
Microsoft SQL Server Protections

Attack ID: CPAI-2004-03
Publish Date:
Last Update:
Category: Remote Code Execution, Denial of Service, Information gathering
Vulnerable Systems: Microsoft SQL Server 2000
Source: NGSSoftware
Description: Researchers at NGSSoftware have found multiple vulnerabilities in Microsoft's SQL server and SQL monitor service, which a potential attacker may exploit. These vulnerabilities give a malicious user the ability to run forbidden processes on the remote server or cause the server to reveal critical data, which may lead to the launch of other attacks.
Severity:
  By exploiting the discovered vulnerabilities, a malicious individual may launch a combined attack against a vulnerable SQL server: executing forbidden processes, executing arbitrary code that may give the attacker control of the server, causing a ping storm that results in denial of service, or making the server reveal information about itself.
Details:

The latest SmartDefense update provides protection against vulnerabilities in the UDP based Microsoft SQL Server 'monitor' service, including buffer overflows and heap overruns that were already exploited by worms such as the 'Slammer' worm. In addition, protection is given against an attack where an attacker can send spoof packets that may cause a packet storm in the network, causing a denial of service effect.

The update also provides several protections for the TCP based Microsoft SQL Server 'server' service, including blocking of command execution via 'xp_cmdshell' and 'sp_start_job' SQL commands. In addition, it provides protection against a common mis-configuration – a 'SA' administrator with no password – which is the default in many SQL Server installations.
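As an added illustration (not Check Point's code and not the SmartDefense implementation), a small Python inspector that applies the same checks to constructed packets: oversized instance-lookup requests and spoofed pings on UDP 1434, and blank-'SA' logins and blocked procedure names in TDS packets on TCP 1433. The SSRP opcode values and the LOGIN7 field offsets are assumptions taken from the public MC-SQLR and MS-TDS specifications, not from this advisory.

```python
import struct

MONITOR_PORT = 1434          # UDP: SQL Server 'monitor' (resolution) service
MAX_INSTANCE_NAME = 32       # SSRP instance names are at most 32 characters
BLOCKED_PROCS = ("xp_cmdshell", "sp_start_job")

def inspect_monitor_packet(payload: bytes, src_port: int) -> list:
    """Findings for one UDP/1434 datagram. Opcodes assumed from MC-SQLR:
    0x04 = instance lookup (the request Slammer overflowed), 0x0A = ping."""
    findings = []
    if not payload:
        return findings
    if payload[0] == 0x04 and len(payload) - 1 > MAX_INSTANCE_NAME:
        findings.append("buffer overflow based attack (Slammer-like)")
    if payload[0] == 0x0A and src_port == MONITOR_PORT:
        # A ping claiming to come from another monitor port: the spoofed
        # server-to-server exchange behind the packet-storm DoS.
        findings.append("network denial of service (spoofed ping)")
    return findings

def inspect_tds_packet(packet: bytes) -> list:
    """Findings for one TCP/1433 TDS packet (8-byte header, then body)."""
    findings = []
    if len(packet) < 8:
        return ["malformed packet"]
    kind, body = packet[0], packet[8:]
    if kind == 0x10:                         # LOGIN7 (TDS 7 login)
        if len(body) < 48:
            return ["login packet too short"]
        # OffsetLength table (assumed): ibUserName/cchUserName at 40,
        # ibPassword/cchPassword at 44; strings are UTF-16LE.
        ib_user, cch_user, ib_pass, cch_pass = struct.unpack_from("<4H", body, 40)
        user = body[ib_user:ib_user + 2 * cch_user].decode("utf-16-le", "replace")
        if user.lower() == "sa" and cch_pass == 0:
            findings.append("SA login attempt with blank password")
    elif kind == 0x01:                       # SQL batch, UTF-16LE text
        text = body.decode("utf-16-le", "replace").lower()
        findings += [f"{p} command detected" for p in BLOCKED_PROCS if p in text]
    return findings

def build_login7(user: str, password: str) -> bytes:
    """Constructed minimal LOGIN7 packet for testing: only the fields the
    inspector reads are filled in (real clients send many more)."""
    body = bytearray(94)                     # fixed part + OffsetLength table
    data = bytearray()
    for off, value in ((40, user), (44, password)):
        struct.pack_into("<HH", body, off, 94 + len(data), len(value))
        data += value.encode("utf-16-le")    # real passwords are also obfuscated
    body += data
    struct.pack_into("<I", body, 0, len(body))
    return bytes([0x10, 0x01]) + struct.pack(">H", 8 + len(body)) + b"\0\0\0\0" + bytes(body)

def build_batch(sql: str) -> bytes:
    """Constructed TDS SQL batch packet (TDS 7.0/7.1 layout, as SQL 2000 uses)."""
    body = sql.encode("utf-16-le")
    return bytes([0x01, 0x01]) + struct.pack(">H", 8 + len(body)) + b"\0\0\0\0" + body
```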

This update replaces and enhances CPSA-2003-09 [MS-SQL 2000 server protection] and is intended for FireWall-1 NG with Application Intelligence (R55) and InterSpect.

Attack Detection:

Using SmartView Tracker, users of VPN-1 NG with Application Intelligence R55 and later versions can identify attack attempts that execute illegal procedure commands or that arrive in packets containing illegal strings. The following log entries will be received:

Users of R55W and InterSpect:

Attack Name:
MS-SQL Monitor Protocol Enforcement Violation
Attack Information may vary according to the attack vector:

  • Slammer Buffer Overflow Based Attack Detected on Connection
  • Version Information Leak Detected on Connection
  • Heap Overflow Based Attack Detected on Connection
  • Network Denial of Service Based Attack Detected on Connection

Attack Name: MS-SQL Server Protocol Enforcement Violation
Attack Information may vary according to the attack vector:

  • Unsupported Enforcement Module Version, or Malformed Packet
  • xp_cmdshell Command Detected on Connection
  • sp_start_job Command Detected on Connection
  • Login Attempt With Blank Password Detected on Connection
  • Login Packet Too Short Detected on Connection
  • NTLM Authentication Packet Error Detected on Connection
  • Only Windows Authentication is Allowed
  • Login Packet Too Long Detected on Connection
  • Pre-Authentication Buffer Overflow Detected

Users of R55 will receive the following rules:

  • Rule 6991 – buffer overflow based attack (such as the Slammer worm)
  • Rule 6992 – version information leak
  • Rule 6993 – heap overflow based attack
  • Rule 6994 – network denial of service attack
  • Rule 6996 – unsupported enforcement module version, or malformed packet
  • Rule 6997 – sp_start_job command has been executed
  • Rule 6998 – xp_cmdshell has been executed
  • Rule 6999 – a 'SA' administrator login attempt with blank password
  • Rule 6995 – pre-authentication buffer overflow detected

MS-SQL monitor UDP traffic containing illegal packets is blocked according to the rule that allows UDP traffic on port 1434. For example, if rule number 3 allows traffic with the defined service MS_SQL_Monitor_SD, then illegal packets are dropped and logged under rule number 3. The same applies to the TCP packets of the MS-SQL server protocol on port 1433.

Solution:

Users of FireWall-1 NG with Application Intelligence R55, R55W and InterSpect can protect their Microsoft SQL Server 2000 servers against the described vulnerabilities by performing an update to the latest SmartDefense update.

Users of VPN-1 NG with Application Intelligence R55, and InterSpect should update their SmartDefense by clicking the Update Now button on the SmartDefense SmartDashboard General window.

Users of VPN-1 NG with Application Intelligence R55W should update their SmartDefense by clicking the Online Update button on the SmartDefense SmartDashboard General window.

The update will create new dynamic attack items in the SmartDefense tab, named 'MS-SQL Monitor protocol' and 'MS-SQL Server protocol', in which the different protections can be configured:

  • Monitor Only – the protection will not block the attack, but only produce a log (if logging was enabled)
  • Match on 'Any' – the protection will block the attacks on rules with 'Any' as their service, so there is no need to define services specifically for this protection.

For greater granularity, use the services that are defined as part of the update in the rulebase.

The newly defined services are MS-SQL-Monitor_SD and MS-SQL-Server_SD.

NOTE: This security enhancement is designed for use with FireWall-1 NG with Application Intelligence (R55) and InterSpect. Installing the above rules on modules with prior versions will result in MS-SQL traffic being blocked completely.

Industry Reference:
Additional Information: CPSA-2003-09