Re: Microsoft AppCenter and W32/SQLSlammer
From: Russ (Russ.Cooper@RC.ON.CA)
Date: 01/26/03
Date: Sun, 26 Jan 2003 08:56:44 -0500 From: Russ <Russ.Cooper@RC.ON.CA> To: NTBUGTRAQ@LISTSERV.NTBUGTRAQ.COM
I am aware of the issue with AppCenter, and I would also like to pass
along some other information gathered yesterday.
1. As of late last night the AppCenter patch issue had not been
finalized at Microsoft (or if it had, not been conveyed to me). I have
been pursuing this with them for some of our customers, so I will be
following up today. When/if I get info about AppCenter's MSDE
installation, I will send it to the list. For now your only option is to
either keep the AppCenter machine out of harm's way, or ensure you have
filtered traffic prior to it reaching those boxes.
2. There have been a number of rumours I would like to dispel;
a) Windows XP Activation was affected by the Worm. One report I got was
that Microsoft's Activation Servers themselves were running vulnerable
versions of SQL and were down because of the worm...not so...during the
peak periods of the worm most networks were having latency problems and
in some cases, systems trying to perform Activation were failing because
their packets, or the return packets, weren't getting through.
b) There are problems with MS02-039, or MS02-043, or MS02-056, or
MS02-061...they introduce a new vulnerability or cause problems...
Well, not entirely true. Here's the skinny;
i) No new vulnerabilities are introduced by any of these patches. Of
course each addresses additional issues, so the older the patch the fewer
issues are addressed, but all address the vulnerability attacked by
SQLSlammer.
ii) If you are running MSDE 2000 or SQL 2000 on an NT 4.0 system,
MS02-056 and MS02-061 both refer to an NT patch required, prior to
installation of either of those patches, for the system to function
properly;
http://support.microsoft.com/default.aspx?scid=KB;EN-US;q258437
iii) MS02-043 was reported as not including the fixed ssnetlib.dll (the
file which causes the SQLSlammer vulnerability). In fact, it does
contain an appropriate version of that file.
iv) There was a handle leak introduced into SQL in SQL Service Pack 2.
This handle leak was not addressed in any of the above-mentioned
Security Bulletins. For that fix you'll need to apply;
http://support.microsoft.com/default.aspx?scid=KB;EN-US;q317748
This fix should be applied prior to the installation of any of the SQL
Security Bulletins, because it contains both ssmslpcn.dll (the fix for
the handle leak) and ssnetlib.dll (v8.00.568). ssnetlib.dll needs to be
v8.00.636 or higher for it to protect you from SQLSlammer. Please note
this is not necessarily the same version as the SQLServer.exe file (or
what is returned from the SQL Select command).
So, if you apply 317748 directly over a system patched against
SQLSlammer, you will regress it to a point where it will again be
vulnerable. However, we have it confirmed from Microsoft that if you
install 317748 on such a system, you will be prompted when it attempts
to replace the newer ssnetlib.dll with the older one in the patch. If
you answer "No" to overwriting the newer file, you'll get the updated
ssmslpcn.dll without regressing ssnetlib.dll.
This handle leak only occurs under very specific conditions which are
not common, so it may be of no effect. This also assumes you are not
going to install SQL SP3.
c) A new patch is coming for MSDE!
Well, there are two answers for this one;
i) There is likely going to be a new patch for AppCenter, but one hasn't
previously been released for this issue so it's not exactly new.
ii) There has been some discussion of a repacking of the MSDE patch...to
make it easier to install. It's unlikely it will contain any new binaries
(unless it happens there was a patch about to be released anyway).
Whatever happens, it will not be required to apply this new patch to be
protected from SQLSlammer...you can already be protected with the
patches that are currently available.
d) Cisco products were dramatically affected by SQLSlammer, some may
have amplified the effects of the worm.
Well, yes and no. Check out this graph, which demonstrates some of the
effect the worm had on networks in general;
http://www.research.att.com/~griffin/bgp_monitor/sql_worm.html
Cisco have said very little, apart from recommending that people patch,
block traffic, and disable logging of the blocked traffic. One quote
ascribed to Cisco;
"Symptoms that may be seen, detected and may be causing alerts on Cisco
devices include, but are not limited to high CPU and traffic drops on
the input interfaces."
Another comment they've made is that some Cisco products do use SQL
2000, such as Cisco Unity and Call Manager 3.3, however they say those
are running on hardened OS'. They do, however, state that those systems
should be patched also.
Overall, I would attribute problems with network devices, during this
attack, to volume overload. Amplification, if it in fact did occur, may
have occurred as a result of the way the box became unstable. If memory
was overrun as a result of the system being overloaded, the results
could vary dramatically.
...more when it becomes available...
Cheers,
Russ - Surgeon General of TruSecure Corporation/NTBugtraq Editor
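
Added example, not part of the original message: a small audit of the install-order point in item 2(b)(iv), checking ssnetlib.dll against the v8.00.636 threshold and modelling what hotfix 317748 (which carries v8.00.568) does to it depending on the answer to the overwrite prompt. The version figures come from the message; host names, inventory rows and function names are constructed for illustration.

```python
# Added example: version figures are the ones quoted in the message above;
# host names and inventory rows are constructed sample data.
SLAMMER_SAFE = (8, 0, 636)      # minimum ssnetlib.dll version per the message
Q317748_NETLIB = (8, 0, 568)    # ssnetlib.dll shipped inside hotfix 317748


def parse_version(text):
    """Turn 'v8.00.636' or '8.00.0636' into a comparable tuple (8, 0, 636)."""
    parts = text.strip().lstrip("vV").split(".")
    if len(parts) != 3 or not all(p.isdigit() for p in parts):
        raise ValueError(f"unrecognised version string: {text!r}")
    return tuple(int(p) for p in parts)


def is_protected(netlib_version):
    """Numeric compare; a string compare would rank '8.00.1000' below '8.00.636'."""
    return parse_version(netlib_version) >= SLAMMER_SAFE


def apply_317748(netlib_version, overwrite_newer):
    """Model the hotfix install: the older ssnetlib.dll replaces the installed
    one unless the file is newer and the operator answers 'No' to the prompt."""
    installed = parse_version(netlib_version)
    if installed > Q317748_NETLIB and not overwrite_newer:
        return installed            # ssmslpcn.dll updated, ssnetlib.dll kept
    return Q317748_NETLIB


def audit(inventory):
    """Return {host: finding} for rows of (host, ssnetlib version, answer)."""
    findings = {}
    for host, version, overwrite in inventory:
        after = apply_317748(version, overwrite)
        if after >= SLAMMER_SAFE:
            findings[host] = "protected"
        elif is_protected(version):
            findings[host] = "regressed by 317748"
        else:
            findings[host] = "vulnerable, apply a security bulletin after 317748"
    return findings


# Constructed inventory: (host, ssnetlib.dll version before 317748, answered "Yes"?)
SAMPLE = [
    ("sql-a", "8.00.636", False),
    ("sql-b", "8.00.636", True),
    ("sql-c", "v8.00.500", False),
]

if __name__ == "__main__":
    for host, finding in audit(SAMPLE).items():
        print(host, finding)
```

The version fed to this check has to be read from the ssnetlib.dll file itself, since the message notes it is not necessarily the version SQLServer.exe or a SQL Select reports.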