GEN:SID | 1:2004 |
Message | MS-SQL Worm propagation attempt OUTBOUND |
Summary | This event is generated when an attempt is made by the "Slammer" worm to compromise a Microsoft SQL Server. Specifically, this rule generates an event when the worm activity emanates from the protected network.
|
Impact | A worm targeting a vulnerability in the MS SQL Server 2000 Resolution Service was released on January 25th, 2003. The worm attempts to exploit a buffer overflow in the Resolution Service. Because of the nature of the vulnerability, the worm is able to attempt to compromise other machines very rapidly.
|
Detailed Information | The Monitor Service provided by MS SQL and MSDE uses unchecked client-provided data in an SQL version check function.
The worm attempts to exploit a buffer overflow in this version request. If the worm sends too many bytes in the request that triggers the version check, a buffer overflow condition is triggered, resulting in a potential compromise of the SQL Server.
This event is indicative of an existing infection on the protected network. The event is generated on outgoing traffic.
|
Affected Systems | This vulnerability is present in unpatched MS SQL Servers. The following unpatched services containing MS SQL or Microsoft Desktop Engine (MSDE) may potentially be compromised by this worm:
* SQL Server 2000 (Developer, Standard, and Enterprise Editions)
* Visual Studio .NET (Architect, Developer, and Professional Editions)
* ASP.NET Web Matrix Tool
* Office XP Developer Edition
* MSDN Universal and Enterprise subscriptions
|
Attack Scenarios | This is worm activity.
|
Ease of Attack | Exploits for this vulnerability have been publicly published.
A worm has been written that automatically exploits this vulnerability.
|
Corrective Action | Block external access to the MS SQL services on ports 1433 and 1434 if possible.
Patches from Microsoft are available that fix this vulnerability. The patches are available from
www.microsoft.com/technet/security/bulletin/MS02-039.asp
|
Additional References | |
Rule References | bugtraq: 5310
bugtraq: 5311
cve: 2002-0649
nessus: 11214
url: vil.nai.com/vil/content/v_99992.htm
|
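Because this event indicates an existing infection inside the protected network, the next step is usually to find which internal hosts are the source. The following is an added triage example, not the rule's own logic or part of the original documentation: it scans flow records for oversized outbound requests to the Resolution Service on UDP port 1434. The flow records are constructed, and the record layout, the 64-byte request ceiling, the fan-out threshold and the 10.0.0.0/8 home network are assumptions.

```python
import ipaddress
from collections import defaultdict

RESOLUTION_PORT = 1434     # UDP port of the SQL Server Resolution Service
MAX_NORMAL_REQUEST = 64    # assumption: byte ceiling for a legitimate request
MIN_DISTINCT_DESTS = 3     # assumption: fan-out that marks active propagation

# Constructed flow records: (src, dst, proto, dst_port, payload_bytes)
SAMPLE_FLOWS = [
    ("10.1.2.30", "198.51.100.7", "udp", 1434, 376),
    ("10.1.2.30", "203.0.113.99", "udp", 1434, 376),
    ("10.1.2.30", "192.0.2.14", "udp", 1434, 376),
    ("10.1.2.30", "10.1.9.9", "udp", 1434, 376),      # internal target, not outbound
    ("10.1.2.41", "198.51.100.7", "udp", 1434, 12),   # small, normal-looking lookup
    ("10.1.2.55", "203.0.113.5", "tcp", 1433, 900),   # ordinary SQL client traffic
    ("198.51.100.7", "10.1.2.30", "udp", 1434, 376),  # inbound, not this event
    ("10.1.2.77", "192.0.2.200", "udp", 1434, 376),   # one oversized request only
]

def outbound_oversized(flows, home_net):
    """Yield (src, dst) for oversized UDP/1434 requests leaving home_net."""
    home = ipaddress.ip_network(home_net)
    for src, dst, proto, dport, size in flows:
        if proto != "udp" or dport != RESOLUTION_PORT:
            continue
        if size <= MAX_NORMAL_REQUEST:
            continue  # small lookups are what a normal client sends
        if ipaddress.ip_address(src) in home and ipaddress.ip_address(dst) not in home:
            yield src, dst

def triage(flows, home_net, min_dests=MIN_DISTINCT_DESTS):
    """Map each internal source to ('propagating' | 'review', distinct dest count)."""
    dests = defaultdict(set)
    for src, dst in outbound_oversized(flows, home_net):
        dests[src].add(dst)
    return {src: ("propagating" if len(d) >= min_dests else "review", len(d))
            for src, d in dests.items()}

if __name__ == "__main__":
    for host, (verdict, count) in sorted(triage(SAMPLE_FLOWS, "10.0.0.0/8").items()):
        print(f"{host}: {verdict} ({count} external destinations)")
```

Hosts reported as "propagating" are candidates for immediate isolation and patching; "review" hosts sent only a few oversized requests and need a closer look before action.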