From: Russ (Russ.Cooper_at_RC.ON.CA)
Date: Thu Jul 11 2002 - 09:13:59 CDT
http://www.microsoft.com/technet/security/bulletin/MS02-034.asp
Cumulative Patch for SQL Server (Q316333)
Originally posted: July 10, 2002
Summary
Who should read this bulletin: Database administrators using Microsoft® SQL Server(tm) or Microsoft SQL Server Desktop Engine (MSDE) 2000.
Impact of vulnerability: Three new vulnerabilities, the most serious of which could run code of attacker's choice on server.
Maximum Severity Rating: Moderate
Recommendation: Apply the patch immediately to affected systems.
Affected Software:
- Microsoft SQL Server 2000 all editions.
- Microsoft SQL Server Desktop Engine (MSDE) 2000.
Technical description:
This is a cumulative patch that includes the functionality of all previously released patches for SQL Server 2000. In addition, it eliminates three newly discovered vulnerabilities affecting SQL Server 2000 and MSDE 2000 (but not any previous versions of SQL Server or MSDE):
- A buffer overrun vulnerability in a procedure used to encrypt SQL Server credential information. An attacker who was able to successfully exploit this vulnerability could gain significant control over the database and possibly the server itself depending on the account SQL Server runs as.
- A buffer overrun vulnerability in a procedure that relates to the bulk inserting of data in SQL Server tables. An attacker who was able to successfully exploit this vulnerability could gain significant control over the database and possibly the server itself.
- A privilege elevation vulnerability that results because of incorrect permissions on the Registry key that stores the SQL Server service account information. An attacker who was able to successfully exploit this vulnerability could gain greater privileges on the system than had been granted by the system administrator -- potentially even the same rights as the operating system.
Mitigating factors:
Unchecked Buffer in Password Encryption Procedure:
- The effect of exploiting the vulnerability would depend on the specific configuration of the SQL Server service. SQL Server can be configured to run in a security context chosen by the administrator. By default, this context is as a domain user. If the default was chosen, it would minimize the amount of damage an attacker could achieve.
- The vulnerability could be blocked by following best practices. Specifically, untrusted users should not be able to load and execute queries of their choice on a database server. In addition, publicly accessible database queries should filter all inputs prior to processing.
Unchecked Buffer in Bulk Insert Procedure:
- An attacker would need to already possess significant rights on the server in order to exploit the vulnerability, as only Bulk Admins and full administrators have the ability to load and run queries that invoke the vulnerable procedure.
- The effect of exploiting the vulnerability would depend on the specific configuration of the SQL Server service. SQL Server can be configured to run in a security context chosen by the administrator. By default, it runs in the context of a domain user; if chosen, this would minimize the amount of damage an attacker could achieve.
- Best practices could help minimize the vulnerability. Specifically, untrusted users should not be able to load and execute queries of their choice on a database server. In addition, publicly accessible database queries should filter all inputs prior to processing.
Incorrect Permission on SQL Server Service Account Registry Key:
- Successfully exploiting this vulnerability would require the ability to load and run queries on the system. By following best practices and limiting this ability to administrators, users can mitigate the threat posed by this vulnerability.
- Successfully exploiting this vulnerability would also require a sysadmin or someone that has been granted xp_regwrite execute permissions.
Vulnerability identifier:
- Unchecked Buffer in Password Encryption Procedure: CVE-CAN-2002-0624
- Unchecked Buffer in Bulk Insert Procedure: CVE-CAN-2002-0641
- Incorrect Permission on SQL Server Service Account Registry Key: CVE-CAN-2002-0642
This email is sent to NTBugtraq automatically as a service to my subscribers. Since it's programmatically created, and since it's been a long time since anyone paid actual money for my programming skills, it may or may not look that good...;-]
I can only hope that the information it does contain can be read well enough to serve its purpose.
Cheers,
Russ - Surgeon General of TruSecure Corporation/NTBugtraq Editor