Home Page | Skip to Navigation | Skip to Content | Skip to Search | Skip to Footer

Update Protection against Microsoft SQL Server 'sp_replwritetovarbin' Stored Procedure Buffer Overflow Vulnerability

Subscribe

Check Point Reference: CPAI-2008-189
Date Published:
Severity:
Last Updated:
Source: Secunia Advisory: SA33034
Industry Reference(s): CVE-2008-5416
Protection Provided by: VPN-1
  • NGX R65
  • NGX R62
  • NGX R61
  • NGX R60
VSX
  • NGX R65
InterSpect
  • NGX
IPS-1
  • IPS-1
  • IPS-1 NGX R65
Who is Vulnerable?
Microsoft SQL Server 2000
Microsoft SQL Server 2005
Vulnerability Description
A buffer overflow vulnerability has been reported in Microsoft SQL Server. Microsoft SQL Server is a relational database management system (RDBMS). By sending a specially crafted SQL script to a target server, a remote attacker may trigger this vulnerability to execute arbitrary code on the affected system.
Vulnerability Details
The vulnerability is due to an error in the Microsoft SQL Server when calling the extended stored procedure sp_replwritetovarbin with a set of crafted parameters. To exploit this issue, an attacker may create a malicious script and send it to a target server, triggering memory overwrite. Successful exploitation would cause a denial of service and may allow execution of arbitrary code on a vulnerable system.

Protection Overview
By enabling this protection, SmartDefense will detect and block attempts to exploit this vulnerability.

In order for the protection to be activated, update your VPN-1 product to the latest SmartDefense update. For information on how to update SmartDefense, go to SBP-2006-05, Protection tab and select the version of your choice.

To configure the defense, select your product from the list below and follow the related protection steps.

VPN-1 NGX R65 & R62

How Can I Protect My Network?
1. In the SmartDefense tab, click Application Intelligence > MS-SQL.
2. Select the following protection:

MS-SQL Server sp_replwritetovarbin Stored Procedure Buffer Overflow

3. In the configuration pane, under Settings > Mode, check Active.
4. The default port for MS-RPC is TCP 1433. In order to configure the protection to run on a different port, click on Application Intelligence > MS-SQL > MS-SQL Server protocol. In the configuration pane, choose the desired "MS-SQL Server Port".
5. Install policy on all modules.

How Do I Know if My Network is Under Attack?
SmartView Tracker will log the following entries:

Attack Name: Microsoft SQL Server Protection Violation
Attack Information: MS-SQL server sp_replwritetovarbin stored procedure buffer overflow

VPN-1 NGX R61 & R60

How Can I Protect My Network?
1. In the SmartDefense tree, click Application Intelligence > MS-SQL.
2. Select the following:

MS-SQL Server sp_replwritetovarbin Stored Procedure Buffer Overflow

3. The default port for MS-RPC is TCP 1433. In order to configure the protection to run on a different port, click on Application Intelligence > MS-SQL > MS-SQL Server protocol. In the configuration pane, choose the desired "MS-SQL Server Port".
4. Install policy on all modules.

How Do I Know if My Network is Under Attack?
SmartView Tracker will log the following entries:

Attack Name: Microsoft SQL Server Protection Violation
Attack Information: MS-SQL server sp_replwritetovarbin stored procedure buffer overflow

VPN-1 VSX NGX R65

How Can I Protect My Network?
1. In the SmartDefense tab, click Application Intelligence > MS-SQL.
2. Select the following protection:

MS-SQL Server sp_replwritetovarbin Stored Procedure Buffer Overflow

3. In the configuration pane, under Settings > Mode, check Active.
4. The default port for MS-RPC is TCP 1433. In order to configure the protection to run on a different port, click on Application Intelligence > MS-SQL > MS-SQL Server protocol. In the configuration pane, choose the desired "MS-SQL Server Port".
5. Install policy on all modules.

How Do I Know if My Network is Under Attack?
SmartView Tracker will log the following entries:

Attack Name: Microsoft SQL Server Protection Violation
Attack Information: MS-SQL server sp_replwritetovarbin stored procedure buffer overflow

InterSpect NGX

How Can I Protect My Network?
1. In the left pane, select Profiles > Default Protection and select the SmartDefense page of the profile.
2. In the SmartDefense tree, click Application Intelligence > MS-SQL.
3. Select the following:

MS-SQL Server sp_replwritetovarbin Stored Procedure Buffer Overflow

4. The default port for MS-RPC is TCP 1433. In order to configure the protection to run on a different port, click on Application Intelligence > MS-SQL > MS-SQL Server protocol. In the configuration pane, choose the desired "MS-SQL Server Port".
5. Install policy on all modules.

How Do I Know if My Network is Under Attack?
SmartView Tracker will log the following entries:

Attack Name: Microsoft SQL Server Protection Violation
Attack Information: MS-SQL server sp_replwritetovarbin stored procedure buffer overflow

IPS-1 & IPS-1 NGX R65

How Can I Protect My Network?
1. In the IPS-1 Policy Manager, click on the Protection tab.
2. In the Protection tree, click Application Intelligence > MS SQL, and select the SqlServer2000 protection group. 3. Click Mssql Stored Procedure Buffer Overflow (IPS-1 NGX R65 only).
4. In the configuration pane, under Settings, check Active.
5. Click on Install Policy.

How Do I Know if My Network is Under Attack?
Upon attack, the following entry will be logged:

Alert Name: Sqlserver 2k overflow detector
Description: Mssql Stored Procedure Buffer Overflow