How to check for Slammer Vulnerabilities

  • I'm very confused on the following:

    I was trying to put a network co-worker's mind at ease, to assure him that all my SQL Servers are patched and up to date, when I ran MS's sqlscan utility and found the following lines very, very disturbing! The snapshot below is a snapshot of my SQL Servers, and even though the SQL Version shows them at 8.00.2039 (SP4), the program came back reporting them vulnerable. None of them have blank SA passwords either, and some of the servers have alternate listening ports from 1433, so what gives?

    Instance Name          Status      SQL Version  Product Level  sqlservr.exe Product
    MSSQL$MICROSOFTSMLBIZ  UNKNOWN     0            unknown        N/A
    MSSQL$TRACKIT70_2      UP TO DATE  8            SP3            8.00.760
    MSSQLSERVER            VULNERABLE  8            RTM            8.00.194
    MSSQLSERVER            VULNERABLE  8            Unknown        8.00.2039
    MSSQLSERVER            VULNERABLE  8            Unknown        8.00.2039
    MSSQLSERVER            VULNERABLE  8            Unknown        8.00.2039
    MSSQLSERVER            VULNERABLE  8            Unknown        8.00.2039
    MSSQLSERVER            VULNERABLE  8            Unknown        8.00.2039
    MSSQL$BKUPEXEC         UP TO DATE  8            SP3            8.00.760
    MSSQL$BKUPEXEC         UP TO DATE  8            SP3            8.00.760
    MSSQL$BKUPEXEC         UP TO DATE  8            SP3            8.00.760
    MSSQL$BKUPEXEC         UP TO DATE  8            SP3            8.00.760
    MSSQLSERVER            UP TO DATE  8            SP3            8.00.760
    MSSQL$BKUPEXEC         UP TO DATE  8            SP3            8.00.760
    MSSQLSERVER            UP TO DATE  8            SP3            8.00.760
    MSSQLSERVER            UP TO DATE  8            SP3            8.00.760
    MSSQLSERVER            VULNERABLE  8            Unknown        8.00.2039
    MSSQL$BKUPEXEC         UP TO DATE  8            SP3            8.00.760
    MSSQLSERVER            VULNERABLE  8            Unknown        8.00.2039
    MSSQL$KBMSS            UP TO DATE  8            SP3            8.00.760
    MSSQL$KBMSS            UP TO DATE  8            SP3            8.00.760
    MSSQL$BKUPEXEC         UP TO DATE  8            SP3            8.00.760
    MSSQLSERVER            UP TO DATE  8            SP3            8.00.760
    MSSQLSERVER            UP TO DATE  8            SP3            8.00.760
    MSSQLSERVER            UP TO DATE  8            SP3            8.00.760
    MSSQLSERVER            UP TO DATE  8            SP3            8.00.760

    The suggested hotfix is:

    http://www.microsoft.com/downloads/details.aspx?familyid=9552d43b-04eb-4af9-9e24-6cde4d933600&displaylang=en

    Quick Details

    Version: 8.00.0194

    Security Bulletins: MS02-039

    Date Published: 2/20/2003

    Language: English

    Download Size: 11 KB - 21.8 MB*

    But by reading the documentation, after installing SP4 on a SQL Server, you should not be vulnerable to the Slammer worm, though the sqlscan tool doesn't yield these results.

    -- Francisco

  • Even though there is an SA password, it is possible that either the SA password, or the domain password is too short or not complex enough.  I believe that would result in a security warning.

    I don't know if the SA account, if given sysadmin privileges rather than just database-specific privileges, could also result in a vulnerability warning.

    These at least are a couple of thoughts on the matter.

     

     

     

  • That's easy enough to check then, I'll take one of the servers and change the SA pwd to something longer, as it is I've never liked the pwd that was put on there before me.

    -- Francisco

  • It must be 8 characters long, include upper and lower case and at least one special character with no common words to meet the complexity requirements.

  • I think the problem is that the sqlscan tool was written prior to the release of SP4. I just downloaded and ran it, and anything related to SP4 (build 2039) is unknown, and therefore considered vulnerable. If you've got SP4, you're safe (from Slammer, at least).

    You would be better off running the Microsoft Baseline Security Analyzer.

    http://www.microsoft.com/technet/security/tools/mbsahome.mspx
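
The point made in the reply above (a scanner that predates SP4 reports build 2039 as unknown and therefore vulnerable) can be cross-checked by comparing the sqlservr.exe build numerically against the lowest build the same scan marks UP TO DATE. This is an added example, not part of the original thread or of Microsoft's tool; the pipe-delimited sample rows, the `PATCHED_FROM` threshold (8.00.760, taken from the SP3 rows in the scan output above) and the function names are assumptions.

```python
import re

# Constructed rows modelled on the scan output quoted in the thread:
# instance | status | SQL version | product level | sqlservr.exe build
SAMPLE = """\
MSSQL$BKUPEXEC        | UP TO DATE | 8 | SP3     | 8.00.760
MSSQLSERVER           | VULNERABLE | 8 | RTM     | 8.00.194
MSSQLSERVER           | VULNERABLE | 8 | Unknown | 8.00.2039
MSSQL$MICROSOFTSMLBIZ | UNKNOWN    | 0 | unknown | N/A
"""

# Assumption: lowest SQL Server 2000 build the scan itself marks UP TO DATE (SP3).
PATCHED_FROM = (8, 0, 760)


def parse_build(text):
    """Return (major, minor, build) as ints, or None if not a version."""
    m = re.fullmatch(r"(\d+)\.(\d+)\.(\d+)", text.strip())
    return tuple(int(g) for g in m.groups()) if m else None


def reassess(line):
    """Re-evaluate one scan row from the file build, ignoring the tool's status."""
    instance, status, _ver, _level, build_txt = (c.strip() for c in line.split("|"))
    build = parse_build(build_txt)
    if build is None or build[0] != 8:
        verdict = "MANUAL CHECK"      # no usable build: inspect the host directly
    elif build >= PATCHED_FROM:       # numeric compare, so 2039 > 760
        verdict = "PATCHED"
    else:
        verdict = "VULNERABLE"
    return {
        "instance": instance,
        "scanner": status,
        "build": build_txt,
        "verdict": verdict,
        # True when the scanner's VULNERABLE is contradicted by the build number
        "stale_scanner_result": status == "VULNERABLE" and verdict == "PATCHED",
    }


def reassess_all(text):
    return [reassess(l) for l in text.splitlines() if l.strip()]


if __name__ == "__main__":
    for row in reassess_all(SAMPLE):
        print(row)
    # A plain string comparison gets this wrong: "8.00.2039" < "8.00.760"
    print("8.00.2039" < "8.00.760")
```

Rows flagged `stale_scanner_result` are the ones to confirm with a second tool, as the thread goes on to do.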

     

  • I agree with mkeast. SP4 is Slammer patched.

  • I've downloaded BSA and am running against the "vulnerable" reported systems.

    -- Francisco

  • Ran the BSA product and the report it generated was very interesting. It did come back with what is known about the servers, such as some that still have the builtin\administrator group, but that was before my time on those servers. None came back saying it was possibly vulnerable to Slammer, though, so positive results IMHO.

    -- Francisco

  • So I ran the BSA from MS, but my sysadmin still believes that I may need to apply the hotfix from: http://www.microsoft.com/downloads/details.aspx?familyid=9552d43b-04eb-4af9-9e24-6cde4d933600&displaylang=en

    Quick Details

    Version: 8.00.0194

    Security Bulletins: MS02-039

    Date Published: 2/20/2003

    Language: English

    Download Size: 11 KB - 21.8 MB*

    I'm concerned because these files are in many cases older than the newer files installed by SP4; in essence I'd be SP-4 but possibly mid SP3a.

    -- Francisco
