More info on the worm that's affected MS SQL 2000. Please open a TAC case with Cisco at P2 or P1 depending on severity and if you would like some assistance. I can be reached this evening or in the AM if nec by cell.
Thanks
Tim Young, Major
Account Manager
Cisco Systems, Inc.
5890 Owens Dr.
Pleasanton, CA. 94588
925-223-3565 office
925-437-5900 cell
800-365-4578 pager
tiyoung@cisco.com
Sent: Sunday, January 26, 2003 4:26 PM
Subject: Slammer/Sapphire Worm Update
Below is the latest advisory from Cisco. I wanted to get it out to the team as well as review a few points.

1. Systems that were protected by Host Sensor were immune to the attack (also servers protected by Okena's StormWatch). To get your customers a demo copy of StormWatch send them here http://www.okena.com/free_eval.html, and I have included the Okena requirements .pdf.
2. The patch from Microsoft contained other bugs that caused memory leaks in the application.
3. The FIB (CEF) based architecture that is unique to Cisco products (read Extreme, Foundry, etc. don't have it) allowed networks to stay up, while others melted.
4. A firewall, a NIDS device, a router, or a switch could not have prevented either the attack or the subsequent denial of service, ONLY A SYSTEM THAT INCLUDES ALL OF THESE DEVICES, AND A PROCEDURE TO PUT THEM IN PLACE could prevent or limit the effects of this attack.

I hope this message has been helpful.
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Cisco Security Advisory: Microsoft SQL Server 2000 Vulnerabilities in Cisco Products - MS02-061

Revision 1.0
INTERIM
====================

For Public Release 2003 January 26 05:30 GMT
- -----------------------------------------------------------------------------
Please provide your feedback on this document.
- -----------------------------------------------------------------------------

Contents
========

Summary
Affected Products
Details
Impact
Software Versions and Fixes
Obtaining Fixed Software
Workarounds
Exploitation and Public Announcements
Status of This Notice
Distribution
Revision History
Cisco Security Procedures

- -----------------------------------------------------------------------------
Summary
=======

This advisory describes a vulnerability that affects Cisco products and applications that are installed on Microsoft operating systems incorporating the use of the Microsoft SQL Server 2000 and is based on the vulnerability of SQL Server 2000, not due to a defect of the Cisco product or application.

A number of vulnerabilities have been discovered that enable an attacker to execute arbitrary code or perform a denial of service against the server. These vulnerabilities were discovered and publicly announced by Microsoft in their Microsoft Security Bulletins MS02-039, MS02-056, and MS02-061.

All Cisco products and applications that are using unpatched Microsoft SQL Server 2000 are considered vulnerable.

This advisory is available at http://www.cisco.com/warp/public/707/cisco-sa-20030126-ms02-061.shtml.
Affected Products
=================

To determine if a product is vulnerable, review the list below. If the software versions or configuration information are provided, then only those combinations are vulnerable.

  * Cisco CallManager 3.3(x)
  * Cisco Unity 3.x, 4.x
  * Cisco Intelligent Contact Management (ICM) 5.0
  * Cisco E-Mail Manager (CeM)
  * Cisco Building Broadband Service Manager 5.0, 5.1

No other Cisco product is currently known to be affected by this vulnerability.
Details
=======

Implementations of the Microsoft SQL Server 2000 are vulnerable to buffer overflows and denial of service attacks. These vulnerabilities can be exploited to execute arbitrary code on a computer system or to disrupt normal operation of the server.

The vulnerabilities have been described in more detail at

  http://www.microsoft.com/technet/security/bulletin/MS02-039.asp
  http://www.microsoft.com/technet/security/bulletin/MS02-056.asp
  http://www.microsoft.com/technet/security/bulletin/MS02-061.asp

Impact
======

According to Microsoft, the vulnerabilities range from an attacker gaining additional privileges on a SQL server to gaining control over the SQL Server.

Additionally the MS SQL "Sapphire" Worm is known to exploit this same vulnerability which can result in degraded network performance as the worm attempts to propagate.
Software Versions and Fixes
===========================

Cisco CallManager

  Customers running version 3.3(x) should install Cisco's cumulative SQL 2000 Hotfix, SQL2K-MS02-061.exe, from http://www.cisco.com/tacpage/sw-center/telephony/crypto/voice-apps/.

Cisco Unity

  Customers should install the Microsoft SQL 2000 Service Pack 2 (SP2) and Security Rollup 1 (SRP1) "Q323875_SQL2000_SP2_en.EXE". Both are available on the Microsoft website at the following location: http://support.microsoft.com/default.aspx?scid=kb;en-us;Q316333&sd=tech

Cisco Intelligent Contact Management

  Customers should install the Microsoft SQL 2000 Service Pack 3 (SP3). It is available on the Microsoft website at the following location: http://www.microsoft.com/sql/downloads/2000/sp3.asp

Cisco E-Mail Manager

  Customers should install the Microsoft SQL 2000 Service Pack 3 (SP3). It is available on the Microsoft website at the following location: http://www.microsoft.com/sql/downloads/2000/sp3.asp

Cisco Building Broadband Service Manager

  This section will be updated within 24 hours with more details on patch availability.
Obtaining Fixed Software
========================

Where Cisco provides the operating system bundled with the product, Cisco is offering free software upgrades to address these vulnerabilities for all affected customers. Customers may only install and expect support for the feature sets they have purchased.

Customers with service contracts should contact their regular update channels to obtain any software release containing the feature sets they have purchased. For most customers with service contracts, this means that upgrades should be obtained through the Software Center on Cisco's Worldwide Web site at http://www.cisco.com/tacpage/sw-center/.

Customers whose Cisco products are provided or maintained through a prior or existing agreement with third-party support organizations such as Cisco Partners, authorized resellers, or service providers should contact that support organization for assistance with obtaining the free software upgrade(s).

Customers who purchased directly from Cisco but who do not hold a Cisco service contract, and customers who purchase through third party vendors but are unsuccessful at obtaining fixed software through their point of sale, should obtain fixed software by contacting the Cisco Technical Assistance Center (TAC) using the contact information listed below. In these cases, customers are entitled to obtain an upgrade to a later version of the same release or as indicated by the applicable row in the Software Versions and Fixes table (noted above).

Cisco TAC contacts are as follows:

  * +1 800 553 2447 (toll free from within North America)
  * +1 408 526 7209 (toll call from anywhere in the world)
  * e-mail: tac@cisco.com

See http://www.cisco.com/warp/public/687/Directory/DirTAC.shtml for additional TAC contact information, including special localized telephone numbers and instructions and e-mail addresses for use in various languages.

Please have your product serial number available and give the URL of this notice as evidence of your entitlement to a free upgrade.

Please do not contact either "psirt@cisco.com" or "security-alert@cisco.com" for software upgrades.
Workarounds
===========

Cisco has published a companion document at http://www.cisco.com/warp/public/707/cisco-sn-20030125-worm.shtml which provides network based workarounds to mitigate the effects of these vulnerabilities. Cisco also recommends applying the software based fixes to affected devices to completely resolve the vulnerability.
Exploitation and Public Announcements
=====================================

This issue is being exploited actively and has been discussed in numerous public announcements and messages.
Status of This Notice: Interim
==============================

This is an Interim advisory. Although Cisco cannot guarantee the accuracy of all statements in this notice, all of the facts have been checked to the best of our ability. Cisco does not anticipate issuing updated versions of this advisory unless there is some material change in the facts. Should there be a significant change in the facts, Cisco may update this advisory.
Distribution
============

This notice will be posted on Cisco's Worldwide Web site at http://www.cisco.com/warp/public/707/cisco-sa-20030126-ms02-061.shtml.

In addition to Worldwide Web posting, a text version of this notice is clear-signed with the Cisco PSIRT PGP key and is posted to the following e-mail and Usenet news recipients:

  * cust-security-announce@cisco.com
  * bugtraq@securityfocus.com
  * full-disclosure@lists.netsys.com
  * first-teams@first.org (includes CERT/CC)
  * cisco@spot.colorado.edu
  * cisco-nsp@puck.nether.net
  * comp.dcom.sys.cisco
  * firewalls@lists.gnac.com
  * Various internal Cisco mailing lists

Future updates of this notice, if any, will be placed on Cisco's Worldwide Web server, but may or may not be actively announced on mailing lists or newsgroups. Users concerned about this problem are encouraged to check the URL given above for any updates.
Revision History
================

+-------------------------------------------------------------------------+
|Revision Number |1.0 |Initial Public Release                             |
+-------------------------------------------------------------------------+
Cisco Product Security Procedures
=================================

Complete information on reporting security vulnerabilities in Cisco products, obtaining assistance with security incidents, and registering to receive security information from Cisco, is available on Cisco's Worldwide Web site at http://www.cisco.com/warp/public/707/sec_incident_response.shtml. This includes instructions for press inquiries regarding Cisco security notices. All Cisco Security Advisories are available at http://www.cisco.com/go/psirt/.

- -----------------------------------------------------------------------------
This notice is Copyright 2003 by Cisco Systems, Inc. This notice may be redistributed freely after the release date given at the top of the text, provided that redistributed copies are complete and unmodified, and include all date and version information.
- -----------------------------------------------------------------------------