[Full-Disclosure] Cisco Security Advisory: MS SQL "Sapphire" Worm Mitigation Recommendations

From: Cisco Systems Product Security Incident Response Team (psirt@cisco.com)
Date: 01/25/03

  • Next message: Richard M. Smith: "[Full-Disclosure] RE: MS SQL WORM IS DESTROYING INTERNET BLOCK PORT 1434!"
    From: Cisco Systems Product Security Incident Response Team <psirt@cisco.com>
    To: full-disclosure@lists.netsys.com
    Date: Sat, 25 Jan 2003 12:30:00 -0800 (PST)
    

    -----BEGIN PGP SIGNED MESSAGE-----
    Hash: SHA1

    Cisco Security Advisory: MS SQL "Sapphire" Worm Mitigation Recommendations
    ==============================================================================

    Revision 1.0

    For Public Release 2003 January 25 14:00:00 UTC

    - -------------------------------------------------------------------------------

    Contents
    ========

    Summary
    Details
    Symptoms
    Workarounds
    Exploitation and Public Announcements
    Status of This Notice
    Distribution
    Revision History
    Cisco Security Procedures

    - -------------------------------------------------------------------------------

    Summary
    =======

    Cisco customers are currently experiencing attacks due to a new worm that has
    hit the Internet. The signature of this worm appears to be high volumes of UDP
    traffic to port 1434. Affected customers have been experiencing high volumes of
    traffic from both internal and external systems. Symptoms on Cisco devices
    include, but are not limited to high CPU and traffic drops on the input
    interfaces.

    http://www.eeye.com/html/Research/Flash/AL20030125.html leaving cisco.com

    At the time of this notice there is no definitive analysis of the worm.

    Details
    =======

    UDP port 1433 and 1434 are used for SQL server traffic. A new worm has been
    targeting port 1434 and attempting to exploit a buffer overflow vulnerability
    in Microsoft's SQL server. We have received reports that the worm targets port
    1433 as well, however this is unverified at this time.

    Microsoft has issued a security advisory about this issue, the details are
    here:

    http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/
    bulletin/MS02-039.asp leaving cisco.com

    For infected servers, MS recommends downloading Service Pack 3 for SqlSvr,
    located here:

    http://www.microsoft.com/sql/downloads/2000/sp3.asp?SD=GN&LN=en-us&gssnb=1
    leaving cisco.com

    Symptoms
    ========

    You may see instability in networks due to increased load. The traffic load
    generated by this DoS is very high.

    Workarounds
    ===========

    Thus far the best mitigation is to block inbound and outbound traffic destined
    to UDP port 1434. Care must be taken in regards to the impact on mission
    critical services as 1434/udp and 1433/udp are used by Microsoft SQL Server.
    Before blocking traffic to these ports completely make sure that the possible
    effects on your network are understood.

    Note: These workarounds block both ports 1433 and 1434, although we have
    received no evidence yet that blocking port 1433 has any affect on the attack.
    If your network requires traffic to flow on port 1433 please leave that portion
    of the ACL out and monitor your results closely.

    VACL on the 6500

    To configure:

    set security acl ip WORM deny udp any eq 1434 any
    set security acl ip WORM deny udp any any eq 1434
    set security acl ip WORM deny udp any eq 1433 any
    set security acl ip WORM deny udp any any eq 1433
    set security acl ip WORM permit any
    commit security acl WORM
    set security acl map WORM <vlan>

    Set port to vlan based:

    set port qos <mod/port> vlan-based

    To verify:

    show security acl info all

    To remove:

    clear security acl WORM
    commit security acl WORM

    ACL for IOS

    Note: Log statement removed due to load issues on the router. If you are trying
    to track source addresses, use NetFlow.

    access-list 115 deny udp any any eq 1433
    access-list 115 deny udp any any eq 1434
    access-list 115 permit ip any any

    int <interface>
    ip access-group 115 in
    ip access-group 115 out

    Exploitation and Public Announcements
    =====================================

    This issue is being exploited actively and has been discussed in numerous
    public announcements and messages. References include:

      * http://www.cert.org/advisories/CA-2003-04.html leaving cisco.com
      * http://www.eeye.com/html/Research/Flash/AL20030125.html leaving cisco.com

    Status of This Notice: INTERIM
    ==============================

    This is an interim notice. Although Cisco cannot guarantee the accuracy of all
    statements in this notice, all of the facts have been checked to the best of
    our ability. Cisco anticipates issuing updated versions of this notice when
    there is material change in the facts.

    Distribution
    ============

    This notice will be posted on Cisco's worldwide website at http://www.cisco.com
    /warp/public/707/cisco-sn-20030125-worm.shtml. In addition to worldwide web
    posting, a text version of this notice is clear-signed with the Cisco PSIRT PGP
    key and is posted to the following e-mail and Usenet news recipients:

      * cust-security-announce@cisco.com
      * bugtraq@securityfocus.com
      * full-disclosure@lists.netsys.com
      * first-teams@first.org (includes CERT/CC)
      * cisco@spot.colorado.edu
      * cisco-nsp@puck.nether.net
      * comp.dcom.sys.cisco
      * Various internal Cisco mailing lists

    Future updates of this notice, if any, will be placed on Cisco's worldwide web
    Users concerned about this problem are encouraged to check the URL given above
    for any updates.

    Revision History
    ================

    +---------------------------------------------------------------------------+
    |Revision |25-January-2003|Initial public release. |
    |1.0 | | |
    +---------------------------------------------------------------------------+

    Cisco Security Procedures
    =========================

    If you have any new information that would be of use to us, please send email
    to psirt@cisco.com. Information regarding strategies for protecting against
    Distributed Denial of Service attacks may be found at http://www.cisco.com/warp
    /public/707/newsflash.html .

    Complete information on reporting security vulnerabilities in Cisco products,
    obtaining assistance with security incidents, and registering to receive
    security information from Cisco, is available on Cisco's worldwide website at
    http://www.cisco.com/warp/public/707/sec_incident_response.shtml. This includes
    instructions for press inquiries regarding Cisco security notices. All Cisco
    Security Advisories are available at http://www.cisco.com/go/psirt/.

    - -------------------------------------------------------------------------------

    This notice is Copyright 2003 by Cisco Systems, Inc. This notice may be
    redistributed freely after the release date given at the top of the text,
    provided that redistributed copies are complete and unmodified, and include all
    date and version information.

    - -------------------------------------------------------------------------------

    -----BEGIN PGP SIGNATURE-----
    Version: PGP 7.0

    iQA/AwUBPjLvSJPS/wbyNnWcEQJfkACbBvRVSNVIGPrVNbUFa36ljgskecIAn1lQ
    NKkVnPmOjGcau3OjeIudkzyh
    =KxPU
    -----END PGP SIGNATURE-----

    _______________________________________________
    Full-Disclosure - We believe in it.
    Charter: http://lists.netsys.com/full-disclosure-charter.html