How to check for Slammer Vulnerabilities

  • SeeCoolGuy

    SSCrazy

    Points: 2871

    I'm very confused on the following:

    I was trying to put a network co-worker's mind at ease and assure him that all my SQL Servers are patched and up to date, when I ran MS's sqlscan utility and found the following lines very, very disturbing! The snapshot below is a snapshot of my SQL Servers, and even though the SQL Version shows them at 8.00.2039 (SP4), the program came back reporting them vulnerable. None of them have blank SA passwords either, and some of the servers have alternate listening ports from 1433, so what gives?

    Instance Name          Status      SQL Version  Product Level  sqlservr.exe Product
    MSSQL$MICROSOFTSMLBIZ  UNKNOWN     0            unknown        N/A
    MSSQL$TRACKIT70_2      UP TO DATE  8            SP3            8.00.760
    MSSQLSERVER            VULNERABLE  8            RTM            8.00.194
    MSSQLSERVER            VULNERABLE  8            Unknown        8.00.2039
    MSSQLSERVER            VULNERABLE  8            Unknown        8.00.2039
    MSSQLSERVER            VULNERABLE  8            Unknown        8.00.2039
    MSSQLSERVER            VULNERABLE  8            Unknown        8.00.2039
    MSSQLSERVER            VULNERABLE  8            Unknown        8.00.2039
    MSSQL$BKUPEXEC         UP TO DATE  8            SP3            8.00.760
    MSSQL$BKUPEXEC         UP TO DATE  8            SP3            8.00.760
    MSSQL$BKUPEXEC         UP TO DATE  8            SP3            8.00.760
    MSSQL$BKUPEXEC         UP TO DATE  8            SP3            8.00.760
    MSSQLSERVER            UP TO DATE  8            SP3            8.00.760
    MSSQL$BKUPEXEC         UP TO DATE  8            SP3            8.00.760
    MSSQLSERVER            UP TO DATE  8            SP3            8.00.760
    MSSQLSERVER            UP TO DATE  8            SP3            8.00.760
    MSSQLSERVER            VULNERABLE  8            Unknown        8.00.2039
    MSSQL$BKUPEXEC         UP TO DATE  8            SP3            8.00.760
    MSSQLSERVER            VULNERABLE  8            Unknown        8.00.2039
    MSSQL$KBMSS            UP TO DATE  8            SP3            8.00.760
    MSSQL$KBMSS            UP TO DATE  8            SP3            8.00.760
    MSSQL$BKUPEXEC         UP TO DATE  8            SP3            8.00.760
    MSSQLSERVER            UP TO DATE  8            SP3            8.00.760
    MSSQLSERVER            UP TO DATE  8            SP3            8.00.760
    MSSQLSERVER            UP TO DATE  8            SP3            8.00.760
    MSSQLSERVER            UP TO DATE  8            SP3            8.00.760

    The suggested hotfix is:

    http://www.microsoft.com/downloads/details.aspx?familyid=9552d43b-04eb-4af9-9e24-6cde4d933600&displaylang=en

    Quick Details

    Version: 8.00.0194

    Security Bulletins: MS02-039

    Date Published: 2/20/2003

    Language: English

    Download Size: 11 KB - 21.8 MB*

    But by reading the documentation, after installing SP4 on a SQL Server, you should not be vulnerable to the Slammer worm, though the sqlscan tool doesn't yield these results.

    -- Francisco

  • Keith Risman

    SSC Veteran

    Points: 287

    Even though there is an SA password, it is possible that either the SA password or the domain password is too short or not complex enough. I believe that would result in a security warning.

    I don't know if the SA account, if given sysadmin privileges rather than just database-specific privileges, could also result in a vulnerability warning.

    These at least are a couple of thoughts on the matter.

  • SeeCoolGuy

    SSCrazy

    Points: 2871

    That's easy enough to check then, I'll take one of the servers and change the SA pwd to something longer, as it is I've never liked the pwd that was put on there before me.

    -- Francisco

  • Keith Risman

    SSC Veteran

    Points: 287

    It must be 8 characters long, include upper and lower case and at least one special character with no common words to meet the complexity requirements.

  • vadba

    SSChampion

    Points: 11132

    I think the problem is that the sqlscan tool was written prior to the release of SP4. I just downloaded and ran it, and anything related to SP4 (build 2039) is unknown, and therefore considered vulnerable. If you've got SP4, you're safe (from Slammer, at least).

    You would be better off running the Microsoft Baseline Security Analyzer.

    http://www.microsoft.com/technet/security/tools/mbsahome.mspx
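
Added example (not part of the original posts and not Microsoft's tool): a re-check of rows in the layout quoted in the first post that compares the sqlservr.exe build numerically instead of matching a list of known builds, so a build newer than the scanner's data is not reported as vulnerable by default. The SP3 threshold comes from the statuses and replies in this thread; the sample rows, function names and verdict labels are constructed for illustration.

```python
import re

# Assumption taken from this thread: the scan reports SP3 (8.00.760) as
# UP TO DATE and the replies state SP4 (8.00.2039) is patched, so any
# SQL Server 2000 build at or above SP3 is treated as carrying the fix.
FIXED_FROM = (8, 0, 760)

# Constructed sample rows in the layout of the scan output quoted above.
SAMPLE = """\
MSSQL$MICROSOFTSMLBIZ UNKNOWN 0 unknown N/A
MSSQL$TRACKIT70_2 UP TO DATE 8 SP3 8.00.760
MSSQLSERVER VULNERABLE 8 RTM 8.00.194
MSSQLSERVER VULNERABLE 8 Unknown 8.00.2039
"""

ROW = re.compile(
    r"^(?P<instance>\S+)\s+(?P<status>UP TO DATE|VULNERABLE|UNKNOWN)\s+"
    r"(?P<major>\d+)\s+(?P<level>\S+)\s+(?P<build>\S+)$"
)

def parse_build(text):
    """Return (major, minor, build) as ints, or None if not a version."""
    m = re.fullmatch(r"(\d+)\.(\d+)\.(\d+)", text)
    return tuple(int(p) for p in m.groups()) if m else None

def reassess(line):
    """Re-evaluate one scan row by comparing the build numerically."""
    m = ROW.match(line.strip())
    if not m:
        return None
    build = parse_build(m["build"])
    if build is None:
        verdict = "NO VERSION"        # the scan could not read a build
    elif build[:2] != FIXED_FROM[:2]:
        verdict = "OUT OF SCOPE"      # not a SQL Server 2000 (8.00.x) build
    elif build >= FIXED_FROM:
        verdict = "PATCHED LEVEL"     # SP3 or later, including unknown newer
    else:
        verdict = "BELOW SP3"         # review hotfix / service pack level
    return {
        "instance": m["instance"],
        "tool_status": m["status"],
        "verdict": verdict,
        # Scanner said VULNERABLE although the build is at or above SP3.
        "disputed": m["status"] == "VULNERABLE" and verdict == "PATCHED LEVEL",
    }

def review(text):
    """Reassess every parsable row; unparsable lines are skipped."""
    return [r for r in map(reassess, text.splitlines()) if r]
```

Rows marked `disputed` are the ones worth confirming with a second tool, as the thread goes on to do.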

  • Steve Jones - SSC Editor

    SSC Guru

    Points: 719896

    I agree with mkeast. SP4 is Slammer patched.

  • SeeCoolGuy

    SSCrazy

    Points: 2871

    I've downloaded BSA and am running against the "vulnerable" reported systems.

    -- Francisco

  • SeeCoolGuy

    SSCrazy

    Points: 2871

    Ran the BSA product and the report it generated was very interesting. It did come back with what is known about the servers, such as some that still have the builtin\administrator group, but that was before my time on those servers. None came back saying it was possibly vulnerable to Slammer, though, so positive results IMHO.

    -- Francisco

  • SeeCoolGuy

    SSCrazy

    Points: 2871

    So I ran the BSA from MS, but my sysadmin still believes that I may need to apply the hotfix from: http://www.microsoft.com/downloads/details.aspx?familyid=9552d43b-04eb-4af9-9e24-6cde4d933600&displaylang=en

    Quick Details

    Version: 8.00.0194

    Security Bulletins: MS02-039

    Date Published: 2/20/2003

    Language: English

    Download Size: 11 KB - 21.8 MB*

    I'm concerned because these files are older in many cases than the newer files installed by SP4; in essence I'd be SP-4 but possibly mid SP3a.

    -- Francisco
