[NEWS] Microsoft SQL Server 2000 Vulnerabilities in Cisco Products

From: support@securiteam.com
Date: 01/29/03

  • Next message: support@securiteam.com: "[NEWS] SSH2 Clients Insecurely Store Passwords (AbsoluteTelnet, SecureCRT, Entunnel, SecureFx, and PuTTY)"
    From: support@securiteam.com
    To: list@securiteam.com
    Date: 29 Jan 2003 12:25:08 +0200
    
    

    The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com
    - - promotion

    Beyond Security would like to welcome Tiscali World Online
    to our service provider team.
    For more info on their service offering IP-Secure,
    please visit http://www.worldonline.co.za/services/work_ip.asp
    - - - - - - - - -

      Microsoft SQL Server 2000 Vulnerabilities in Cisco Products
    ------------------------------------------------------------------------

    SUMMARY

    This advisory describes a vulnerability that affects Cisco products and
    applications incorporating the use of the Microsoft SQL Server 2000 or the
    Microsoft SQL Server 2000 Desktop Engine (MSDE 2000).

    A number of vulnerabilities that have been discovered that enable an
    attacker to execute arbitrary code or perform a denial of service against
    the server. These vulnerabilities were discovered and publicly announced
    by Microsoft in their Microsoft Security Bulletins MS02-039, MS02-056, and
    MS02-061.

    All Cisco products and applications that are using unpatched Microsoft SQL
    Server 2000 or MSDE 2000 are vulnerable.

    DETAILS

    Affected Products:
    To determine if a product is vulnerable, review the list below. If the
    software versions or configuration information are provided, then only
    those combinations are vulnerable.

     * Cisco CallManager 3.3(x)
     * Cisco Unity 3.x, 4.x
     * Cisco Building Broadband Service Manager 5.0, 5.1

    No other Cisco product is currently known to be affected by this
    vulnerability.

    Details:
    Implementations of the Microsoft SQL Server 2000 and MSDE 2000 are
    vulnerable to buffer overflows and denial of service attacks. These
    vulnerabilities can be exploited to execute arbitrary code on a computer
    system or to disrupt normal operation of the server.

    The vulnerabilities have been described in more detail at:
     * <http://www.microsoft.com/technet/security/virus/alerts/slammer.asp>
    http://www.microsoft.com/technet/security/virus/alerts/slammer.asp
     * <http://www.microsoft.com/technet/security/bulletin/MS02-039.asp>
    http://www.microsoft.com/technet/security/bulletin/MS02-039.asp
     * <http://www.microsoft.com/technet/security/bulletin/MS02-056.asp>
    http://www.microsoft.com/technet/security/bulletin/MS02-056.asp
     * <http://www.microsoft.com/technet/security/bulletin/MS02-061.asp>
    http://www.microsoft.com/technet/security/bulletin/MS02-061.asp

    Impact:
    According to Microsoft, the vulnerabilities range from an attacker gaining
    additional privileges on a SQL server to gaining control over the SQL
    Server. Additionally the MS SQL "Sapphire" Worm is known to exploit this
    same vulnerability that can result in degraded network performance as the
    worm attempts to propagate.

    Software Versions and Fixes:
     * Cisco CallManager
    Customers running version 3.3(x) should install Cisco's cumulative SQL
    2000 Hotfix, SQL2K-MS02-061.exe, from the following location:
    <http://www.cisco.com/tacpage/sw-center/telephony/crypto/voice-apps/>
    http://www.cisco.com/tacpage/sw-center/telephony/crypto/voice-apps/.

     * Cisco Unity
    Customers should install the Microsoft SQL 2000 Service Pack 2 (SP2) and
    Security Rollup 1 (SRP1) "Q323875_SQL2000_SP2_en.EXE". Both are available
    on the Microsoft website at the following location:
    <http://support.microsoft.com/default.aspx?scid=kb;en-us;Q316333&sd=tech8\x1B\x2A\x3D\x39\x2C\x3D\x08\x2A\x37&quot; <br> &qhttp://support.microsoft.com/default.aspx?scid=kb;en-us;Q316333&sd=tech <br> <p><p>int main(int argc, char *argv[]) <br> { Software is now available on Cisco's website to patch BBSM 5.0 and 5.1.
    http://support.microsoft.com/default.aspx?scid=kb;en-us;Q316333&sd=tech <br> <p><p>int main(int argc, char *argv[]) <br> { Software is now available on Cisco's website to patch BBSM 5.0 and 5.1.

     * Cisco Building Broadband Service Manager
    Software is now available on Cisco's website to patch BBSM 5.0 and 5.1.
    Version 5.2 is not vulnerable.

    Before installing the security patch for this vulnerability, customers
    should install MSFIX1 and MSFIX2. Java Runtime 1.3.1 must also be
    installed after MSFIX1, but before MSFIX2.

    Java Runtime 1.3.1_06 is available here:
    <http://java.sun.com/j2se/1.3/download.html>
    http://java.sun.com/j2se/1.3/download.html

    The patch is available at this location:
     <http://www.cisco.com/public/sw-center/sw-netmgmt.shtml>
    http://www.cisco.com/public/sw-center/sw-netmgmt.shtml

    Instructions for installing service patches on BBSM can be found here:
     
    <http://www.cisco.com/univercd/cc/td/doc/product/aggr/bbsm/bbsm52/user/use52_05.htm#50416> http://www.cisco.com/univercd/cc/td/doc/product/aggr/bbsm/bbsm52/user/use52_05.htm#50416

    Obtaining Fixed Software:
    Where Cisco provides the operating system bundled with the product, Cisco
    is offering free software upgrades to address these vulnerabilities for
    all affected customers. Customers may only install and expect support for
    the feature sets they have purchased.

    Customers with service contracts should contact their regular update
    channels to obtain any software release containing the feature sets they
    have purchased. For most customers with service contracts, this means that
    upgrades should be obtained through the Software Center on Cisco's
    Worldwide Web site at <http://www.cisco.com/tacpage/sw-center/>
    http://www.cisco.com/tacpage/sw-center/.

    Customers whose Cisco products are provided or maintained through a prior
    or existing agreement with third-party support organizations such as Cisco
    Partners, authorized resellers, or service providers should contact that
    support organization for assistance with obtaining the free software
    upgrade(s).

    Customers who purchased directly from Cisco but who do not hold a Cisco
    service contract, and customers who purchase through third party vendors
    but are unsuccessful at obtaining fixed software through their point of
    sale, should obtain fixed software by contacting the Cisco Technical
    Assistance Center (TAC) using the contact information listed below. In
    these cases, customers are entitled to obtain an upgrade to a later
    version of the same release or as indicated by the applicable row in the
    Software Versions and Fixes table (noted above).

    Cisco TAC contacts are as follows:
     * +1 800 553 2447 (toll free from within North America)
     * +1 408 526 7209 (toll call from anywhere in the world)
     * e-mail: tac@cisco.com

    See <http://www.cisco.com/warp/public/687/Directory/DirTAC.shtml>
    http://www.cisco.com/warp/public/687/Directory/DirTAC.shtml for additional
    TAC contact information, including special localized telephone numbers and
    instructions and e-mail addresses for use in various languages.

    Please have your product serial number available and give the URL of this
    notice as evidence of your entitlement to a free upgrade.

    Please do not contact either "psirt@cisco.com" or
    "security-alert@cisco.com" for software upgrades.

    Workarounds:
    Cisco has published a companion document at
    <http://www.cisco.com/warp/public/707/cisco-sn-20030125-worm.shtml>
    http://www.cisco.com/warp/public/707/cisco-sn-20030125-worm.shtml that
    provides network-based workarounds to mitigate the effects of these
    vulnerabilities. Cisco also recommends applying the software based fixes
    to affected devices to completely resolve the vulnerability.

    ADDITIONAL INFORMATION

    The information has been provided by <mailto:psirt@cisco.com> Cisco
    Systems Product Security Incident Response Team.

    ========================================

    This bulletin is sent to members of the SecuriTeam mailing list.
    To unsubscribe from the list, send mail with an empty subject line and body to: list-unsubscribe@securiteam.com
    In order to subscribe to the mailing list, simply forward this email to: list-subscribe@securiteam.com

    ====================
    ====================

    DISCLAIMER:
    The information in this bulletin is provided "AS IS" without warranty of any kind.
    In no event shall we be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages.



    Relevant Pages