The OpenNET Project
 
Search (keywords):  SOFT ARTICLES TIPS & TRICKS SECURITY
LINKS NEWS MAN DOCUMENTATION


Cisco Security Advisory: MS SQL "Sapphire" Worm Mitigation Recommendations


<< Previous INDEX Search src Set bookmark Go to bookmark Next >>
Date: Sat, 25 Jan 2003 12:30:00 -0800 (PST)
From: Cisco Systems Product Security Incident Response Team <psirt@cisco.com.>
To: [email protected]
Subject: Cisco Security Advisory: MS SQL "Sapphire" Worm Mitigation Recommendations

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Cisco Security Advisory: MS SQL "Sapphire" Worm Mitigation Recommendations

Revision 1.0 For Public Release 2003 January 25 14:00:00 UTC - ------------------------------------------------------------------------------- Contents ======== Summary Details Symptoms Workarounds Exploitation and Public Announcements Status of This Notice Distribution Revision History Cisco Security Procedures - ------------------------------------------------------------------------------- Summary ======= Cisco customers are currently experiencing attacks due to a new worm that has hit the Internet. The signature of this worm appears to be high volumes of UDP traffic to port 1434. Affected customers have been experiencing high volumes of traffic from both internal and external systems. Symptoms on Cisco devices include, but are not limited to high CPU and traffic drops on the input interfaces. http://www.eeye.com/html/Research/Flash/AL20030125.html leaving cisco.com At the time of this notice there is no definitive analysis of the worm. Details ======= UDP port 1433 and 1434 are used for SQL server traffic. A new worm has been targeting port 1434 and attempting to exploit a buffer overflow vulnerability in Microsoft's SQL server. We have received reports that the worm targets port 1433 as well, however this is unverified at this time. Microsoft has issued a security advisory about this issue, the details are here: http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/ bulletin/MS02-039.asp leaving cisco.com For infected servers, MS recommends downloading Service Pack 3 for SqlSvr, located here: http://www.microsoft.com/sql/downloads/2000/sp3.asp?SD=GN&LN=en-us&gssnb=1 leaving cisco.com Symptoms ======== You may see instability in networks due to increased load. The traffic load generated by this DoS is very high. Workarounds =========== Thus far the best mitigation is to block inbound and outbound traffic destined to UDP port 1434. Care must be taken in regards to the impact on mission critical services as 1434/udp and 1433/udp are used by Microsoft SQL Server. Before blocking traffic to these ports completely make sure that the possible effects on your network are understood. Note: These workarounds block both ports 1433 and 1434, although we have received no evidence yet that blocking port 1433 has any affect on the attack. If your network requires traffic to flow on port 1433 please leave that portion of the ACL out and monitor your results closely. VACL on the 6500 To configure: set security acl ip WORM deny udp any eq 1434 any set security acl ip WORM deny udp any any eq 1434 set security acl ip WORM deny udp any eq 1433 any set security acl ip WORM deny udp any any eq 1433 set security acl ip WORM permit any commit security acl WORM set security acl map WORM <vlan> Set port to vlan based: set port qos <mod/port> vlan-based To verify: show security acl info all To remove: clear security acl WORM commit security acl WORM ACL for IOS Note: Log statement removed due to load issues on the router. If you are trying to track source addresses, use NetFlow. access-list 115 deny udp any any eq 1433 access-list 115 deny udp any any eq 1434 access-list 115 permit ip any any int <interface> ip access-group 115 in ip access-group 115 out Exploitation and Public Announcements
This issue is being exploited actively and has been discussed in numerous public announcements and messages. References include: * http://www.cert.org/advisories/CA-2003-04.html leaving cisco.com * http://www.eeye.com/html/Research/Flash/AL20030125.html leaving cisco.com Status of This Notice: INTERIM
This is an interim notice. Although Cisco cannot guarantee the accuracy of all statements in this notice, all of the facts have been checked to the best of our ability. Cisco anticipates issuing updated versions of this notice when there is material change in the facts. Distribution ============ This notice will be posted on Cisco's worldwide website at http://www.cisco.com /warp/public/707/cisco-sn-20030125-worm.shtml. In addition to worldwide web posting, a text version of this notice is clear-signed with the Cisco PSIRT PGP key and is posted to the following e-mail and Usenet news recipients: * [email protected] * [email protected] * [email protected] * [email protected] (includes CERT/CC) * [email protected] * [email protected] * comp.dcom.sys.cisco * Various internal Cisco mailing lists Future updates of this notice, if any, will be placed on Cisco's worldwide web Users concerned about this problem are encouraged to check the URL given above for any updates. Revision History ================ +---------------------------------------------------------------------------+ |Revision |25-January-2003|Initial public release. | |1.0 | | | +---------------------------------------------------------------------------+ Cisco Security Procedures
If you have any new information that would be of use to us, please send email to [email protected]. Information regarding strategies for protecting against Distributed Denial of Service attacks may be found at http://www.cisco.com/warp /public/707/newsflash.html . Complete information on reporting security vulnerabilities in Cisco products, obtaining assistance with security incidents, and registering to receive security information from Cisco, is available on Cisco's worldwide website at http://www.cisco.com/warp/public/707/sec_incident_response.shtml. This includes instructions for press inquiries regarding Cisco security notices. All Cisco Security Advisories are available at http://www.cisco.com/go/psirt/. - ------------------------------------------------------------------------------- This notice is Copyright 2003 by Cisco Systems, Inc. This notice may be redistributed freely after the release date given at the top of the text, provided that redistributed copies are complete and unmodified, and include all date and version information. - ------------------------------------------------------------------------------- -----BEGIN PGP SIGNATURE----- Version: PGP 7.0 iQA/AwUBPjLvSJPS/wbyNnWcEQJfkACbBvRVSNVIGPrVNbUFa36ljgskecIAn1lQ NKkVnPmOjGcau3OjeIudkzyh =KxPU -----END PGP SIGNATURE-----

<< Previous INDEX Search src Set bookmark Go to bookmark Next >>



Партнёры:
PostgresPro
Inferno Solutions
Hosting by Hoster.ru
Хостинг:

Закладки на сайте
Проследить за страницей
Created 1996-2024 by Maxim Chirkov
Добавить, Поддержать, Вебмастеру