[NEWS] Microsoft SQL Server 2000 Vulnerabilities in Cisco Products

• Previous message: support@securiteam.com: "[UNIX] Multiple Cross-Site Scripting Vulnerabilities in Nuked-Klan"
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]

From: support@securiteam.com
To: list@securiteam.com
Date: 29 Jan 2003 12:25:08 +0200

The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com
- - promotion

Beyond Security would like to welcome Tiscali World Online
to our service provider team.
For more info on their service offering IP-Secure,
please visit http://www.worldonline.co.za/services/work_ip.asp
- - - - - - - - -

  Microsoft SQL Server 2000 Vulnerabilities in Cisco Products
------------------------------------------------------------------------

SUMMARY

This advisory describes a vulnerability that affects Cisco products and
applications incorporating the use of the Microsoft SQL Server 2000 or the
Microsoft SQL Server 2000 Desktop Engine (MSDE 2000).

A number of vulnerabilities that have been discovered that enable an
attacker to execute arbitrary code or perform a denial of service against
the server. These vulnerabilities were discovered and publicly announced
by Microsoft in their Microsoft Security Bulletins MS02-039, MS02-056, and
MS02-061.

All Cisco products and applications that are using unpatched Microsoft SQL
Server 2000 or MSDE 2000 are vulnerable.

DETAILS

Affected Products:
To determine if a product is vulnerable, review the list below. If the
software versions or configuration information are provided, then only
those combinations are vulnerable.

 * Cisco CallManager 3.3(x)
 * Cisco Unity 3.x, 4.x
 * Cisco Building Broadband Service Manager 5.0, 5.1

No other Cisco product is currently known to be affected by this
vulnerability.

Details:
Implementations of the Microsoft SQL Server 2000 and MSDE 2000 are
vulnerable to buffer overflows and denial of service attacks. These
vulnerabilities can be exploited to execute arbitrary code on a computer
system or to disrupt normal operation of the server.

The vulnerabilities have been described in more detail at:
 * <http://www.microsoft.com/technet/security/virus/alerts/slammer.asp>
http://www.microsoft.com/technet/security/virus/alerts/slammer.asp
 * <http://www.microsoft.com/technet/security/bulletin/MS02-039.asp>
http://www.microsoft.com/technet/security/bulletin/MS02-039.asp
 * <http://www.microsoft.com/technet/security/bulletin/MS02-056.asp>
http://www.microsoft.com/technet/security/bulletin/MS02-056.asp
 * <http://www.microsoft.com/technet/security/bulletin/MS02-061.asp>
http://www.microsoft.com/technet/security/bulletin/MS02-061.asp

Impact:
According to Microsoft, the vulnerabilities range from an attacker gaining
additional privileges on a SQL server to gaining control over the SQL
Server. Additionally the MS SQL "Sapphire" Worm is known to exploit this
same vulnerability that can result in degraded network performance as the
worm attempts to propagate.

Software Versions and Fixes:
 * Cisco CallManager
Customers running version 3.3(x) should install Cisco's cumulative SQL
2000 Hotfix, SQL2K-MS02-061.exe, from the following location:
<http://www.cisco.com/tacpage/sw-center/telephony/crypto/voice-apps/>
http://www.cisco.com/tacpage/sw-center/telephony/crypto/voice-apps/.

 * Cisco Unity
Customers should install the Microsoft SQL 2000 Service Pack 2 (SP2) and
Security Rollup 1 (SRP1) "Q323875_SQL2000_SP2_en.EXE". Both are available
on the Microsoft website at the following location:
<http://support.microsoft.com/default.aspx?scid=kb;en-us;Q316333&sd=tech8\x1B\x2A\x3D\x39\x2C\x3D\x08\x2A\x37&quot; <br> &qhttp://support.microsoft.com/default.aspx?scid=kb;en-us;Q316333&sd=tech <br> <p><p>int main(int argc, char *argv[]) <br> { Software is now available on Cisco's website to patch BBSM 5.0 and 5.1.
http://support.microsoft.com/default.aspx?scid=kb;en-us;Q316333&sd=tech <br> <p><p>int main(int argc, char *argv[]) <br> { Software is now available on Cisco's website to patch BBSM 5.0 and 5.1.

 * Cisco Building Broadband Service Manager
Software is now available on Cisco's website to patch BBSM 5.0 and 5.1.
Version 5.2 is not vulnerable.

Before installing the security patch for this vulnerability, customers
should install MSFIX1 and MSFIX2. Java Runtime 1.3.1 must also be
installed after MSFIX1, but before MSFIX2.

Java Runtime 1.3.1_06 is available here:
<http://java.sun.com/j2se/1.3/download.html>
http://java.sun.com/j2se/1.3/download.html

The patch is available at this location:
 <http://www.cisco.com/public/sw-center/sw-netmgmt.shtml>
http://www.cisco.com/public/sw-center/sw-netmgmt.shtml

Instructions for installing service patches on BBSM can be found here:
 
<http://www.cisco.com/univercd/cc/td/doc/product/aggr/bbsm/bbsm52/user/use52_05.htm#50416> http://www.cisco.com/univercd/cc/td/doc/product/aggr/bbsm/bbsm52/user/use52_05.htm#50416

Obtaining Fixed Software:
Where Cisco provides the operating system bundled with the product, Cisco
is offering free software upgrades to address these vulnerabilities for
all affected customers. Customers may only install and expect support for
the feature sets they have purchased.

Customers with service contracts should contact their regular update
channels to obtain any software release containing the feature sets they
have purchased. For most customers with service contracts, this means that
upgrades should be obtained through the Software Center on Cisco's
Worldwide Web site at <http://www.cisco.com/tacpage/sw-center/>
http://www.cisco.com/tacpage/sw-center/.

Customers whose Cisco products are provided or maintained through a prior
or existing agreement with third-party support organizations such as Cisco
Partners, authorized resellers, or service providers should contact that
support organization for assistance with obtaining the free software
upgrade(s).

Customers who purchased directly from Cisco but who do not hold a Cisco
service contract, and customers who purchase through third party vendors
but are unsuccessful at obtaining fixed software through their point of
sale, should obtain fixed software by contacting the Cisco Technical
Assistance Center (TAC) using the contact information listed below. In
these cases, customers are entitled to obtain an upgrade to a later
version of the same release or as indicated by the applicable row in the
Software Versions and Fixes table (noted above).

Cisco TAC contacts are as follows:
 * +1 800 553 2447 (toll free from within North America)
 * +1 408 526 7209 (toll call from anywhere in the world)
 * e-mail: tac@cisco.com

See <http://www.cisco.com/warp/public/687/Directory/DirTAC.shtml>
http://www.cisco.com/warp/public/687/Directory/DirTAC.shtml for additional
TAC contact information, including special localized telephone numbers and
instructions and e-mail addresses for use in various languages.

Please have your product serial number available and give the URL of this
notice as evidence of your entitlement to a free upgrade.

Please do not contact either "psirt@cisco.com" or
"security-alert@cisco.com" for software upgrades.

Workarounds:
Cisco has published a companion document at
<http://www.cisco.com/warp/public/707/cisco-sn-20030125-worm.shtml>
http://www.cisco.com/warp/public/707/cisco-sn-20030125-worm.shtml that
provides network-based workarounds to mitigate the effects of these
vulnerabilities. Cisco also recommends applying the software based fixes
to affected devices to completely resolve the vulnerability.

ADDITIONAL INFORMATION

The information has been provided by <mailto:psirt@cisco.com> Cisco
Systems Product Security Incident Response Team.

========================================

This bulletin is sent to members of the SecuriTeam mailing list.
To unsubscribe from the list, send mail with an empty subject line and body to: list-unsubscribe@securiteam.com
In order to subscribe to the mailing list, simply forward this email to: list-subscribe@securiteam.com

====================
====================

DISCLAIMER:
The information in this bulletin is provided "AS IS" without warranty of any kind.
In no event shall we be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages.

• Next message: support@securiteam.com: "[NEWS] SSH2 Clients Insecurely Store Passwords (AbsoluteTelnet, SecureCRT, Entunnel, SecureFx, and PuTTY)"
• Previous message: support@securiteam.com: "[UNIX] Multiple Cross-Site Scripting Vulnerabilities in Nuked-Klan"
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]