Cisco Security Advisory: MS SQL "Sapphire" Worm Mitigation Recommendations

From: Cisco Systems Product Security Incident Response Team (psirtat_private)
Date: Sat Jan 25 2003 - 12:30:00 PST

  • Next message: Marc Maiffret: "SQL Sapphire Worm Analysis" 

    -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Cisco Security Advisory: MS SQL "Sapphire" Worm Mitigation Recommendations
==============================================================================

Revision 1.0

For Public Release 2003 January 25 14:00:00 UTC

- -------------------------------------------------------------------------------

Contents
========

Summary
Details
Symptoms
Workarounds
Exploitation and Public Announcements
Status of This Notice
Distribution
Revision History
Cisco Security Procedures

- -------------------------------------------------------------------------------

Summary
=======

Cisco customers are currently experiencing attacks due to a new worm that has
hit the Internet. The signature of this worm appears to be high volumes of UDP
traffic to port 1434. Affected customers have been experiencing high volumes of
traffic from both internal and external systems. Symptoms on Cisco devices
include, but are not limited to high CPU and traffic drops on the input
interfaces.

http://www.eeye.com/html/Research/Flash/AL20030125.html leaving cisco.com

At the time of this notice there is no definitive analysis of the worm.

Details
=======

UDP port 1433 and 1434 are used for SQL server traffic. A new worm has been
targeting port 1434 and attempting to exploit a buffer overflow vulnerability
in Microsoft's SQL server. We have received reports that the worm targets port
1433 as well, however this is unverified at this time.

Microsoft has issued a security advisory about this issue, the details are
here:

http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/
bulletin/MS02-039.asp leaving cisco.com

For infected servers, MS recommends downloading Service Pack 3 for SqlSvr,
located here:

http://www.microsoft.com/sql/downloads/2000/sp3.asp?SD=GN&LN=en-us&gssnb=1 
leaving cisco.com

Symptoms
========

You may see instability in networks due to increased load. The traffic load
generated by this DoS is very high.

Workarounds
===========

Thus far the best mitigation is to block inbound and outbound traffic destined
to UDP port 1434. Care must be taken in regards to the impact on mission
critical services as 1434/udp and 1433/udp are used by Microsoft SQL Server.
Before blocking traffic to these ports completely make sure that the possible
effects on your network are understood.

Note: These workarounds block both ports 1433 and 1434, although we have
received no evidence yet that blocking port 1433 has any affect on the attack.
If your network requires traffic to flow on port 1433 please leave that portion
of the ACL out and monitor your results closely.

VACL on the 6500

To configure:

set security acl ip WORM deny udp any eq 1434 any
set security acl ip WORM deny udp any any eq 1434
set security acl ip WORM deny udp any eq 1433 any
set security acl ip WORM deny udp any any eq 1433
set security acl ip WORM permit any
commit security acl WORM
set security acl map WORM <vlan>

Set port to vlan based:

set port qos <mod/port> vlan-based

To verify:

show security acl info all

To remove:

clear security acl WORM
commit security acl WORM

ACL for IOS

Note: Log statement removed due to load issues on the router. If you are trying
to track source addresses, use NetFlow.

access-list 115 deny udp any any eq 1433
access-list 115 deny udp any any eq 1434
access-list 115 permit ip any any

int <interface>
ip access-group 115 in
ip access-group 115 out

Exploitation and Public Announcements
=====================================

This issue is being exploited actively and has been discussed in numerous
public announcements and messages. References include:

  * http://www.cert.org/advisories/CA-2003-04.html leaving cisco.com
  * http://www.eeye.com/html/Research/Flash/AL20030125.html leaving cisco.com

Status of This Notice: INTERIM
==============================

This is an interim notice. Although Cisco cannot guarantee the accuracy of all
statements in this notice, all of the facts have been checked to the best of
our ability. Cisco anticipates issuing updated versions of this notice when
there is material change in the facts.

Distribution
============

This notice will be posted on Cisco's worldwide website at http://www.cisco.com
/warp/public/707/cisco-sn-20030125-worm.shtml. In addition to worldwide web
posting, a text version of this notice is clear-signed with the Cisco PSIRT PGP
key and is posted to the following e-mail and Usenet news recipients:

  * cust-security-announceat_private
  * bugtraqat_private
  * full-disclosureat_private
  * first-teamsat_private (includes CERT/CC)
  * ciscoat_private
  * cisco-nspat_private
  * comp.dcom.sys.cisco
  * Various internal Cisco mailing lists

Future updates of this notice, if any, will be placed on Cisco's worldwide web
Users concerned about this problem are encouraged to check the URL given above
for any updates.

Revision History
================

+---------------------------------------------------------------------------+
|Revision  |25-January-2003|Initial public release.                         |
|1.0       |               |                                                |
+---------------------------------------------------------------------------+

Cisco Security Procedures
=========================

If you have any new information that would be of use to us, please send email
to psirtat_private Information regarding strategies for protecting against
Distributed Denial of Service attacks may be found at http://www.cisco.com/warp
/public/707/newsflash.html .

Complete information on reporting security vulnerabilities in Cisco products,
obtaining assistance with security incidents, and registering to receive
security information from Cisco, is available on Cisco's worldwide website at 
http://www.cisco.com/warp/public/707/sec_incident_response.shtml. This includes
instructions for press inquiries regarding Cisco security notices. All Cisco
Security Advisories are available at http://www.cisco.com/go/psirt/.

- -------------------------------------------------------------------------------

This notice is Copyright 2003 by Cisco Systems, Inc. This notice may be
redistributed freely after the release date given at the top of the text,
provided that redistributed copies are complete and unmodified, and include all
date and version information.

- -------------------------------------------------------------------------------



-----BEGIN PGP SIGNATURE-----
Version: PGP 7.0

iQA/AwUBPjLvSJPS/wbyNnWcEQJfkACbBvRVSNVIGPrVNbUFa36ljgskecIAn1lQ
NKkVnPmOjGcau3OjeIudkzyh
=KxPU
-----END PGP SIGNATURE-----

    This archive was generated by hypermail 2b30 : Sat Jan 25 2003 - 13:08:41 PST