Date: 27 January 2003
References: AU-2003.002 ESB-2003.0056 ESB-2003.0057
-----BEGIN PGP SIGNED MESSAGE-----
===========================================================================
AUSCERT External Security Bulletin Redistribution
ESB-2003.0058 -- Cisco Security Advisory
MS SQL "Sapphire" Worm Mitigation Recommendations
27 January 2003
===========================================================================
AusCERT Security Bulletin Summary
---------------------------------
Vendor: Cisco Systems
Ref: AU-2003.002
ESB-2003.0057
ESB-2003.0056
--------------------------BEGIN INCLUDED TEXT--------------------
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Cisco Security Advisory: MS SQL "Sapphire" Worm Mitigation Recommendations
==============================================================================
Revision 1.0
For Public Release 2003 January 25 14:00:00 UTC
-------------------------------------------------------------------------------
Contents
========
Summary
Details
Symptoms
Workarounds
Exploitation and Public Announcements
Status of This Notice
Distribution
Revision History
Cisco Security Procedures
-------------------------------------------------------------------------------
Summary
=======
Cisco customers are currently experiencing attacks due to a new worm that has
hit the Internet. The signature of this worm appears to be high volumes of UDP
traffic to port 1434. Affected customers have been experiencing high volumes of
traffic from both internal and external systems. Symptoms on Cisco devices
include, but are not limited to, high CPU and traffic drops on the input
interfaces.
http://www.eeye.com/html/Research/Flash/AL20030125.html
At the time of this notice there is no definitive analysis of the worm.
Details
=======
UDP port 1433 and 1434 are used for SQL server traffic. A new worm has been
targeting port 1434 and attempting to exploit a buffer overflow vulnerability
in Microsoft's SQL server. We have received reports that the worm targets port
1433 as well, however this is unverified at this time.
Microsoft has issued a security advisory about this issue, the details are
here:
http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/bulletin/MS02-039.asp
For infected servers, Microsoft recommends downloading Service Pack 3 for SQL
Server, located here:
http://www.microsoft.com/sql/downloads/2000/sp3.asp?SD=GN&LN=en-us&gssnb=1
Symptoms
========
You may see instability in networks due to increased load. The traffic load
generated by this DoS is very high.
Workarounds
===========
Thus far the best mitigation is to block inbound and outbound traffic destined
to UDP port 1434. Care must be taken with regard to the impact on mission
critical services, as 1434/udp and 1433/udp are used by Microsoft SQL Server.
Before blocking traffic to these ports completely, make sure that the possible
effects on your network are understood.
Note: These workarounds block both ports 1433 and 1434, although we have
received no evidence yet that blocking port 1433 has any effect on the attack.
If your network requires traffic to flow on port 1433, please leave that portion
of the ACL out and monitor your results closely.
VACL on the 6500
To configure:
set security acl ip WORM deny udp any eq 1434 any
set security acl ip WORM deny udp any any eq 1434
set security acl ip WORM deny udp any eq 1433 any
set security acl ip WORM deny udp any any eq 1433
set security acl ip WORM permit any
commit security acl WORM
set security acl map WORM <vlan>
Set port to vlan based:
set port qos <mod/port> vlan-based
To verify:
show security acl info all
To remove:
clear security acl WORM
commit security acl WORM
ACL for IOS
Note: Log statement removed due to load issues on the router. If you are trying
to track source addresses, use NetFlow.
access-list 115 deny udp any any eq 1433
access-list 115 deny udp any any eq 1434
access-list 115 permit ip any any
int <interface>
 ip access-group 115 in
 ip access-group 115 out
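The advisory recommends NetFlow rather than ACL logging for tracking the source addresses of the UDP/1434 traffic. The following is an added example, not part of the Cisco advisory: it summarises constructed NetFlow-style records per source and flags hosts whose UDP/1434 traffic fans out to many distinct destinations, which is how a scanning worm looks in flow data (the fan-out threshold of three destinations is an assumption chosen for the sample, not a figure from the advisory).

```python
# Added example (not from the Cisco advisory): find likely infected hosts
# in NetFlow-style records by counting distinct UDP/1434 destinations
# per source, instead of using ACL log statements on the router.
from collections import defaultdict

# Constructed sample flow records, one per line:
# src_ip dst_ip ip_proto dst_port packets   (ip_proto 17 = UDP, 6 = TCP)
SAMPLE_FLOWS = """\
10.1.2.50 192.0.2.10 17 1434 1
10.1.2.50 192.0.2.11 17 1434 1
10.1.2.50 198.51.100.7 17 1434 1
10.1.2.50 203.0.113.9 17 1434 1
10.1.2.51 10.1.2.20 17 1434 3
10.1.2.60 10.1.2.20 6 1433 40
10.1.2.61 10.1.2.20 17 1433 2
"""


def parse_flows(text):
    """Parse whitespace-separated flow lines into dicts; skip malformed lines."""
    flows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 5:
            continue
        src, dst, proto, dport, pkts = parts
        flows.append({"src": src, "dst": dst, "proto": int(proto),
                      "dport": int(dport), "packets": int(pkts)})
    return flows


def udp1434_sources(flows, min_destinations=3):
    """Return {src: (distinct_destinations, packets)} for sources whose
    UDP/1434 traffic reaches at least min_destinations distinct hosts.
    A worm scanning from one host fans out to many targets, while a normal
    client resolving SQL instances talks to one or a few servers.  The
    threshold is an assumed heuristic; tune it for the network in question."""
    dsts = defaultdict(set)
    pkts = defaultdict(int)
    for f in flows:
        if f["proto"] == 17 and f["dport"] == 1434:
            dsts[f["src"]].add(f["dst"])
            pkts[f["src"]] += f["packets"]
    return {s: (len(d), pkts[s]) for s, d in dsts.items()
            if len(d) >= min_destinations}
```

Lowering min_destinations to 1 lists every host that sent any UDP/1434 traffic, which is useful for confirming that the ACL above is actually dropping the flows once it is applied.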
Exploitation and Public Announcements
=====================================
This issue is being exploited actively and has been discussed in numerous
public announcements and messages. References include:
* http://www.cert.org/advisories/CA-2003-04.html
* http://www.eeye.com/html/Research/Flash/AL20030125.html
Status of This Notice: INTERIM
==============================
This is an interim notice. Although Cisco cannot guarantee the accuracy of all
statements in this notice, all of the facts have been checked to the best of
our ability. Cisco anticipates issuing updated versions of this notice when
there is material change in the facts.
Distribution
============
This notice will be posted on Cisco's worldwide website at
http://www.cisco.com/warp/public/707/cisco-sn-20030125-worm.shtml. In addition to worldwide web
posting, a text version of this notice is clear-signed with the Cisco PSIRT PGP
key and is posted to the following e-mail and Usenet news recipients:
* cust-security-announce@cisco.com
* bugtraq@securityfocus.com
* full-disclosure@lists.netsys.com
* first-teams@first.org (includes CERT/CC)
* cisco@spot.colorado.edu
* cisco-nsp@puck.nether.net
* comp.dcom.sys.cisco
* Various internal Cisco mailing lists
Future updates of this notice, if any, will be placed on Cisco's worldwide web
Users concerned about this problem are encouraged to check the URL given above
for any updates.
Revision History
================
+--------------+-----------------+-------------------------+
| Revision 1.0 | 25-January-2003 | Initial public release. |
+--------------+-----------------+-------------------------+
Cisco Security Procedures
=========================
If you have any new information that would be of use to us, please send email
to psirt@cisco.com. Information regarding strategies for protecting against
Distributed Denial of Service attacks may be found at
http://www.cisco.com/warp/public/707/newsflash.html.
Complete information on reporting security vulnerabilities in Cisco products,
obtaining assistance with security incidents, and registering to receive
security information from Cisco, is available on Cisco's worldwide website at
http://www.cisco.com/warp/public/707/sec_incident_response.shtml. This includes
instructions for press inquiries regarding Cisco security notices. All Cisco
Security Advisories are available at http://www.cisco.com/go/psirt/.
-------------------------------------------------------------------------------
This notice is Copyright 2003 by Cisco Systems, Inc. This notice may be
redistributed freely after the release date given at the top of the text,
provided that redistributed copies are complete and unmodified, and include all
date and version information.
-------------------------------------------------------------------------------
-----BEGIN PGP SIGNATURE-----
Version: PGP 7.0
-----END PGP SIGNATURE-----
--------------------------END INCLUDED TEXT--------------------
You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.
This security bulletin is provided as a service to AusCERT's members. As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to use any or all of this information is
the responsibility of each user or organisation, and should be done so in
accordance with site policies and procedures.
NOTE: This is only the original release of the security bulletin. It may
not be updated when updates to the original are made. If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.
Contact information for the authors of the original document is included
in the Security Bulletin above. If you have any questions or need further
information, please contact them directly.
Previous advisories and external security bulletins can be retrieved from:
http://www.auscert.org.au/render.html?cid=1980
If you believe that your system has been compromised, contact AusCERT or
your representative in FIRST (Forum of Incident Response and Security
Teams).
Internet Email: auscert@auscert.org.au
Facsimile: (07) 3365 7031
Telephone: (07) 3365 4417 (International: +61 7 3365 4417)
AusCERT personnel answer during Queensland business
hours which are GMT+10:00 (AEST). On call after hours
for member emergencies only.
-----BEGIN PGP SIGNATURE-----
Version: 2.6.3i
Charset: noconv
Comment: http://www.auscert.org.au/render.html?it=1967
-----END PGP SIGNATURE-----