[SECURITY-L] CAIS-Alerta: Vulnerabilidade remota no Servidor SQL
Daniela Regina Barbetti
daniela em ccuec.unicamp.br
Seg Fev 25 11:24:47 -03 2002
----- Forwarded message from Centro de Atendimento a Incidentes de Seguranca <cais em cais.rnp.br> -----
From: Centro de Atendimento a Incidentes de Seguranca <cais em cais.rnp.br>
Subject: CAIS-Alerta: Vulnerabilidade remota no Servidor SQL
To: <rnp-alerta em cais.rnp.br>, <rnp-seg em cais.rnp.br>
Date: Fri, 22 Feb 2002 15:10:48 -0300 (EST)
-----BEGIN PGP SIGNED MESSAGE-----
Prezados,
O CAIS esta' repassando o alerta da Microsoft, Microsoft Security Bulletin
MS02-007, relacionado `a capacidade do SQL em realizar conexoes remotas.
A vulnerabilidade identificada permite a um atacante causar uma
interrupcao no SQL Server ou mesmo conseguir que codigo malicioso seja
executado no servidor.
Sistemas Afetados:
Microsoft SQL Server 7.0
Microsoft SQL Server 2000
Correcoes disponiveis:
. SQL Server 7.0:
http://support.microsoft.com/support/misc/kblookup.asp?id=Q318268
. SQL Server 2000:
http://support.microsoft.com/support/misc/kblookup.asp?id=Q316333
Identificador do CVE:
CAN-2002-0056 (http://cve.mitre.org)
Maiores informacoes:
http://www.microsoft.com/technet/security/bulletin/MS02-007.asp
O CAIS recomenda fortemente aos administradores de sistemas Windows que
atualizem seus sistemas em virtude da gravidade desta vulnerabilidade.
Atenciosamente,
################################################################
# CENTRO DE ATENDIMENTO A INCIDENTES DE SEGURANCA / RNP #
# #
# cais em cais.rnp.br http://www.cais.rnp.br #
# Tel. 019-37873300 Fax. 019-37873301 #
# Chave PGP disponivel em: http://www.cais.rnp.br/cais-pgp.key #
################################################################
- ----------------------------------------------------------------------
Title: SQL Server Remote Data Source Function Contain
Unchecked Buffers
Date: 20 February 2002
Software: Microsoft SQL Server
Impact: Run code of attacker's choice on server
Max Risk: Moderate
Bulletin: MS02-007
Microsoft encourages customers to review the Security Bulletin at:
http://www.microsoft.com/technet/security/bulletin/MS02-007.asp.
- ----------------------------------------------------------------------
Issue:
======
One of the features of Structured Query Language (SQL) in
SQL Server 7.0 and 2000 is the ability to connect to remote data
sources. One capability of this feature is the ability to use
"ad hoc" connections to connect to remote data sources without
setting up a linked server for less-often used data-sources. This
is made possible through the use of OLE DB providers, which are
low-level data source providers. This capability is made possible
by invoking the OLE DB provider directly by name in a query to
connect to the remote data source.
An unchecked buffer exists in the handling of OLE DB provider names
in ad hoc connections. A buffer overrun could occur as a result and
could be used to either cause the SQL Server service to fail, or to
cause code to run in the security context of the SQL Server.
SQL Server can be configured to run in various security contexts,
and by default runs as a domain user. The precise privileges the
attacker could gain would depend on the specific security context
that the service runs in.
An attacker could exploit this vulnerability in one of two ways.
They could attempt to load and execute a database query that calls
one of the affected functions. Conversely, if a web-site or other
database front-end were configured to access and process arbitrary
queries, it could be possible for an attacker to provide inputs that
would cause the query to call one of the functions in question
with the appropriate malformed parameters.
Mitigating Factors:
====================
- The effect of exploiting the vulnerability would depend on the
specific configuration of the SQL Server service. SQL Server
can be configured to run in a security context chosen by the
administrator. By default, this context is as a domain user.
If the rule of least privilege has been followed, it would
minimize the amount of damage an attacker could achieve.
- Both vectors for exploiting the vulnerability could be blocked
by following best practices. Specifically, untrusted users
should not be able to load and execute queries of their choice
on a database server. In addition, publicly accessible database
queries should filter all inputs prior to processing.
Risk Rating:
============
- Internet systems: Moderate
- Intranet systems: Moderate
- Client systems: Moderate
Patch Availability:
===================
- A patch is available to fix this vulnerability. Please read the
Security Bulletin at
http://www.microsoft.com/technet/security/bulletin/ms02-007.asp
for information on obtaining this patch.
- ---------------------------------------------------------------------
THE INFORMATION PROVIDED IN THE MICROSOFT KNOWLEDGE BASE IS
PROVIDED "AS IS" WITHOUT WARRANTY OF ANY KIND. MICROSOFT DISCLAIMS
ALL
WARRANTIES, EITHER EXPRESS OR IMPLIED, INCLUDING THE
WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE.
IN NO EVENT
SHALL MICROSOFT CORPORATION OR ITS SUPPLIERS BE LIABLE FOR ANY
DAMAGES
WHATSOEVER INCLUDING DIRECT, INDIRECT, INCIDENTAL, CONSEQUENTIAL,
LOSS OF
BUSINESS PROFITS OR SPECIAL DAMAGES, EVEN IF MICROSOFT CORPORATION OR
ITS
SUPPLIERS HAVE BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES. SOME
STATES DO
NOT ALLOW THE EXCLUSION OR LIMITATION OF LIABILITY FOR CONSEQUENTIAL
OR
INCIDENTAL DAMAGES SO THE FOREGOING LIMITATION MAY NOT APPLY.
*******************************************************************
You have received this e-mail bulletin as a result of your subscription to the Microsoft Product Security Notification Service. For more information on this service, please visit http://www.microsoft.com/technet/security/notify.asp.
To verify the digital signature on this bulletin, please download our PGP key at http://www.microsoft.com/technet/security/notify.asp.
To cancel your subscription, click on the following link mailto:1_26065_2BE60FCA-5EED-4C3F-8390-E11E2B14D589_BR em Newsletters.Microsoft.com?subject=UNSUBSCRIBE to create an unsubscribe e-mail.
To stop all e-mail newsletters from microsoft.com, click on the following link mailto:2_26065_2BE60FCA-5EED-4C3F-8390-E11E2B14D589_BR em Newsletters.Microsoft.com?subject=STOPMAIL to create an unsubscribe e-mail. You can manage all your Microsoft.com communication preferences from http://www.microsoft.com/misc/unsubscribe.htm
For security-related information about Microsoft products, please visit the Microsoft Security Advisor web site at http://www.microsoft.com/security.
- ------------ Output from pgp ------------
Good signature made 2002-02-21 00:59 GMT by key:
2048 bits, Key ID 3103F52B, Created 2000-01-22
"Microsoft Security Response Center <secure em microsoft.com>"
WARNING: The signing key is not trusted to belong to:
Microsoft Security Response Center <secure em microsoft.com>
-----BEGIN PGP SIGNATURE-----
Version: PGPfreeware 5.0i for non-commercial use
Charset: noconv
iQCVAwUBPHaJ2+kli63F4U8VAQFWzwQAmHlZGSC8h135q4Ld3Oq3Hx/A2cqsE3WK
/uJ3DQlDa1THyVvSlPihL9QkhN5rFhjgqDVyo0sllFYj3rwU8I8LnLwq8plWBj/9
rN9d4Io+QL2zUAN8a6uz2RRinWP3ET7D28M4v6qqJ+1yxm1FEzuQby+fx/xoZdCS
m3YRZ2BC/5k=
=yoSc
-----END PGP SIGNATURE-----
----- End forwarded message -----
Mais detalhes sobre a lista de discussão SECURITY-L