MSDE 1.0 are not vulnerable to this worm.


COMMUNICATION:

Please contact your TruSecure analyst if you have any questions or if you see actual attempts to exploit this vulnerability.

TruSecure Corporation provides information security assurance services including TruSecure(tm), which significantly reduces the likelihood of participating companies having information security breaches in six areas of risk: Electronic (hacking and related) risk, Malicious Code risk (virus, Trojan, worm and related), Privacy risk, Downtime risk, Physical risk and Human Factors risk. See www.trusecure.com for further information on these services.

DISCLAIMER:

Copyright 2003 TruSecure Corporation. All rights reserved. This Alert is the property of the TruSecure Corporation. It may not be redistributed except within your own company or organization. This Alert is being provided for informational purposes only and is provided "AS IS." The TruSecure Corporation makes no warranties of any kind, express or implied, including, but not limited to warranties of merchantability, fitness for a particular purpose, non-infringement, and warranties arising out of any course of dealing or course of conduct.

Impenetrable security is unattainable in real world environments; the TruSecure Corporation cannot and does not guarantee protection against breaches of security.

IN NO EVENT WILL THE TRUSECURE CORPORATION BE LIABLE FOR ANY BUSINESS INTERRUPTION, LOST REVENUE, PROFITS OR DATA, OR FOR DAMAGES OF ANY KIND, HOWEVER CAUSED, ARISING OUT OF YOUR USE OF OR INABILITY TO USE THE INFORMATION CONTAINED IN THIS WARNING, OR YOUR FAILURE TO RECEIVE ANY PRIOR OR FUTURE ALERTS, WATCHES OR WARNINGS, EVEN IF THE TRUSECURE CORPORATION HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES.