MS-SQL version overflow attempt
Versions of Microsoft's implementation of SQL Server running the resolution service are subject to multiple buffer overflows.
It is possible to overwrite memory with data of the attacker's choosing, resulting in a denial of service or possible code execution. This is done by sending carefully crafted packets to the resolution service running on the server.
It is also possible for the attacker to cause a denial of service by sending a spoofed packet purporting to be from one SQL server to another. The resulting exchange between the two servers could result in a denial of service.
- Cisco BBSM 5.0
- Cisco BBSM 5.1
- Cisco CallManager 3.3.x
- Cisco Unity 3.x
- Cisco Unity 4.x
- Microsoft .NET Framework 1.0
- Microsoft SQL Server 2000
- Windows 2000 Any version
- Windows NT Any version
The SQL Slammer (Sapphire) worm exploited the vulnerabilities in this service.
This rule can be triggered by UDP responses to requests originating from ephemeral port 1434. Example: a DNS response with transaction ID between 0x0400 and 0x04FF.
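The false-positive case above can be checked during alert triage. The following is an added example, not part of the original rule documentation; it assumes the rule keys on a first payload byte of 0x04 sent to UDP port 1434 (inferred from the transaction ID range given above), and the function names, verdict strings and sample datagrams are constructed for illustration.

```python
import struct

SQL_RESOLUTION_PORT = 1434  # port named on this page
DNS_PORT = 53

def looks_like_dns_response(payload: bytes) -> bool:
    """True if the first 12 bytes parse as a plausible DNS response header."""
    if len(payload) < 12:
        return False
    _txid, flags, qd, an, ns, ar = struct.unpack("!6H", payload[:12])
    is_response = bool(flags & 0x8000)   # QR bit set
    opcode = (flags >> 11) & 0xF         # 0 = standard query
    return is_response and opcode == 0 and qd == 1 and (an + ns + ar) <= 64

def triage(src_port: int, dst_port: int, payload: bytes) -> str:
    """Classify a UDP datagram that may have tripped the rule."""
    # Assumption: the rule matches a first payload byte of 0x04 to port 1434.
    if dst_port != SQL_RESOLUTION_PORT or not payload or payload[0] != 0x04:
        return "no-match"
    if src_port == DNS_PORT and looks_like_dns_response(payload):
        return "likely-false-positive"
    return "needs-review"

def sample_dns_response(txid: int) -> bytes:
    """Constructed DNS answer: example.com -> 192.0.2.1 (documentation range)."""
    header = struct.pack("!6H", txid, 0x8180, 1, 1, 0, 0)
    question = b"\x07example\x03com\x00" + struct.pack("!HH", 1, 1)
    answer = b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 300, 4) + bytes([192, 0, 2, 1])
    return header + question + answer

if __name__ == "__main__":
    # Constructed datagrams: (source port, destination port, payload)
    samples = [
        (53, 1434, sample_dns_response(0x04A1)),   # DNS reply to a client on port 1434
        (40000, 1434, b"\x04" + bytes(120)),       # 0x04 lead byte, not DNS (filler)
        (53, 1434, sample_dns_response(0x1234)),   # txid outside 0x0400-0x04FF
    ]
    for src, dst, data in samples:
        print(src, dst, len(data), triage(src, dst, data))
```

A "likely-false-positive" verdict only means the datagram is shaped like a DNS reply; confirm it against the matching outbound query in flow logs before closing the alert.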
- Update all instances of the vulnerable systems with patches from the vendor.
- Use a firewall to deny access to ports used by the SQL server, usually 1433 and 1434, from the Internet.