__________________________________________________________ The U.S. Department of Energy Computer Incident Advisory Center ___ __ __ _ ___ / | /_\ / \___ __|__ / \ \___ __________________________________________________________ INFORMATION BULLETIN Microsoft SQL Server Remote Data Source Function Contains Unchecked Buffers [Microsoft Security Bulletin MS02-007] February 21, 2002 19:00 GMT Number M-044 ______________________________________________________________________________ PROBLEM: An unchecked buffer exists in the handling of OLE DB provider, which are low-level data source providers, in ad hoc connections. A buffer overrun could occur. PLATFORM: Microsoft SQL Server 7.0 and 2000 DAMAGE: If exploited, an attacker could cause the SQL Server service to fail or cause code to run in the security context of the SQL Server. SOLUTION: Apply available patch ______________________________________________________________________________ VULNERABILITY The risk is MEDIUM. Exploiting this vulnerability would depend ASSESSMENT: on specific configuration of the SQL Server service. If the rule of least privilege has been followed, it would minimize the amount of damage an attacker could achive. ______________________________________________________________________________ LINKS: CIAC BULLETIN: http://www.ciac.org/ciac/bulletins/m-044.shtml ORIGINAL BULLETIN: http://www.microsoft.com/technet/security/bulletin/MS02-007.asp PATCHES: http://support.microsoft.com/support/misc/kblookup.asp?id=Q318268 http://support.microsoft.com/support/misc/kblookup.asp?id=Q316333 ______________________________________________________________________________ [***** Start Microsoft Security Bulletin MS02-007 *****] Microsoft Security Bulletin MS02-007 SQL Server Remote Data Source Function Contain Unchecked Buffers Originally posted: February 20, 2002 Summary Who should read this bulletin: Database administrators using Microsoft® SQL Server™. Impact of vulnerability: Run code of attacker's choice on server Maximum Severity Rating: Moderate Recommendation: Apply the SQL Server patch immediately to affected systems Affected Software: Microsoft SQL Server 7.0 Microsoft SQL Server 2000 Technical details Technical description: One of the features of Structured Query Language (SQL) in SQL Server 7.0 and 2000 is the ability to connect to remote data sources. One capability of this feature is the ability to use "ad hoc" connections to connect to remote data sources without setting up a linked server for less-often used data-sources. This is made possible through the use of OLE DB providers, which are low-level data source providers. This capability is made possible by invoking the OLE DB provider directly by name in a query to connect to the remote data source. An unchecked buffer exists in the handling of OLE DB provider names in ad hoc connections. A buffer overrun could occur as a result and could be used to either cause the SQL Server service to fail, or to cause code to run in the security context of the SQL Server. SQL Server can be configured to run in various security contexts, and by default runs as a domain user. The precise privileges the attacker could gain would depend on the specific security context that the service runs in. An attacker could exploit this vulnerability in one of two ways. They could attempt to load and execute a database query that calls one of the affected functions. Conversely, if a web-site or other database front-end were configured to access and process arbitrary queries, it could be possible for an attacker to provide inputs that would cause the query to call one of the functions in question with the appropriate malformed parameters. Mitigating factors: The effect of exploiting the vulnerability would depend on the specific configuration of the SQL Server service. SQL Server can be configured to run in a security context chosen by the administrator. By default, this context is as a domain user. If the rule of least privilege has been followed, it would minimize the amount of damage an attacker could achieve. Both vectors for exploiting the vulnerability could be blocked by following best practices. Specifically, untrusted users should not be able to load and execute queries of their choice on a database server. In addition, publicly accessible database queries should filter all inputs prior to processing. Severity Rating: Internet Servers Intranet Servers Client Systems SQL Server 7.0 Moderate Moderate Moderate SQL Server 2000 Moderate Moderate Moderate The above assessment is based on the types of systems affected by the vulnerability, their typical deployment patterns, and the effect that exploiting the vulnerability would have on them. While the vulnerability could potentially allow an attacker to run code on the server, best practices should limit the ability to exploit the vulnerability and the damage that could be achieved by a successful attack. Vulnerability identifier: CAN-2002-0056 Tested Versions: Microsoft tested SQL Server 7.0 and 2000 to assess whether they are affected by these vulnerabilities. Previous versions are no longer supported, and may or may not be affected by these vulnerabilities. Patch availability Download locations for this patch SQL Server 7.0: The patch for this issue is available in the SQL Server 7.0 Cumulative Security patch at http://support.microsoft.com/support/misc/kblookup.asp?id=Q318268 SQL Server 2000: The patch for this issue is available in the SQL Server 2000 Cumulative Security patch at http://support.microsoft.com/support/misc/kblookup.asp?id=Q316333 Additional information about this patch Installation platforms: The SQL Server 7.0 patch can be installed on systems running SQL Server 7.0 Service Pack 3. The SQL Server 2000 patch can be installed on systems running SQL Server 2000 Service Pack 2. Inclusion in future service packs: SQL Server 7.0 Service Pack 4 SQL Server 2000 Service Pack 3. Reboot needed: No. The SQL Server service only needs to be restarted after applying the patch. Superseded patches: MS01-060 Verifying patch installation: SQL Server 7.0: To ensure that you have properly installed the fix, run the following command from the command prompt: "SELECT @@VERSION" (without the quotation marks) If the patch has been correctly installed, the resulting output will indicate the version number as "SQL Server 7.00 - 7.00.1021" or greater. To verify the individual files, consult the date/time stamp of the files listed in the file manifest in Microsoft Knowledge Base article Q317979. SQL Server 2000: To ensure that you have properly installed the fix, run the following command from the command prompt: "SELECT @@VERSION" (without the quotation marks) If the patch has been correctly installed, the resulting output will indicate the version number as "SQL Server 8.00 - 8.00.0578" or greater. To verify the individual files, consult the date/time stamp of the files listed in the file manifest in Microsoft Knowledge Base article Q317979. Caveats: None Localization: The patches can be applied to all supported SQL Server languages. Localized Readme.txt files are included in the packages for installation instructions in all supported languages. Obtaining other security patches: Patches for other security issues are available from the following locations: Security patches are available from the Microsoft Download Center, and can be most easily found by doing a keyword search for "security_patch". Patches for consumer platforms are available from the WindowsUpdate web site All patches available via WindowsUpdate also are available in a redistributable form from the WindowsUpdate Corporate site. Other information: Support: Microsoft Knowledge Base article Q317979 discusses this issue and will be available approximately 24 hours after the release of this bulletin. Knowledge Base articles can be found on the Microsoft Online Support web site. Technical support is available from Microsoft Product Support Services. There is no charge for support calls associated with security patches. Security Resources: The Microsoft TechNet Security Web Site provides additional information about security in Microsoft products. Disclaimer: The information provided in the Microsoft Knowledge Base is provided "as is" without warranty of any kind. Microsoft disclaims all warranties, either express or implied, including the warranties of merchantability and fitness for a particular purpose. In no event shall Microsoft Corporation or its suppliers be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages, even if Microsoft Corporation or its suppliers have been advised of the possibility of such damages. Some states do not allow the exclusion or limitation of liability for consequential or incidental damages so the foregoing limitation may not apply. Revisions: V1.0 (February 20, 2002): Bulletin Created. [***** End Microsoft Security Bulletin MS02-007 *****] _______________________________________________________________________________ CIAC wishes to acknowledge the contributions of Microsoft for the information contained in this bulletin. _______________________________________________________________________________ CIAC, the Computer Incident Advisory Center, is the computer security incident response team for the U.S. Department of Energy (DOE) and the emergency backup response team for the National Institutes of Health (NIH). CIAC is located at the Lawrence Livermore National Laboratory in Livermore, California. CIAC is also a founding member of FIRST, the Forum of Incident Response and Security Teams, a global organization established to foster cooperation and coordination among computer security teams worldwide. CIAC services are available to DOE, DOE contractors, and the NIH. CIAC can be contacted at: Voice: +1 925-422-8193 (7x24) FAX: +1 925-423-8002 STU-III: +1 925-423-2604 E-mail: ciac@ciac.org Previous CIAC notices, anti-virus software, and other information are available from the CIAC Computer Security Archive. World Wide Web: http://www.ciac.org/ Anonymous FTP: ftp.ciac.org PLEASE NOTE: Many users outside of the DOE, ESnet, and NIH computing communities receive CIAC bulletins. If you are not part of these communities, please contact your agency's response team to report incidents. Your agency's team will coordinate with CIAC. The Forum of Incident Response and Security Teams (FIRST) is a world-wide organization. A list of FIRST member organizations and their constituencies can be obtained via WWW at http://www.first.org/. This document was prepared as an account of work sponsored by an agency of the United States Government. Neither the United States Government nor the University of California nor any of their employees, makes any warranty, express or implied, or assumes any legal liability or responsibility for the accuracy, completeness, or usefulness of any information, apparatus, product, or process disclosed, or represents that its use would not infringe privately owned rights. Reference herein to any specific commercial products, process, or service by trade name, trademark, manufacturer, or otherwise, does not necessarily constitute or imply its endorsement, recommendation or favoring by the United States Government or the University of California. The views and opinions of authors expressed herein do not necessarily state or reflect those of the United States Government or the University of California, and shall not be used for advertising or product endorsement purposes. LAST 10 CIAC BULLETINS ISSUED (Previous bulletins available from CIAC) M-034: Window File Wiping Utilities Miss Alternate Data Streams M-035: Red Hat Linux "rsync" Vulnerability M-036: Microsoft Windows NT/2000 Trust Domain Vulnerability M-037: Oracle 9iAS Multiple Buffer Overflows in the PL/SQL Module M-038: Cisco Secure Access Control Server NDS User Authentication Vulnerability M-039: Microsoft Telnet Server Buffer Overflow Vulnerability M-040: MS Exchange - Incorrectly Sets Remote Registry Permissions M-041: Microsoft Internet Explorer Cumulative Patch M-042: Multiple Vulnerabilities in Multiple Implementations of SNMP M-043: Hewlett-Packard Buffer Overflow in Telnet Server Vulnerability