Download Sql Slammer Patch Microsoft




Patch management took center stage earlier this year following the SQL Slammer worm, which spread quickly by exploiting a known vulnerability in Microsoft SQL Server 2000. Microsoft had released a.


Security Bulletin

Buffer Overruns in SQL Server 2000 Resolution Service Could Enable Code Execution (Q323875)

Published: July 24, 2002 | Updated: January 31, 2003

Version: 1.2

Originally posted: July 24, 2002

Updated: January 31, 2003

Summary

Who should read this bulletin: System administrators using Microsoft® SQL Server™ 2000 and Microsoft Desktop Engine 2000.

Impact of vulnerability: Three vulnerabilities, the most serious of which could enable an attacker to gain control over an affected server.

Maximum Severity Rating: Critical

Recommendation: System administrators should install the patch immediately.

Note: The patch released with this bulletin is effective in protecting SQL Server 2000 and MSDE 2000 against the 'SQL Slammer' worm virus. However, this patch has been superseded by the patch released with MS02-061 which contains fixes for additional security vulnerabilities in these products. Microsoft recommends that SQL 2000 and MSDE 2000 customers apply the patch from MS02-061.

Affected Software:

  • Microsoft SQL Server 2000
  • Microsoft Desktop Engine (MSDE) 2000

General Information

Technical details

Technical description:

This security patch does not contain a patch from Microsoft Knowledge Base Article 317748 that is required to ensure normal operation of SQL Server 2000 and MSDE 2000. If you have applied this security patch to a SQL Server 2000 or MSDE 2000 installation prior to applying the hotfix from Microsoft Knowledge Base article 317748, you must answer 'no' if and when prompted to overwrite files to ensure that you do not overwrite files from the security patch.

SQL Server 2000 and MSDE 2000 introduce the ability to host multiple instances of SQL Server on a single physical machine. Each instance operates for all intents and purposes as though it was a separate server. However, the multiple instances cannot all use the standard SQL Server session port (TCP 1433). While the default instance listens on TCP port 1433, named instances listen on any port assigned to them. The SQL Server Resolution Service, which operates on UDP port 1434, provides a way for clients to query for the appropriate network endpoints to use for a particular SQL Server instance.

There are three security vulnerabilities here. The first two are buffer overruns. By sending a carefully crafted packet to the Resolution Service, an attacker could cause portions of system memory (the heap in one case, the stack in the other) to be overwritten. Overwriting it with random data would likely result in the failure of the SQL Server service; overwriting it with carefully selected data could allow the attacker to run code in the security context of the SQL Server service.

The third vulnerability is a denial of service vulnerability. SQL uses a keep-alive mechanism to distinguish between active and passive instances. It is possible to create a keep-alive packet that, when sent to the Resolution Service, will cause SQL Server 2000 to respond with the same information. An attacker who created such a packet, spoofed the source address so that it appeared to come from one SQL Server 2000 system, and sent it to a neighboring SQL Server 2000 system could cause the two systems to enter a never-ending cycle of keep-alive packet exchanges. This would consume resources on both systems, slowing performance considerably.

Mitigating factors:

Buffer Overruns in SQL Server Resolution Service:

  • SQL Server 2000 runs in a security context chosen by the administrator at installation time. By default, it runs as a Domain User. Thus, although the attacker's code could take any desired action on the database, it would not necessarily have significant privileges at the operating system level if best practices have been followed.
  • The risk posed by the vulnerability could be mitigated by, if feasible, blocking port 1434 at the firewall.

Denial of Service via SQL Server Resolution Service:

  • An attack could be broken off by restarting the SQL Server 2000 service on either of the affected systems. Normal processing on both systems would resume once the attack ceased.
  • The vulnerability provides no way to gain any privileges on the system. It is a denial of service vulnerability only.

Severity Rating:

Buffer Overruns in SQL Server Resolution Service:

                   Internet Servers   Intranet Servers   Client Systems
SQL Server 2000    Critical           Critical           None

Denial of Service via SQL Server Resolution Service:

                   Internet Servers   Intranet Servers   Client Systems
SQL Server 2000    Critical           Critical           None

The above assessment is based on the types of systems affected by the vulnerability, their typical deployment patterns, and the effect that exploiting the vulnerability would have on them.

Vulnerability identifier:

  • Buffer Overruns in SQL Server Resolution Service: CVE-CAN-2002-0649
  • Denial of Service via SQL Server Resolution Service: CVE-CAN-2002-0650

Tested Versions:

Microsoft tested SQL Server 2000 and 7.0 (and their associated versions of MSDE) to assess whether they are affected by these vulnerabilities. Previous versions are no longer supported, and may or may not be affected by these vulnerabilities.

Frequently asked questions

What is the correct order for installing this patch in conjunction with the hotfix discussed in 317748?
This security patch does not contain a patch from Knowledge Base Article 317748 that is required to ensure normal operation of SQL Server 2000 and MSDE 2000. The correct order of installation is to install the 317748 patch and then this security patch. If you have applied this security patch to a SQL Server 2000 or MSDE 2000 installation prior to applying the hotfix from Knowledge Base article 317748, you must answer 'no' if and when prompted to overwrite files to ensure that you do not overwrite files from the security patch.

How do I check I've got this security patch installed?
You should verify that the version of ssnetlib.dll in the MSSQL\BINN folder for the instance you applied the patch for is: 2000.80.636.0. If the version of ssnetlib.dll in the MSSQL\BINN folder is less than 2000.80.636.0, then you will need to re-apply the security patch. However, Microsoft recommends that you apply the latest security patch as described in MS02-061, since this contains fixes for additional security vulnerabilities in these products.

What vulnerabilities does this patch eliminate?
This patch eliminates three vulnerabilities, all involving the SQL Server 2000 Resolution Service:

  • The first two vulnerabilities could enable an attacker to gain significant, and perhaps complete, control over an affected SQL Server.
  • The third vulnerability could enable an attacker to cause two affected SQL Servers to engage in a never-ending information exchange, for the purpose of slowing the performance of the servers.

What is the SQL Server 2000 Resolution Service?
SQL Server 2000 introduces the ability to install multiple copies of SQL Server on a single machine and have it appear that the copies are completely separate database servers. These copies, known as instances, run independently of each other. The default instance listens on TCP port 1433. Other instances cannot share this same port and require a port of their own. The challenge is how to enable SQL Server clients to find the port that a particular instance is operating on; the solution is the SQL Server Resolution Service. The first instance on a SQL Server always operates over port 1433. Additional instances are allocated their own port numbers dynamically. When a SQL client needs to connect to an additional instance on the SQL Server, it queries the SQL Server Resolution Service (which operates on UDP port 1434), which tells it which port the requested instance is using.

Is the UDP 1434 port typically blocked at the firewall?
It depends on the particular deployment scenario.

  • If a network doesn't host any Internet-connected SQL Servers, the port associated with the SQL Server Resolution Service (and all other ports associated with SQL Server) should be blocked.
  • If a network offers SQL Server services to the Internet but there's only a single instance on the server, the SQL Resolution Service can and should be blocked.
  • If a network offers SQL Server services to the Internet and has more than one instance, the SQL Resolution Service must be accessible through the firewall.
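The three deployment rules above can be checked against what a perimeter firewall actually lets through. The following is an added example, not part of the bulletin: the log format, the inventory and all addresses are constructed, and the `SqlHost` type and function names are hypothetical.

```python
import re
from collections import Counter
from dataclasses import dataclass

RESOLUTION_PORT = 1434  # UDP port of the SQL Server Resolution Service


@dataclass(frozen=True)
class SqlHost:
    ip: str
    internet_facing: bool  # does the network offer this server to the Internet?
    instances: int         # number of SQL Server instances on the machine


def must_expose_1434(host: SqlHost) -> bool:
    """FAQ rule: UDP 1434 has to pass the firewall only for an
    Internet-facing server running more than one instance."""
    return host.internet_facing and host.instances > 1


# Hypothetical inbound perimeter log format (an assumption of this example):
#   <time> <ALLOW|DENY> <proto> <src>:<port> -> <dst>:<port>
LOG_RE = re.compile(
    r"^(?P<time>\S+) (?P<action>ALLOW|DENY) (?P<proto>\w+) "
    r"(?P<src>[\d.]+):(?P<sport>\d+) -> (?P<dst>[\d.]+):(?P<dport>\d+)$"
)


def audit_firewall_log(lines, inventory):
    """Count allowed inbound UDP/1434 packets that the FAQ says to block.

    Returns {(destination_ip, reason): packet_count}.
    """
    by_ip = {h.ip: h for h in inventory}
    findings = Counter()
    for line in lines:
        m = LOG_RE.match(line.strip())
        if not m:
            continue  # not in the expected format
        if m["proto"].upper() != "UDP" or int(m["dport"]) != RESOLUTION_PORT:
            continue  # only the Resolution Service port is in scope
        if m["action"] != "ALLOW":
            continue  # already blocked
        host = by_ip.get(m["dst"])
        if host is None:
            # Traffic reaches a listener nobody has inventoried.
            findings[(m["dst"], "not-in-inventory")] += 1
        elif not must_expose_1434(host):
            reason = "single-instance" if host.internet_facing else "not-internet-facing"
            findings[(m["dst"], reason)] += 1
    return dict(findings)


# Constructed inventory and log lines (documentation address ranges).
INVENTORY = [
    SqlHost("192.0.2.10", internet_facing=True, instances=1),
    SqlHost("192.0.2.20", internet_facing=True, instances=3),
    SqlHost("192.0.2.30", internet_facing=False, instances=2),
]
SAMPLE_LOG = [
    "2003-01-25T05:31:02Z ALLOW UDP 198.51.100.7:40211 -> 192.0.2.10:1434",
    "2003-01-25T05:31:02Z ALLOW UDP 198.51.100.7:40212 -> 192.0.2.20:1434",
    "2003-01-25T05:31:03Z DENY UDP 203.0.113.9:1045 -> 192.0.2.30:1434",
    "2003-01-25T05:31:03Z ALLOW UDP 203.0.113.9:1046 -> 192.0.2.44:1434",
    "2003-01-25T05:31:04Z ALLOW TCP 198.51.100.7:40213 -> 192.0.2.10:1433",
    "2003-01-25T05:31:05Z ALLOW UDP 203.0.113.50:2001 -> 192.0.2.10:1434",
    "2003-01-25T05:31:06Z ALLOW UDP 198.51.100.8:999 -> 192.0.2.30:1434",
]

if __name__ == "__main__":
    for (dst, reason), count in sorted(audit_firewall_log(SAMPLE_LOG, INVENTORY).items()):
        print(f"{dst}: {count} allowed UDP/1434 packet(s), {reason}")
```

Only 192.0.2.20, the multi-instance Internet-facing server, is expected to receive UDP 1434 from outside; every other destination in the result is a rule to tighten.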

Does the SQL Server Resolution Service exist on previous versions of SQL Server?
No. Previous versions of SQL Server didn't support multiple instances, and the SQL Server Resolution Service didn't exist. As a result, no other versions of SQL Server are affected by the vulnerabilities.

The Affected Versions section says that Microsoft Desktop Engine (MSDE) is also affected by these vulnerabilities. What is MSDE?
MSDE is a database engine that's built and based on SQL Server 2000 technology, and which ships as part of several Microsoft products, including Microsoft Visual Studio and Microsoft Office Developer Edition. There is a direct connection between versions of MSDE and versions of SQL Server. MSDE 2000 is based on SQL Server 2000.

Buffer Overruns in SQL Server Resolution Service (CVE-CAN-2002-0649):

What's the scope of this vulnerability?
There are actually two vulnerabilities here, both of which are buffer overrun vulnerabilities. An attacker who successfully exploited either vulnerability could gain the ability to cause the server to fail, or to run code using the privileges of the SQL Server. Although exploiting the vulnerabilities would grant the attacker full control over the database, it would not necessarily convey full control over the system itself. SQL Server 2000 can be configured to run with varying levels of privilege; by default, it runs with the privileges of a domain user, rather than an administrator.

What causes the vulnerabilities?
The vulnerabilities result because a pair of functions offered by the SQL Server Resolution Service contain unchecked buffers. By sending a specially formatted request to UDP port 1434, it could be possible to overrun the buffers associated with either of the functions.

What would this vulnerability enable an attacker to do?
The vulnerability could enable an attacker to take either of two actions:

  • Cause SQL Server to fail. This would be the easiest type of attack to mount, and would require only that the attacker overrun the buffer with random data.
  • Modify the functioning of SQL Server, in order to perform functions of the attacker's choosing. This would require that the attacker overrun the buffer with precisely chosen data.

Who could exploit the vulnerability?
Any user who could deliver a request to the SQL Server (over UDP port 1434) on an affected server could exploit the vulnerability.

If the attacker exploited the vulnerability to cause SQL Server to fail, what would the administrator need to do in order to restore normal operation?
The administrator could resume normal operation by restarting the SQL Server service.

If the attacker exploited the vulnerability to cause SQL Server to perform functions of his choice, what privileges would the attacker's code run in?
Clearly, the attacker's code would have full control over the database functions, since it would run in the security context of SQL Server itself. But it might have few privileges outside of SQL Server. During SQL Server 2000 setup, the administrator must choose what Windows account SQL Server should run within. By default, the SQL Server service runs as a Domain User. If best practices were followed and a normal user context was chosen, the attacker would not gain administrative control over the operating system, nor administrative privileges over the domain.

How does the patch eliminate the vulnerabilities?
The patch ensures that the SQL Server Resolution Service correctly limits the size of input data and prevents it from overrunning any of its buffers.

Denial of Service via SQL Server Resolution Service (CVE-CAN-2002-0650):

What's the scope of this vulnerability?
This is a denial of service vulnerability. An attacker could use the vulnerability to slow the performance of an affected SQL Server. The precise amount by which the system's performance would be slowed would depend on a number of factors, such as the processor speed and memory on the SQL Server, the number of systems attacking the server, and so forth. The vulnerability could not be used to cause the server to fail altogether, nor would it provide the attacker with any privileges on the system. The server would resume normal operation as soon as the attack was broken off.

What causes the vulnerability?
The vulnerability results because of a flaw in the SQL Server 2000 keep-alive mechanism, which operates via the Resolution Service. If a particular data packet is sent to the SQL Server 2000 keep-alive function, it will reply to the sender with an identical packet. By spoofing the source address of such a packet, it would be possible to cause two SQL Server 2000 systems to start an endless cycle of packet exchanges.

What's the keep-alive function in SQL Server 2000?
SQL Server 2000 includes a mechanism by which it can determine whether a server is active or not. It does this by sending a so-called keep-alive packet to the SQL Server Resolution Service on UDP port 1434 and listening for a reply.

What's wrong with the implementation of the keep-alive function in SQL Server 2000?
It's possible to create a keep-alive packet whose response will be identical to the request. If one SQL Server were to send such a packet to another SQL Server, they would enter an unending cycle of sending the same packet back and forth to each other. This activity could consume most or all of the available bandwidth on the two machines.

Could this situation occur naturally?
No. The situation involved in the vulnerability could not occur under normal conditions. SQL Server does not normally generate a keep-alive packet with the needed characteristics. However, it could be possible for an attacker to introduce such a packet in order to initiate an exchange, which would thereafter be self-sustaining.

How might an attacker do this?
Suppose there were two SQL Servers with the vulnerability, Server 1 and Server 2. Now suppose the attacker created the needed keep-alive packet and modified the source address so that it contained Server 1's address, then sent the packet to Server 2. This would initiate the exchange, because Server 2 would reply to Server 1, which would reply to Server 2, ad infinitum.

What could this vulnerability enable an attacker to do?
An attacker could use this vulnerability to consume resources on two SQL Server 2000 systems at the same time.


Who could exploit the vulnerability?
Any user who could send data to an affected SQL Server's Resolution Service port could exploit the vulnerability.

How long would an attack last?
Once started, an attack would continue until one of the machines stopped sending packets. This could happen because the system had been rebooted, the SQL Server service had been restarted, or connectivity between the two servers had been lost.

Once the attack was over, would the server resume normal operation by itself?
Yes.

How much of a system's resources could be monopolized through such an attack?
It would depend on the specifics of the attack. For instance, it would be possible to engage multiple servers in an attack against a single one. Likewise, it would depend on the network bandwidth between the systems, the processor speed on the respective machines, and so forth.

How does the patch eliminate the vulnerability?
The patch eliminates the current keep-alive mechanism, and determines which servers are active and which are passive via a different mechanism. After applying the patch, a SQL Server 2000 system will no longer respond to keep-alive packets.

Patch availability

Download locations for this patch

  • Microsoft SQL Server 2000 and MSDE 2000:

Additional information about this patch

Installation platforms:

This patch can be installed on systems running SQL Server 2000 Service Pack 2.

Inclusion in future service packs:

The fix for this issue will be included in SQL Server 2000 Service Pack 3.

Reboot needed: No. The SQL Server service only needs to be restarted after applying the patch.

Patch can be uninstalled: Yes.

Superseded patches: None.

Verifying patch installation:

  • To ensure you have the fix installed properly, verify the individual files by consulting the date/time stamp of the files listed in the file manifest in Microsoft Knowledge Base article Q323875.

Caveats:

None

Localization:

Localized versions of this patch are available at the locations discussed in 'Patch Availability'.

Obtaining other security patches:

Patches for other security issues are available from the following locations:

  • Security patches are available from the Microsoft Download Center, and can be most easily found by doing a keyword search for 'security_patch'.
  • Patches for consumer platforms are available from the WindowsUpdate web site

Other information:

Acknowledgments

Microsoft thanks David Litchfield of Next Generation Security Software Ltd. for reporting these issues to us and working with us to protect customers.

Support:

  • Microsoft Knowledge Base article Q323875 discusses this issue and will be available approximately 24 hours after the release of this bulletin. Knowledge Base articles can be found on the Microsoft Online Support web site.
  • Technical support is available from Microsoft Product Support Services. There is no charge for support calls associated with security patches.

Security Resources: The Microsoft TechNet Security Web Site provides additional information about security in Microsoft products.

Disclaimer:

The information provided in the Microsoft Knowledge Base is provided 'as is' without warranty of any kind. Microsoft disclaims all warranties, either express or implied, including the warranties of merchantability and fitness for a particular purpose. In no event shall Microsoft Corporation or its suppliers be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages, even if Microsoft Corporation or its suppliers have been advised of the possibility of such damages. Some states do not allow the exclusion or limitation of liability for consequential or incidental damages so the foregoing limitation may not apply.

Revisions:

  • V1.0 (July 24, 2002): Bulletin Created.
  • V1.1 (July 25, 2002): Updated to note that MSDE 2000 is affected by the vulnerabilities.
  • V1.2 (January 31, 2003): Updated to advise of supersedence by MS02-061 and clarify installation order when Hotfix 317748 is applied in conjunction with this security patch.

Built at 2014-04-18T13:49:36Z-07:00

From MS:

This Para is below and important to note:

PLEASE NOTE: The security patches described in MS02-039, MS02-043, MS02-056 and the original release of the security patch described in MS02-061 (released on October 16, 2002) do not contain the Q317748 QFE fix that was subsequently discovered to be required to ensure normal operation of SQL Server. If you have applied any of these security patches and decide to apply the patch from Knowledge Base article Q317748 you must answer 'no' if prompted to overwrite files to ensure that you do not overwrite files from the security patch. The re-released security patch for Microsoft Security Bulletin MS02-061 (released on January 26, 2003) includes the Q317748 QFE fix, and if you have installed this re-released patch, no action is required.

Full Alert:

PSS Security Response Team Alert - Update3: W32.Slammer

UPDATED: January 31, 2003

SEVERITY: IMPORTANT

DATE: January 31, 2003

PRODUCTS AFFECTED: SQL Server 2000 Evaluation Edition, SQL Server 2000 RTM, SQL Server 2000 SP1, SQL Server 2000 SP2, and Microsoft SQL Server Desktop Engine Version (MSDE) 2000 RTM, MSDE 2000 SP1, MSDE 2000 SP2, and all applications that install MSDE 2000 RTM, SP1 or SP2. A list is provided in the following link:

WHAT IS IT?

The PSS Security Response Team is issuing this alert to inform customers about the W32.Slammer worm, which is currently spreading in the wild. You are not at risk unless you are running one of the above listed products, including any Microsoft products that include and install MSDE 2000. Customers are advised to review this information and take the appropriate action for their environments.

This alert is primarily focused at business customers.

IMPACT OF ATTACK: Denial of Service

TECHNICAL DETAILS:

W32.Slammer is a memory resident worm that propagates via UDP Port 1434 and exploits a vulnerability in SQL Server 2000 systems and systems with MSDE 2000 that have not applied the patch released by Microsoft Security Bulletin MS02-039. This bulletin was first available on July 24, 2002.

This worm is designed to propagate, but does not appear to contain any additional payload.

Please contact your Antivirus Vendor for additional details on this worm.

PREVENTION:

This worm utilizes a previously-announced vulnerability as part of its infection method. The vulnerability used by the worm to infect machines is discussed at:

Depending on which product customers are using there may be different methods Microsoft recommends to secure your product. These are listed below:

Microsoft SQL Server 2000 Evaluation Edition, RTM and SP1 or MSDE 2000 RTM and SP1:

In this configuration Microsoft recommends that customers secure their machines against the W32.Slammer virus using the SQL Server 2000 Security Tools. Information on these tools can be found here:

However, Microsoft strongly recommends that customers upgrade to SQL Server 2000 Service Pack 3 or MSDE 2000 SP3 as soon as possible. Information on Service Pack 3 can be found here:

SQL Server 2000 SP2 or MSDE 2000 SP2:

If a customer has previously successfully installed Microsoft Security Bulletin MS02-039, MS02-043, MS02-056, or MS02-061 they are not vulnerable to infection from the W32.Slammer worm.

If customers have not successfully applied the patches from any of above mentioned security bulletins then Microsoft recommends customers take one of two actions:

Microsoft strongly recommends that customers consider upgrading to SQL Server 2000 Service Pack 3 which contains all the latest fixes for SQL Server 2000. As always, customers should thoroughly test SP3 before installation. Customers using MSDE 2000 should consult this page for instructions on how to upgrade their particular versions of MSDE 2000:

(Microsoft is updating this page with instructions for each application as they are provided for each product listed)

Install the most recent cumulative security patch for SQL Server 2000 which is Microsoft Security Bulletin MS02-061 (which will also patch MSDE 2000), and which includes the fixes for the vulnerabilities that were announced in Microsoft Security Bulletin MS02-039. MS02-061 can be found at:

Due to support issues with certain configurations, customers should install the patch for Microsoft Security Bulletin MS02-061 using the following instructions:

If you are running Windows NT 4.0 Server Service Pack 6a install the patch referenced in Microsoft Knowledgebase Q258437, the Microsoft Knowledge Base can be found at http://support.microsoft.com

Install the security patch associated with Microsoft Security Bulletin MS02-061.


Users can verify installation of this patch by verifying the following files are at version 8.00.568:

ssmslpcn.dll

dbmslpcn.dll

The following file should be at version 8.00.679:

ssnetlib.dll

Automated Deployment of Microsoft Security Bulletin MS02-061:

Customers wishing to automate the deployment of Microsoft Security Bulletin MS02-061 should consider using the SQL Server 2000 Security Tools. Information on these tools can be found here:

If you cannot apply any of these patches immediately, the following options can limit propagation of the worm:

Block UDP port 1434 inbound and outbound traffic at your firewalls.

You may also block UDP port 1434 inbound traffic on your SQL Server 2000 Servers or MSDE 2000. Following this instruction may result in support issues as this port performs name resolution.

RECOVERY:

Microsoft recommends customers infected by W32.Slammer utilize one of the following methods to remove the worm from the infected machines:

Automated Removal:

SQL Server 2000 Security Tools can remove the virus from an infected machine and patch it against future infection. Information on these tools can be found here:

Manual Removal:

Set the SQL Server Service to Manual.

Reboot the infected machine.

Follow the instructions above in the PREVENTION section regarding how to patch your machine given a particular scenario.

Set the SQL Server Service to Automatic.

If you need further assistance regarding this worm, please contact Microsoft Product Support Services, or your preferred antivirus vendor.

RELATED KB ARTICLES:

An updated article will be made available within 24 hours.

RELATED MICROSOFT SECURITY BULLETINS:

Microsoft recommends customers install the re-released cumulative security patch for SQL Server 2000, which includes the fixes for the vulnerabilities that were announced in Microsoft Security Bulletin MS02-039, to protect against infection by the W32.Slammer worm. The patch can be found here:

Customers who have previously successfully installed the patches for Microsoft Security Bulletin MS02-039, MS02-043, MS02-056, MS02-061 are safe from infection by the W32.Slammer worm.

PLEASE NOTE: The security patches described in MS02-039, MS02-043, MS02-056 and the original release of the security patch described in MS02-061 (released on October 16, 2002) do not contain the Q317748 QFE fix that was subsequently discovered to be required to ensure normal operation of SQL Server. If you have applied any of these security patches and decide to apply the patch from Knowledge Base article Q317748 you must answer 'no' if prompted to overwrite files to ensure that you do not overwrite files from the security patch. The re-released security patch for Microsoft Security Bulletin MS02-061 (released on January 26, 2003) includes the Q317748 QFE fix, and if you have installed this re-released patch, no action is required.

ADDITIONAL INFORMATION

Microsoft recommends customers upgrade to Microsoft SQL Server 2000 SP3 or MSDE 2000 SP3 which includes the patch associated with Microsoft Security Bulletin MS02-061. As always, customers should thoroughly test SP3 before installation.

Customers using MSDE 2000 should consult this page for instructions on how to upgrade their particular versions of MSDE 2000:

(Microsoft is updating this page with instructions for each application as they are provided for each product listed)

Customers with Application Center 2000 should follow the instructions in the following Knowledge Base Article for installation of the updated patch:


Customers using .NET Framework SDK version 1.0 should follow the instructions in the following Knowledge Base Article to upgrade .NET Framework SDK version 1.0 to MSDE SP3

As always, please make sure to enable a firewall and use the latest Anti-Virus detection from your Anti-Virus vendor to prevent and detect new viruses and their variants.

If you have any questions regarding this alert please contact your Microsoft representative or 1-866-727-2338 (1-866-PCSafety) within the US, outside of the US please contact your local Microsoft Subsidiary.

PSS Security Response Team

Steve Jones


Follow me on Twitter: http://www.twitter.com/way0utwest
Forum Etiquette: How to post data/code on a forum to get the best help
My Blog: www.voiceofthedba.com
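The ssnetlib.dll version checks quoted on this page (2000.80.636.0 in the MS02-039 FAQ, 8.00.679 in the PSS alert) can be applied across an inventory as follows. This is an added example, not part of the bulletin, the alert or the forum post; it assumes the `2000.80.N.0` and `8.00.N` notations carry the same build number N, and the status labels and inventory rows are constructed for illustration.

```python
import re

# ssnetlib.dll build thresholds taken from this page.
MS02_039_BUILD = 636  # bulletin FAQ: 2000.80.636.0
MS02_061_BUILD = 679  # PSS alert:    8.00.679

# Assumption: both notations on the page encode the same build number N.
FILE_FORM = re.compile(r"^2000\.0?80\.(\d+)\.\d+$")       # 2000.80.N.0
PRODUCT_FORM = re.compile(r"^8\.0{1,2}\.(\d+)(?:\.\d+)?$")  # 8.00.N

# Higher rank = worse. A known-vulnerable instance outranks an unreadable one.
RANK = {"ms02-061": 0, "ms02-039": 1, "unverified": 2, "vulnerable": 3}


def ssnetlib_build(version: str) -> int:
    """Extract the build number N from either notation; ValueError otherwise."""
    v = version.strip()
    for pattern in (FILE_FORM, PRODUCT_FORM):
        m = pattern.match(v)
        if m:
            return int(m.group(1))
    raise ValueError(f"not a SQL Server 2000 ssnetlib.dll version: {version!r}")


def classify(version: str) -> str:
    """Map one ssnetlib.dll version string to a patch status.

    The build is compared as an integer: compared as text,
    '2000.80.1000.0' would sort below '2000.80.636.0'.
    """
    try:
        build = ssnetlib_build(version)
    except ValueError:
        return "unverified"  # never treat an unreadable version as patched
    if build < MS02_039_BUILD:
        return "vulnerable"
    if build < MS02_061_BUILD:
        return "ms02-039"
    return "ms02-061"


def audit(inventory):
    """Return {host: worst status over all of its instances}.

    The file is checked per instance, so one unpatched instance
    leaves the whole machine exposed.
    """
    worst = {}
    for host, _instance, version in inventory:
        status = classify(version)
        if host not in worst or RANK[status] > RANK[worst[host]]:
            worst[host] = status
    return worst


# Constructed inventory rows: (host, instance name, ssnetlib.dll version).
SAMPLE_INVENTORY = [
    ("db01", "MSSQLSERVER", "2000.80.636.0"),
    ("db01", "REPORTING", "2000.80.534.0"),
    ("db02", "MSSQLSERVER", "8.00.679"),
    ("app07", "APPDATA", "2000.80.194.0"),
    ("db03", "MSSQLSERVER", "unknown"),
]

if __name__ == "__main__":
    for host, status in sorted(audit(SAMPLE_INVENTORY).items()):
        print(f"{host}: {status}")
```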