July 12, 2006 at 12:44 pm
I'm very confused on the following:
I was trying to put a network co-worker's mind at ease and assure him that all my SQL Servers are patched and up to date when I ran MS's sqlscan utility and found the following lines very, very disturbing! The snapshot below is of my SQL Servers, and even though the SQL version shows them at 8.00.2039 (SP4), the program came back reporting them vulnerable. None of them have blank SA passwords either, and some of the servers have alternate listening ports from 1433, so what gives?
| Instance Name | Status | SQL Version | Product Level | sqlservr.exe Product |
|---|---|---|---|---|
| MSSQL$MICROSOFTSMLBIZ | UNKNOWN | 0 | unknown | N/A |
| MSSQL$TRACKIT70_2 | UP TO DATE | 8 | SP3 | 8.00.760 |
| MSSQLSERVER | VULNERABLE | 8 | RTM | 8.00.194 |
| MSSQLSERVER | VULNERABLE | 8 | Unknown | 8.00.2039 |
| MSSQLSERVER | VULNERABLE | 8 | Unknown | 8.00.2039 |
| MSSQLSERVER | VULNERABLE | 8 | Unknown | 8.00.2039 |
| MSSQLSERVER | VULNERABLE | 8 | Unknown | 8.00.2039 |
| MSSQLSERVER | VULNERABLE | 8 | Unknown | 8.00.2039 |
| MSSQL$BKUPEXEC | UP TO DATE | 8 | SP3 | 8.00.760 |
| MSSQL$BKUPEXEC | UP TO DATE | 8 | SP3 | 8.00.760 |
| MSSQL$BKUPEXEC | UP TO DATE | 8 | SP3 | 8.00.760 |
| MSSQL$BKUPEXEC | UP TO DATE | 8 | SP3 | 8.00.760 |
| MSSQLSERVER | UP TO DATE | 8 | SP3 | 8.00.760 |
| MSSQL$BKUPEXEC | UP TO DATE | 8 | SP3 | 8.00.760 |
| MSSQLSERVER | UP TO DATE | 8 | SP3 | 8.00.760 |
| MSSQLSERVER | UP TO DATE | 8 | SP3 | 8.00.760 |
| MSSQLSERVER | VULNERABLE | 8 | Unknown | 8.00.2039 |
| MSSQL$BKUPEXEC | UP TO DATE | 8 | SP3 | 8.00.760 |
| MSSQLSERVER | VULNERABLE | 8 | Unknown | 8.00.2039 |
| MSSQL$KBMSS | UP TO DATE | 8 | SP3 | 8.00.760 |
| MSSQL$KBMSS | UP TO DATE | 8 | SP3 | 8.00.760 |
| MSSQL$BKUPEXEC | UP TO DATE | 8 | SP3 | 8.00.760 |
| MSSQLSERVER | UP TO DATE | 8 | SP3 | 8.00.760 |
| MSSQLSERVER | UP TO DATE | 8 | SP3 | 8.00.760 |
| MSSQLSERVER | UP TO DATE | 8 | SP3 | 8.00.760 |
| MSSQLSERVER | UP TO DATE | 8 | SP3 | 8.00.760 |
The suggested hotfix is:
Quick Details
Version: 8.00.0194
Security Bulletins: MS02-039
Date Published: 2/20/2003
Language: English
Download Size: 11 KB - 21.8 MB*
But by reading the documentation, after installing SP4 on a SQL Server, you should not be vulnerable to the Slammer worm, though the sqlscan tool doesn't yield these results.
-- Francisco
July 12, 2006 at 10:11 pm
Even though there is an SA password, it is possible that either the SA password or the domain password is too short or not complex enough. I believe that would result in a security warning.
I don't know whether the SA account, if given sysadmin privileges rather than just database-specific privileges, could also result in a vulnerability warning.
These at least are a couple of thoughts on the matter.
July 13, 2006 at 1:22 am
That's easy enough to check then, I'll take one of the servers and change the SA pwd to something longer, as it is I've never liked the pwd that was put on there before me.
-- Francisco
July 13, 2006 at 8:06 am
It must be 8 characters long, include upper and lower case and at least one special character with no common words to meet the complexity requirements.
July 13, 2006 at 10:19 am
I think the problem is that the sqlscan tool was written prior to the release of SP4. I just downloaded and ran it, and anything related to SP4 (build 2039) is unknown, and therefore considered vulnerable. If you've got SP4, you're safe (from Slammer, at least).
You would be better off running the Microsoft Baseline Security Analyzer.
http://www.microsoft.com/technet/security/tools/mbsahome.mspx
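The failure mode described in the post above (a build newer than the scanner's table is labelled vulnerable) can be reproduced with a small classifier. This is an added example, not part of the original thread and not sqlscan's actual code: the lookup table is a constructed model of the behaviour seen in the scan output, the SP1/SP2 baseline builds (384, 534) are added here, and the sample rows are constructed from the table in the first post.

```python
import re

# Service-pack baseline builds for SQL Server 2000 (8.00.x). 194, 760 and 2039
# appear in the scan output in the thread; 384 (SP1) and 534 (SP2) are added here.
SP_BASELINES = [(194, "RTM"), (384, "SP1"), (534, "SP2"), (760, "SP3"), (2039, "SP4")]
# Assumption taken from the thread: SP3 (8.00.760) is reported UP TO DATE for
# MS02-039, and service packs are cumulative, so later baselines keep the fix.
FIXED_FROM = 760
# Constructed model of a fixed build table written before SP4 existed.
PRE_SP4_TABLE = {194: "VULNERABLE", 760: "UP TO DATE"}

def parse_build(version):
    """Return the build number from '8.00.2039', or None for 'N/A' and the like."""
    m = re.fullmatch(r"8\.00\.(\d+)", version.strip())
    return int(m.group(1)) if m else None

def product_level(build):
    """Highest service-pack baseline at or below this build."""
    level = "Unknown"
    for base, name in SP_BASELINES:
        if build >= base:
            level = name
    return level

def table_verdict(version):
    """Exact-match lookup: a build missing from the table falls through to VULNERABLE."""
    build = parse_build(version)
    return "UNKNOWN" if build is None else PRE_SP4_TABLE.get(build, "VULNERABLE")

def threshold_verdict(version):
    """Compare against the first fixed baseline instead of an exact-match table.
    Hotfix builds between baselines are not modelled; below SP3 reports VULNERABLE."""
    build = parse_build(version)
    if build is None:
        return "UNKNOWN"
    return "UP TO DATE" if build >= FIXED_FROM else "VULNERABLE"

# Constructed sample rows, modelled on the scan output in the thread.
SAMPLE = [("MSSQL$MICROSOFTSMLBIZ", "N/A"), ("MSSQL$BKUPEXEC", "8.00.760"),
          ("MSSQLSERVER", "8.00.194"), ("MSSQLSERVER", "8.00.2039")]

def compare(rows):
    """Return (instance, version, level, table verdict, threshold verdict) per row."""
    out = []
    for name, ver in rows:
        build = parse_build(ver)
        level = product_level(build) if build is not None else "unknown"
        out.append((name, ver, level, table_verdict(ver), threshold_verdict(ver)))
    return out

if __name__ == "__main__":
    for row in compare(SAMPLE):
        print("%-22s %-10s %-8s table=%-11s threshold=%s" % row)
```

Only the 8.00.2039 row changes verdict between the two methods, which is the discrepancy the thread is about.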
July 13, 2006 at 11:30 am
I agree with mkeast. SP4 is Slammer patched.
July 13, 2006 at 2:10 pm
I've downloaded BSA and am running against the "vulnerable" reported systems.
-- Francisco
July 14, 2006 at 12:26 pm
Ran the BSA product and the report it generated was very interesting. It did come back with what is known about the servers, such as some that still have the builtin\administrator group, but that was before my time on those servers. None came back saying it was possibly vulnerable to Slammer though, so positive results IMHO.
-- Francisco
July 18, 2006 at 9:12 am
So I ran the BSA from MS, but my sysadmin still believes that I may need to apply the hotfix from: http://www.microsoft.com/downloads/details.aspx?familyid=9552d43b-04eb-4af9-9e24-6cde4d933600&displaylang=en
Quick Details
Version: 8.00.0194
Security Bulletins: MS02-039
Date Published: 2/20/2003
Language: English
Download Size: 11 KB - 21.8 MB*
I'm concerned because these files are older in many cases than the newer files installed by SP4; in essence I'd be SP4 but possibly mid SP3a.
-- Francisco