[nsp]Cisco Security Advisory: MS SQL "Sapphire" Worm Mitigation Recommendations

Sean Crocker crockers at mail.trinicom.com
Mon Jan 27 00:42:03 EST 2003


Perhaps this could be modified to help detect compromised hosts on
your nets by prepending ACL entries that a) match your ip address
space and b) include the 'log' keyword.  Then you can use 'show
security acl log' to root out local culprits.  Example:

set security acl ip WORM deny udp a.b.0.0 255.255.0.0 any eq 1434 log before 1
set security acl ip WORM deny udp a.b.0.0 255.255.0.0 eq 1434 any log before 2
commit security acl WORM

sup> (enable) show security acl log flow udp any any 
Entry No. #1, IP Packet
----------------------------------------
Vlan Number            : 228
Mod/Port Number        : 3/5
Source IP address      : a.b.28.5
Destination IP address : a.b.28.81
UDP Source port        : 1086
UDP Destination port   : 1434
Received Packet Number : 1139

Entry No. #2, IP Packet
----------------------------------------
Vlan Number            : 228
Mod/Port Number        : 3/5
Source IP address      : a.b.28.5
Destination IP address : a.b.28.65
UDP Source port        : 1826
UDP Destination port   : 1434
Received Packet Number : 1146

...and so on.  No caveats to doing this that I'm aware of.

Sean
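The logging trick above produces one "Entry No." block per flow, which gets tedious to read by hand once a few hosts are infected. The script below is an added example (not part of Sean's post or Cisco's advisory): it parses `show security acl log flow` output in the CatOS format shown above, keeps only flows from your own address space to UDP/1434, and reports sources that fanned out to several distinct destinations, which is the scanning pattern this worm produces. The sample log text is constructed, with 10.1.0.0/16 standing in for the `a.b.0.0` prefix in the post; the field names are taken from the output format above and are assumed to be stable.

```python
"""Summarise CatOS `show security acl log flow` output to find local hosts
scanning UDP/1434 (added example; sample data below is constructed)."""
import ipaddress
import re
from collections import defaultdict

# Constructed sample in the same layout as the post's `show security acl log` output.
SAMPLE_LOG = """\
Entry No. #1, IP Packet
----------------------------------------
Vlan Number            : 228
Mod/Port Number        : 3/5
Source IP address      : 10.1.28.5
Destination IP address : 10.1.28.81
UDP Source port        : 1086
UDP Destination port   : 1434
Received Packet Number : 1139

Entry No. #2, IP Packet
----------------------------------------
Vlan Number            : 228
Mod/Port Number        : 3/5
Source IP address      : 10.1.28.5
Destination IP address : 10.1.28.65
UDP Source port        : 1826
UDP Destination port   : 1434
Received Packet Number : 1146

Entry No. #3, IP Packet
----------------------------------------
Vlan Number            : 228
Mod/Port Number        : 3/5
Source IP address      : 10.1.28.5
Destination IP address : 10.1.28.12
UDP Source port        : 2201
UDP Destination port   : 1434
Received Packet Number : 1150

Entry No. #4, IP Packet
----------------------------------------
Vlan Number            : 228
Mod/Port Number        : 3/12
Source IP address      : 10.1.28.9
Destination IP address : 10.1.28.40
UDP Source port        : 1055
UDP Destination port   : 1434
Received Packet Number : 1158

Entry No. #5, IP Packet
----------------------------------------
Vlan Number            : 228
Mod/Port Number        : 3/1
Source IP address      : 192.0.2.7
Destination IP address : 10.1.28.5
UDP Source port        : 4422
UDP Destination port   : 1434
Received Packet Number : 1161

Entry No. #6, IP Packet
----------------------------------------
Vlan Number            : 228
Mod/Port Number        : 3/5
Source IP address      : 10.1.28.5
Destination IP address : 10.1.28.2
UDP Source port        : 1099
UDP Destination port   : 53
Received Packet Number : 1170
"""

ENTRY_RE = re.compile(r"^Entry No\. #(?P<num>\d+), IP Packet\s*$")
FIELD_RE = re.compile(r"^\s*(?P<key>[A-Za-z/ ]+?)\s*:\s*(?P<value>\S+)\s*$")


def parse_acl_log(text):
    """Return one dict per 'Entry No.' block, keyed by the field names in the output."""
    entries, current = [], None
    for line in text.splitlines():
        if ENTRY_RE.match(line):
            current = {}
            entries.append(current)
            continue
        if current is None:
            continue
        m = FIELD_RE.match(line)
        if m:
            current[m.group("key").strip()] = m.group("value")
    return entries


def suspect_hosts(text, local_net, port=1434, min_targets=2):
    """Group logged flows by local source address and return those that hit at
    least `min_targets` distinct destinations on UDP `port` (worm-like fan-out).
    External sources and other ports are ignored; a.b.0.0/16 in the post is
    passed here as `local_net`."""
    net = ipaddress.ip_network(local_net)
    seen = defaultdict(lambda: {"vlan": None, "port": None, "targets": set()})
    for e in parse_acl_log(text):
        try:
            src = ipaddress.ip_address(e["Source IP address"])
        except (KeyError, ValueError):
            continue  # malformed block: skip rather than guess
        if src not in net or e.get("UDP Destination port") != str(port):
            continue
        rec = seen[str(src)]
        rec["vlan"] = e.get("Vlan Number")
        rec["port"] = e.get("Mod/Port Number")
        rec["targets"].add(e.get("Destination IP address"))
    return {
        src: {"vlan": r["vlan"], "port": r["port"],
              "targets": sorted(r["targets"], key=ipaddress.ip_address)}
        for src, r in seen.items() if len(r["targets"]) >= min_targets
    }


if __name__ == "__main__":
    for src, info in suspect_hosts(SAMPLE_LOG, "10.1.0.0/16").items():
        print(f"{src} on vlan {info['vlan']} port {info['port']} -> "
              f"{len(info['targets'])} hosts: {', '.join(info['targets'])}")
```

Feed it the saved output of `show security acl log flow udp any any` in place of the constructed sample; the Mod/Port value tells you which switch port to look at, and raising `min_targets` filters out a host that legitimately talks to one SQL server.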

>-----BEGIN PGP SIGNED MESSAGE-----
>Hash: SHA1
>
>Cisco Security Advisory: MS SQL "Sapphire" Worm Mitigation Recommendations
>==============================================================================
>
>Revision 1.0
>
>For Public Release 2003 January 25 14:00:00 UTC
>
>- -------------------------------------------------------------------------------
>
>Contents
>========
>
>Summary
>Details
>Symptoms
>Workarounds
>Exploitation and Public Announcements
>Status of This Notice
>Distribution
>Revision History
>Cisco Security Procedures
>
>- -------------------------------------------------------------------------------
>
>Summary
>=======
>
>Cisco customers are currently experiencing attacks due to a new worm that has
>hit the Internet. The signature of this worm appears to be high volumes of UDP
>traffic to port 1434. Affected customers have been experiencing high volumes of
>traffic from both internal and external systems. Symptoms on Cisco devices
>include, but are not limited to, high CPU and traffic drops on the input
>interfaces.
>
>http://www.eeye.com/html/Research/Flash/AL20030125.html leaving cisco.com
>
>At the time of this notice there is no definitive analysis of the worm.
>
>Details
>=======
>
>UDP port 1433 and 1434 are used for SQL server traffic. A new worm has been
>targeting port 1434 and attempting to exploit a buffer overflow vulnerability
>in Microsoft's SQL server. We have received reports that the worm targets port
>1433 as well, however this is unverified at this time.
>
>Microsoft has issued a security advisory about this issue, the details are
>here:
>
>http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/bulletin/MS02-039.asp leaving cisco.com
>
>For infected servers, MS recommends downloading Service Pack 3 for SqlSvr,
>located here:
>
>http://www.microsoft.com/sql/downloads/2000/sp3.asp?SD=GN&LN=en-us&gssnb=1 leaving cisco.com
>
>Symptoms
>========
>
>You may see instability in networks due to increased load. The traffic load
>generated by this DoS is very high.
>
>Workarounds
>===========
>
>Thus far the best mitigation is to block inbound and outbound traffic destined
>to UDP port 1434. Care must be taken in regards to the impact on mission
>critical services as 1434/udp and 1433/udp are used by Microsoft SQL Server.
>Before blocking traffic to these ports completely make sure that the possible
>effects on your network are understood.
>
>Note: These workarounds block both ports 1433 and 1434, although we have
>received no evidence yet that blocking port 1433 has any effect on the attack.
>If your network requires traffic to flow on port 1433 please leave that portion
>of the ACL out and monitor your results closely.
>
>VACL on the 6500
>
>To configure:
>
>set security acl ip WORM deny udp any eq 1434 any
>set security acl ip WORM deny udp any any eq 1434
>set security acl ip WORM deny udp any eq 1433 any
>set security acl ip WORM deny udp any any eq 1433
>set security acl ip WORM permit any
>commit security acl WORM
>set security acl map WORM <vlan>
>
>Set port to vlan based:
>
>set port qos <mod/port> vlan-based
>
>To verify:
>
>show security acl info all
>
>To remove:
>
>clear security acl WORM
>commit security acl WORM
>
>ACL for IOS
>
>Note: Log statement removed due to load issues on the router. If you are trying
>to track source addresses, use NetFlow.
>
>access-list 115 deny udp any any eq 1433
>access-list 115 deny udp any any eq 1434
>access-list 115 permit ip any any
>
>int <interface>
>ip access-group 115 in
>ip access-group 115 out
>
>Exploitation and Public Announcements
>=====================================
>
>This issue is being exploited actively and has been discussed in numerous
>public announcements and messages. References include:
>
>  * http://www.cert.org/advisories/CA-2003-04.html leaving cisco.com
>  * http://www.eeye.com/html/Research/Flash/AL20030125.html leaving cisco.com
>
>Status of This Notice: INTERIM
>==============================
>
>This is an interim notice. Although Cisco cannot guarantee the accuracy of all
>statements in this notice, all of the facts have been checked to the best of
>our ability. Cisco anticipates issuing updated versions of this notice when
>there is material change in the facts.
>
>Distribution
>============
>
>This notice will be posted on Cisco's worldwide website at
>http://www.cisco.com/warp/public/707/cisco-sn-20030125-worm.shtml. In addition to worldwide web
>posting, a text version of this notice is clear-signed with the Cisco PSIRT PGP
>key and is posted to the following e-mail and Usenet news recipients:
>
>  * cust-security-announce at cisco.com
>  * bugtraq at securityfocus.com
>  * full-disclosure at lists.netsys.com
>  * first-teams at first.org (includes CERT/CC)
>  * cisco at spot.colorado.edu
>  * cisco-nsp at puck.nether.net
>  * comp.dcom.sys.cisco
>  * Various internal Cisco mailing lists
>
>Future updates of this notice, if any, will be placed on Cisco's worldwide web
>Users concerned about this problem are encouraged to check the URL given above
>for any updates.
>
>Revision History
>================
>
>+---------------------------------------------------------------------------+
>|Revision  |25-January-2003|Initial public release.                         |
>|1.0       |               |                                                |
>+---------------------------------------------------------------------------+
>
>Cisco Security Procedures
>=========================
>
>If you have any new information that would be of use to us, please send email
>to psirt at cisco.com. Information regarding strategies for protecting against
>Distributed Denial of Service attacks may be found at
>http://www.cisco.com/warp/public/707/newsflash.html .
>
>Complete information on reporting security vulnerabilities in Cisco products,
>obtaining assistance with security incidents, and registering to receive
>security information from Cisco, is available on Cisco's worldwide website at 
>http://www.cisco.com/warp/public/707/sec_incident_response.shtml. This includes
>instructions for press inquiries regarding Cisco security notices. All Cisco
>Security Advisories are available at http://www.cisco.com/go/psirt/.
>
>- -------------------------------------------------------------------------------
>
>This notice is Copyright 2003 by Cisco Systems, Inc. This notice may be
>redistributed freely after the release date given at the top of the text,
>provided that redistributed copies are complete and unmodified, and include all
>date and version information.
>
>- -------------------------------------------------------------------------------
>
>
>
>-----BEGIN PGP SIGNATURE-----
>Version: PGP 7.0
>
>iQA/AwUBPjLvSJPS/wbyNnWcEQJfkACbBvRVSNVIGPrVNbUFa36ljgskecIAn1lQ
>NKkVnPmOjGcau3OjeIudkzyh
>=KxPU
>-----END PGP SIGNATURE-----
>