This attack could pose a moderate security threat. It does not require immediate action.
This signature detects an attempt to exploit a denial-of-service vulnerability in Microsoft SQL Server.
A vulnerability has been discovered in Microsoft SQL Server 2000 that could allow remote attackers to gain access to target hosts.
A flaw in the SQL Server Resolution Service makes it possible for a remote user to execute arbitrary code on a vulnerable host. An attacker can trigger a heap-based overflow in the Resolution Service by sending a maliciously crafted UDP packet to port 1434.
UDP port 1434 is the Microsoft SQL Monitor port: clients query it to learn how connections to a given SQL Server instance should be made. When the Resolution Service receives a packet that starts with the byte 0x08, followed by an overly long string, a ':' character and a number, the heap overflow is triggered and key memory structures needed for normal operation are corrupted.
If the packet payload is not specifically designed to cause code execution, the result is a denial of service. It may be possible to craft the payload so that arbitrary instructions execute in the security context of the SQL Server process, which would give a remote attacker local access to the underlying host.
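The packet shape described above is what a detector for this signature has to recognise. The following is an added example, not code from the original page or from any vendor's signature engine: it splits a UDP/1434 datagram into opcode, string and trailing number, flags the 0x08 + overly-long-string + ':' + number pattern, and runs that check over a few constructed datagrams. The length threshold MAX_NAME_LEN and the shapes of the two "normal" resolution requests (0x02 broadcast, 0x04 plus instance name) are assumptions made for the example; the page gives no exact figures, and the filler string is inert test data, not exploit code.

```python
"""Detector for the UDP/1434 SQL Server Resolution Service heap-overflow
packet shape: first byte 0x08, an overly long string, a ':' and a number.
Added example, not part of the original page."""

from typing import List, Optional, Tuple

# Assumption: a legitimate 0x08 request carries a short instance name, so
# anything longer than this is treated as "overly long". The page itself
# gives no exact length; tune this to what your servers actually see.
MAX_NAME_LEN = 64


def parse_0x08_request(payload: bytes) -> Optional[Tuple[bytes, int]]:
    """Split a type-0x08 datagram into (string, number).

    Returns None when the datagram does not have the 0x08 shape at all
    (different opcode, no ':' separator, or a non-numeric trailer), so the
    caller ignores unrelated resolution traffic instead of alerting on it.
    """
    if len(payload) < 2 or payload[0] != 0x08:
        return None
    body = payload[1:].rstrip(b"\x00")      # tolerate a trailing NUL terminator
    sep = body.rfind(b":")                  # the ':' that precedes the number
    if sep == -1:
        return None
    name, trailer = body[:sep], body[sep + 1:]
    if not trailer.isdigit():
        return None
    return name, int(trailer)


def is_heap_overflow_attempt(payload: bytes, max_name_len: int = MAX_NAME_LEN) -> bool:
    """True when the datagram matches the trigger: 0x08 + long string + ':' + number."""
    parsed = parse_0x08_request(payload)
    if parsed is None:
        return False
    name, _number = parsed
    return len(name) > max_name_len


def build_0x08_request(name_len: int, number: int = 1433, fill: bytes = b"A") -> bytes:
    """Build a datagram of the 0x08 shape with a filler string of name_len bytes.

    Constructed purely to exercise the detector; the filler is inert.
    """
    return b"\x08" + fill * name_len + b":" + str(number).encode() + b"\x00"


# Constructed sample datagrams (not captured traffic). The first two are the
# assumed shapes of normal resolution requests, the third is a 0x08 request
# with a plausibly short name, the fourth has the overflow shape.
SAMPLE_DATAGRAMS = [
    ("broadcast discovery", b"\x02"),
    ("instance lookup", b"\x04MSSQLSERVER\x00"),
    ("short 0x08 request", build_0x08_request(11)),
    ("overflow-shaped 0x08 request", build_0x08_request(400)),
]


def classify_datagrams(datagrams) -> List[Tuple[str, bool]]:
    """Run the signature over (label, payload) pairs; return (label, alert) pairs."""
    return [(label, is_heap_overflow_attempt(payload)) for label, payload in datagrams]


if __name__ == "__main__":
    for label, alert in classify_datagrams(SAMPLE_DATAGRAMS):
        print(f"{'ALERT' if alert else 'ok   '}  {label}")
```

Only the fourth sample datagram raises an alert. Note that the check keys on the string length, not on the payload contents: a packet of this shape causes the overflow whether it carries shellcode or random bytes, so the detector does not try to distinguish the denial-of-service case from the code-execution case.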
On January 25 2003, DeepSight TMS detected a significant increase in UDP traffic destined for port 1434. Port 1434 is associated with Microsoft SQL Server. Initial analysis has suggested the presence of a new worm that is propagating rapidly through hosts running SQL Server.
The worm can use significant amounts of bandwidth. It was originally suspected that this was due to a denial of service attack built into the worm. It has turned out that this is not the case -- the bandwidth consumption is due to aggressive propagation.
At this time it is suspected that the worm may exploit BID 5310 or 5311. This is not yet confirmed.
Administrators are advised to block all external access to database servers until more information is available. Access to port 1434 should be denied completely, on both TCP and UDP. Filtering other ports as well may reduce the chance of compromise through as yet unknown avenues. This should be done even if the patch for this particular vulnerability has been installed.
Cisco has released an advisory that details workaround information. Microsoft recommends that affected users apply SQL Server 2000 Service Pack 3.
Affected products:
- Microsoft Data Engine 2000
- Microsoft SQL Server 2000 SP1, SP2
- Veritas Software Backup Exec for Windows Servers 9.0