
Initial SQL worm cleanup simple, patching may not be so easy

System administrators may have a struggle on their hands trying to patch their vulnerable SQL Servers to avoid infection from the Slammer worm.

Don't expect the Slammer worm to go away any time soon.

The worm, which hit early Saturday morning and overwhelmed some large national Internet service providers in different countries and as many as five of the Internet's root Domain Name System (DNS) servers, exploits a vulnerability in Microsoft SQL Server.

The vulnerability is a serious buffer overflow flaw in the SQL Server 2000 Resolution Service. Microsoft issued a patch for the flaw on July 24, 2002 and included it in SQL Server 2000 Service Pack 3. Though the worm sits in memory and can be cleaned up by simply rebooting an impacted server, administrators need to patch their systems to avoid re-infection.

However, according to Dan Ingevaldson, team lead for ISS' XForce, the hotfix for this vulnerability will not work without the vulnerable SQL Server being updated with Service Pack 2 first.

"This is a huge issue," Ingevaldson said. "It's not something you can just apply and it's done. I think the impact of this is going to be felt for some time."

SQL Server 2000 is able to host multiple instances of SQL Server on a single physical machine, allowing each instance to operate as a separate server, according to the July bulletin from Microsoft warning of the vulnerability. Not all instances, however, can listen on the standard SQL Server session port, TCP 1433. The SQL Server Resolution Service operates on UDP port 1434 and provides a way for clients to query for the appropriate network endpoint to use for a particular SQL Server instance.

Slammer is exploiting a buffer overflow flaw in the Resolution Service and is using port 1434 to spread to other vulnerable systems. It is creating massive amounts of traffic as it does so. ISS said it has seen billions of scan or propagation attempts on port 1434.
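The propagation pattern described above (one infected host sending UDP/1434 datagrams to large numbers of addresses in a very short time) is what distinguishes worm traffic from a legitimate client asking the Resolution Service for an instance endpoint. The script below is an added example, not code from the article or from ISS or Microsoft: it parses a constructed firewall flow log (the line format is an assumption) and flags any source that reaches an unusually large number of distinct hosts on UDP/1434 within a one-second window, which is the sort of check a network team could run over its own logs to find infected servers that need to be isolated, rebooted and patched.

```python
"""Flag worm-style scanning of the SQL Server Resolution Service (UDP/1434)
in firewall flow logs. Added example; the log line format is an assumption."""
import re
from collections import defaultdict

# Constructed sample log (not from the article). Assumed format:
# "<epoch_seconds> <proto> <src_ip>:<src_port> -> <dst_ip>:<dst_port>"
LEGIT_LINES = [
    "1043557200 UDP 10.0.0.8:1123 -> 10.0.1.17:1434",  # client resolves one instance endpoint
    "1043557201 TCP 10.0.0.8:1124 -> 10.0.1.17:1433",  # then opens its session on TCP 1433
    "1043557260 UDP 10.0.0.8:1125 -> 10.0.1.17:1434",  # same client, a minute later
]
# One infected host spraying UDP/1434 at 40 different addresses in the same second
# (addresses are from the documentation range; the source port is arbitrary).
WORM_LINES = [
    f"1043557300 UDP 10.0.0.5:1036 -> 192.0.2.{i}:1434" for i in range(1, 41)
]
SAMPLE_LOG = "\n".join(LEGIT_LINES + WORM_LINES)

LINE_RE = re.compile(r"^(\d+) (\w+) ([\d.]+):(\d+) -> ([\d.]+):(\d+)$")


def parse_log(text):
    """Parse flow lines into tuples; lines that do not match the format are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ts, proto, src, sport, dst, dport = m.groups()
        events.append((int(ts), proto.upper(), src, int(sport), dst, int(dport)))
    return events


def find_ssrp_scanners(events, window_seconds=1, distinct_threshold=20):
    """Return {src_ip: peak_distinct_destinations} for every source that contacts at
    least `distinct_threshold` distinct hosts on UDP/1434 inside any `window_seconds`
    span. A real client resolves one or two servers; a propagating worm hits many."""
    by_src = defaultdict(list)
    for ts, proto, src, _sport, dst, dport in events:
        if proto == "UDP" and dport == 1434:
            by_src[src].append((ts, dst))

    flagged = {}
    for src, hits in by_src.items():
        hits.sort()
        seen = defaultdict(int)  # destination -> hits currently inside the window
        left = 0
        peak = 0
        for ts, dst in hits:
            seen[dst] += 1
            # Slide the left edge forward until the window is at most window_seconds wide.
            while ts - hits[left][0] > window_seconds:
                old_dst = hits[left][1]
                seen[old_dst] -= 1
                if seen[old_dst] == 0:
                    del seen[old_dst]
                left += 1
            peak = max(peak, len(seen))
        if peak >= distinct_threshold:
            flagged[src] = peak
    return flagged


if __name__ == "__main__":
    for src, peak in find_ssrp_scanners(parse_log(SAMPLE_LOG)).items():
        print(f"{src}: {peak} distinct UDP/1434 targets within 1s; "
              "isolate, reboot to clear memory, then patch before reconnecting")
```

The threshold and window are deliberately conservative: a host that asks one Resolution Service for an endpoint and then opens a TCP 1433 session never approaches twenty distinct targets per second, so the check stays quiet for normal client traffic while a single infected server trips it immediately.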

By mid-Saturday afternoon, ISS had raised its alert status on Slammer to Alert 4, the highest since Code Red and Nimda broke in 2001.

"This is the biggest Internet event we've seen in the last two years," Ingevaldson said.

The original bulletin lists three vulnerabilities: two buffer overflows in the Resolution Service that could allow for the execution of arbitrary code on the SQL Server, and a vulnerability in the keep-alive functionality of the service that could be used to launch a denial-of-service attack.

Slammer is a small worm, three lines of text long and 376 bytes.

"That's good and bad," Ingevaldson said. "It's fast and spreads heavily, that's why we're seeing a high level of latency. There are no hidden features with this worm. It sits in memory and its only purpose is to scan and propagate."

Slammer is succeeding because of the many unpatched systems still connected to the Internet. Microsoft initially labeled this flaw critical, yet many system administrators have yet to patch their SQL Servers.

"It just shows that system patching is difficult and expensive," Ingevaldson said. "It's hard to do and many don't do it unless they are under duress."

Code Red and Nimda exploited well-known vulnerabilities in Microsoft's Web server software, Internet Information Systems (IIS). Still, despite more than a year of warnings about the seriousness of the vulnerability, Code Red and Nimda hit more than 300,000 servers and left billions of dollars in cleanup costs behind them.

FOR MORE INFORMATION:

  • News exclusive: Update: SQL worm slows Internet; some root DNS servers down
  • Microsoft security bulletin MS02-039, including patch for SQL Server vulnerabilities

  • FEEDBACK: How arduous is patching vulnerable SQL Servers going to be post-Slammer?
    Let News Editor Michael S. Mimoso know.
