7.25.02. Microsoft released today two new security patches for SQL Server 2000 and MSDE 2000. The patches combine to eliminate five newly discovered vulnerabilities ranging from moderate to critical in severity.
The "Unchecked Buffer in SQL Server 2000 Utilities Could Allow Code Execution" patch eliminates two newly discovered vulnerabilities, both of which carry a moderate severity rating:
- Buffer Overrun Vulnerability in Database Consistency Checkers - A buffer overrun vulnerability that occurs in several Database Consistency Checkers (DBCCs) that ship as part of SQL Server 2000. In the most serious case, exploiting this vulnerability would enable an attacker to run code in the context of the SQL Server service, thereby giving the attacker complete control over all databases on the server.
- SQL Injection Vulnerability in Replication Stored Procedures - A SQL injection vulnerability that occurs in two stored procedures used in database replication. Exploiting the vulnerability could enable an attacker to run operating system commands on the server (subject, however, to significant mitigating factors).
The "Buffer Overruns in SQL Server 2000 Resolution Service Could Enable Code Execution" patch eliminates three newly discovered vulnerabilities in the SQL Server Resolution Service, all of which carry a critical severity rating:
- Buffer Overruns in SQL Server Resolution Service - Two separate buffer overruns exist that can be exploited by sending a carefully crafted packet to the Resolution Service, which could then allow an attacker to cause portions of system memory (the heap in one case, the stack in the other) to be overwritten. Overwriting it with random data would likely result in the failure of the SQL Server service; overwriting it with carefully selected data could allow the attacker to run code in the security context of the SQL Server service.
- Denial of Service via SQL Server Resolution Service - A vulnerability exists in the keep-alive mechanism that makes it possible to create a keep-alive packet that, when sent to the Resolution Service, will cause SQL Server 2000 to respond with the same information. An attacker who created such a packet, spoofed the source address so that it appeared to come from one SQL Server 2000 system, and sent it to a neighboring SQL Server 2000 system could cause the two systems to enter a never-ending cycle of keep-alive packet exchanges. This would consume resources on both systems, slowing performance considerably.
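The keep-alive loop described above leaves a distinctive trace in network flow records, and the following added example (not from the bulletin or from Microsoft) scans constructed UDP flow records for it. It assumes the Resolution Service listens on UDP port 1434 and sources its replies from that same port, neither of which the article states; ordinary clients query the service from an ephemeral port, so 1434-to-1434 traffic between two hosts is the fingerprint of two servers answering each other.

```python
"""Flag the MS02-039 keep-alive reflection loop in UDP flow records."""
from collections import Counter

SSRP_PORT = 1434  # assumption: UDP port of the SQL Server Resolution Service

# Constructed sample flow records: "time proto src:sport > dst:dport bytes".
# Line 1-2: a normal client query and reply (must not be flagged).
# Lines 3-6: two servers ping-ponging keep-alives from port 1434 to 1434.
SAMPLE_LOG = """\
12:00:01 udp 10.0.0.5:49152 > 10.0.0.10:1434 1
12:00:01 udp 10.0.0.10:1434 > 10.0.0.5:49152 120
12:00:02 udp 10.0.0.10:1434 > 10.0.0.11:1434 1
12:00:02 udp 10.0.0.11:1434 > 10.0.0.10:1434 1
12:00:02 udp 10.0.0.10:1434 > 10.0.0.11:1434 1
12:00:02 udp 10.0.0.11:1434 > 10.0.0.10:1434 1
12:00:03 tcp 10.0.0.5:49153 > 10.0.0.10:1433 60
"""


def parse_flow(line):
    """Split one constructed flow record into its fields."""
    ts, proto, src, _, dst, nbytes = line.split()
    shost, sport = src.rsplit(":", 1)
    dhost, dport = dst.rsplit(":", 1)
    return {"ts": ts, "proto": proto, "src": shost, "sport": int(sport),
            "dst": dhost, "dport": int(dport), "bytes": int(nbytes)}


def find_keepalive_loops(log_text, threshold=2):
    """Return {(host_a, host_b): count} for unordered host pairs that exchanged
    at least `threshold` UDP datagrams with BOTH ports equal to SSRP_PORT.
    Client queries (ephemeral source port) never match, so they are ignored."""
    pairs = Counter()
    for line in log_text.splitlines():
        if not line.strip():
            continue
        f = parse_flow(line)
        if (f["proto"] == "udp" and f["sport"] == SSRP_PORT
                and f["dport"] == SSRP_PORT):
            pairs[tuple(sorted((f["src"], f["dst"])))] += 1
    return {pair: n for pair, n in pairs.items() if n >= threshold}


if __name__ == "__main__":
    for (a, b), n in find_keepalive_loops(SAMPLE_LOG).items():
        print(f"possible Resolution Service keep-alive loop: {a} <-> {b} ({n} datagrams)")
```

A hit is a cue to confirm both hosts are patched and to block inbound UDP 1434 at the perimeter, which also removes the spoofed trigger packet's path in.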
Both patches can be installed on systems running SQL Server 2000 Service Pack 2, and the functionality included in the patches will be part of SQL Server 2000 Service Pack 3 when it's released.
Additional information on the "Unchecked Buffer in SQL Server 2000 Utilities Could Allow Code Execution" patch (and download links) can be found at http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/bulletin/MS02-038.asp
Additional information on the "Buffer Overruns in SQL Server 2000 Resolution Service Could Enable Code Execution" patch (and download links) can be found at http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/bulletin/MS02-039.asp
See All Articles by Editor Forrest Stroud