Cisco Security Advisory

MS SQL Worm Mitigation Recommendations

Advisory ID: cisco-sa-20030125-worm

http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20030125-worm

Revision 1.6

For Public Release 2003 January 25 14:00 UTC (GMT)


Summary

Cisco customers are currently experiencing attacks from a new worm that has hit the Internet. The signature of this worm appears as high volumes of User Datagram Protocol (UDP) traffic to port 1434. Affected customers see high volumes of traffic from both internal and external systems. The symptoms on Cisco devices include, but are not limited to, high CPU and traffic drops on the input interfaces.

The worm has been referenced by several names, which include Slammer, Sapphire, and "MS SQL worm".

You may see instability in networks due to increased load. The traffic load generated by this worm is very high.

Affected Products

This section provides details on affected products.

Vulnerable Products

For more information about Cisco products that are affected directly by this worm, refer to http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20030126-ms02-061.

Products Confirmed Not Vulnerable

No other Cisco products are currently known to be affected by these vulnerabilities.

Details

The TCP port 1433 and UDP port 1434 are used for Structured Query Language (SQL) server traffic. A new worm targets the UDP port 1434 and attempts to exploit a buffer overflow vulnerability in Microsoft's SQL server.

Microsoft has issued a security advisory about this issue. For more details, refer to http://www.microsoft.com/technet/security/alerts/slammer.mspx.

Vulnerability Scoring Details

Cisco has provided scores for the vulnerabilities in this advisory based on the Common Vulnerability Scoring System (CVSS). The CVSS scoring in this Security Advisory is done in accordance with CVSS version 2.0.

CVSS is a standards-based scoring method that conveys vulnerability severity and helps determine urgency and priority of response.

Cisco has provided a base and temporal score. Customers can then compute environmental scores to assist in determining the impact of the vulnerability in individual networks.

Cisco has provided an FAQ to answer additional questions regarding CVSS at http://www.cisco.com/web/about/security/intelligence/cvss-qandas.html.

Cisco has also provided a CVSS calculator to help compute the environmental impact for individual networks at http://intellishield.cisco.com/security/alertmanager/cvss.


Impact

Under the Microsoft operating system, UDP port 1434 can be blocked by means of an IPSec policy.

This document details mitigation techniques to block and filter the UDP port 1434 traffic with the help of Cisco devices.

Software Versions and Fixes

When you consider software upgrades, refer to http://www.cisco.com/en/US/products/products_security_advisories_listing.html and any subsequent advisories to determine exposure and a complete upgrade solution.

In all cases, customers must exercise caution to make certain that the devices upgraded contain sufficient memory and that the current hardware and software configurations are still supported properly by the new release. If the information is not clear, contact the Cisco Technical Assistance Center (TAC) for assistance.


Workarounds

Thus far the best mitigation is to block inbound and outbound traffic destined to UDP port 1434. You must be careful to minimize the impact on mission critical services that legitimately use 1434/UDP and 1433/TCP, as Microsoft SQL Server does. Before traffic to these ports is blocked, make completely sure that the possible implications for your network are understood. Once UDP port 1434 is blocked completely, the spread of the worm in its current form is contained. The affected systems are still infected and able to spread within the contained section of the network; therefore, Cisco advises that all affected servers be patched in accordance with Microsoft's recommendations.

For information about strategies to protect against Distributed Denial of Service attacks, refer to http://www.cisco.com/warp/public/707/newsflash.html.

Note: These workarounds previously blocked both ports 1433 and 1434, although there is no evidence that blocking port 1433 has any effect on the attack. Cisco has been alerted that mission critical services, such as IP phone networks, require traffic to flow on port 1433 and has corrected the recommended access control lists (ACLs) accordingly.

Caution: As with any configuration change in a network, you must evaluate the impact of this configuration before you make the change.

ACL for IOS

This workaround applies to most router platforms unless a platform is mentioned specifically.

Note: In order to track the source addresses, use Sampled NetFlow rather than "log" statements in ACLs, as the high traffic in combination with the log statement can overwhelm the router.

access-list 115 deny udp any any eq 1434
access-list 115 permit ip any any

interface <interface>
ip access-group 115 in
ip access-group 115 out

The worm attempts to send packets to random IP addresses, some of which possibly do not exist. When that occurs, the router replies with an "ICMP unreachable" packet. In some cases, replying to a large number of requests with invalid IP addresses can degrade the router's performance. To prevent such occurrences, issue these commands:

Router(config)# interface <interface>
Router(if-config)# no ip unreachables

Caution: Some configurations, such as certain types of tunnel structures, require the use of ip unreachables. If the router must be able to send "ICMP unreachable" packets, you can rate limit the number of replies with this command:

Router(config)# ip icmp rate-limit unreachable <millisecond>

In Cisco IOS 12.0 and later, the default rate limit is set to two packets per second.

Cisco 12000

Receive ACL Feature

On a Cisco 12000 (GSR) series router, packets destined to the router's IP addresses are punted to the gigabit route processor (GRP) for processing. In order to protect the GRP, receive ACLs (rACLs) can be applied. The rACLs filter traffic destined to the GRP; only traffic explicitly permitted is processed by the GRP, and the denied traffic is dropped. In general, rACLs do not affect transit traffic (traffic that flows through a router), only traffic destined to the router itself.

The rACLs are an extremely effective countermeasure to mitigate the effects of excessive attack traffic destined to the GRP. For more information, refer to GSR: Receive Access Control Lists.

VACL on the 6500

For simplicity and consistency, Cisco advises the use of IOS ACLs on the Cisco Catalyst 4000 with a Sup3 and on Hybrid and Native configurations of the Cisco Catalyst 6500. Additionally, Cisco advises the use of the no ip unreachables command.

If you have already applied the VACL configuration originally found in this page, it is effective and does not need to be changed. The Catalyst 6000 can use IOS ACLs, but for some configurations VACLs are indicated.

Note: As you make configuration changes, use caution when you use VACLs in conjunction with IOS ACLs.

To configure:

set security acl ip WORM deny udp any any eq 1434

set security acl ip WORM permit any

commit security acl WORM

set security acl map WORM

To verify:

show security acl info all

To remove:

clear security acl WORM

commit security acl WORM

CatOS with Sup2 and MLS

MLS statistics can help track down infected hosts. NetFlow must be enabled in full flow to see source and destination ports, as in this example:

switch> (enable) sh mls statistics entry ip
                                  Last    Used
Destination IP   Source IP       Prot  DstPrt SrcPrt Stat-Pkts  Stat-Bytes
---------------- --------------- ----- ------ ------ ---------- ---------------
 10.81.176.91    172.16.34.35   UDP   1434   2776   0          0 
 172.31.171.82   172.16.34.35   UDP   1434   2776   0          0
 168.192.57.204  172.16.188.61  UDP   1434   3460   1          404
 172.17.136.55   172.16.34.135  UDP   1434   2917   0          0
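The following Python script is an added example for this section; it is not from the advisory or from Cisco. It parses full-flow `sh mls statistics entry ip` output of the layout shown above and ranks source addresses by the number of distinct destinations they have UDP/1434 flows to. The sample output is constructed: it repeats the four rows from the advisory and adds two benign flows (TCP/1433 and UDP/53) to show that they are ignored.

```python
import re

# Constructed sample of "sh mls statistics entry ip" output (not from a live switch).
# The first four rows repeat the advisory's example; the last two are benign
# flows added to show that only UDP traffic to port 1434 is counted.
SAMPLE_OUTPUT = """\
switch> (enable) sh mls statistics entry ip
                                  Last    Used
Destination IP   Source IP       Prot  DstPrt SrcPrt Stat-Pkts  Stat-Bytes
---------------- --------------- ----- ------ ------ ---------- ---------------
 10.81.176.91    172.16.34.35   UDP   1434   2776   0          0
 172.31.171.82   172.16.34.35   UDP   1434   2776   0          0
 168.192.57.204  172.16.188.61  UDP   1434   3460   1          404
 172.17.136.55   172.16.34.135  UDP   1434   2917   0          0
 10.1.2.3        172.16.9.9     TCP   1433   40001  12         6100
 172.16.9.9      10.1.2.3       UDP   53     1025   3          300
"""

IPV4 = r"\d{1,3}(?:\.\d{1,3}){3}"
FLOW_RE = re.compile(
    rf"^\s*(?P<dst>{IPV4})\s+(?P<src>{IPV4})\s+(?P<prot>[A-Za-z]+)\s+"
    r"(?P<dport>\d+)\s+(?P<sport>\d+)\s+(?P<pkts>\d+)\s+(?P<bytes>\d+)\s*$"
)


def parse_flows(text):
    """Parse full-flow MLS entries into dicts; prompt, header and rule lines are skipped."""
    flows = []
    for line in text.splitlines():
        m = FLOW_RE.match(line)
        if m is None:
            continue
        flows.append({
            "dst": m["dst"], "src": m["src"], "prot": m["prot"].upper(),
            "dport": int(m["dport"]), "sport": int(m["sport"]),
            "pkts": int(m["pkts"]), "bytes": int(m["bytes"]),
        })
    return flows


def udp1434_fanout(flows):
    """Map each source address to the number of distinct destinations it has
    UDP/1434 flows to, highest fan-out first.

    Fan-out, not packet count, is the useful signal: the worm sprays random
    destinations, many of which do not exist, so entries with 0 packets are
    common and still point at an infected source.
    """
    dests = {}
    for f in flows:
        if f["prot"] == "UDP" and f["dport"] == 1434:
            dests.setdefault(f["src"], set()).add(f["dst"])
    return dict(sorted(((s, len(d)) for s, d in dests.items()),
                       key=lambda item: (-item[1], item[0])))


if __name__ == "__main__":
    for src, n in udp1434_fanout(parse_flows(SAMPLE_OUTPUT)).items():
        print(f"{src:<16} UDP/1434 flows to {n} distinct destination(s)")
```

Run against real output, the hosts at the top of the list are the first candidates to isolate and patch; a source with one flow and zero packets is still worth checking, since the worm's random targets often do not answer.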

Catalyst 3550

Apply the IOS ACL on switch virtual interfaces (SVIs), which are Layer 3 interfaces to VLANs; on physical Layer 3 interfaces; and on Layer 3 EtherChannel interfaces, in both the inbound and outbound direction. You must make sure that no ip unreachables is configured on the interface.

Apply the IOS ACL to Layer 2 interfaces on the switch only if an IOS ACL is not also applied to the input of a Layer 3 interface (an error message is generated upon attempts to do so). For Layer 2 interfaces, the IOS ACL is supported on physical interfaces only, not on EtherChannel interfaces, and it can be applied in the inbound direction only.

Catalyst 2950

Apply the IOS ACL to the interface. Note that ACLs are only supported in the inbound direction. In order to apply ACLs to physical interfaces, the enhanced software image (EI) must be installed.

Catalyst 2900XL and 3500XL

These are Layer 2 switches with no support for Layer 3 ACLs.

PIX

Generally, the PIX blocks this worm unless it is explicitly configured to permit access to MS-SQL services, as in these examples:

access-list acl_out permit udp any host <address> eq 1434

or in previous versions of the PIX software:

conduit permit udp any any eq 1434

These commands permit this worm to connect to the server at <address>. If it is not possible to patch the affected servers, Cisco advises you to close those ports by changing the statements to deny instead of permit, or by removing the commands completely.

Additionally, customers must deny outbound attempts to these ports:

access-list acl_inside deny udp any any eq 1434 

or the corresponding outbound lists, but Cisco strongly advises ACLs in lieu of outbound lists.

CSIDS Signature

If a Cisco Secure Intrusion Detection System (CSIDS) is in use, a signature update file is available at http://www.cisco.com/pcgi-bin/tablebuild.pl/ids-appsens.

Alternatively, a custom signature string can be added to address this worm. Brief instructions are included here:

Tune Signature Parameters  :  CSIDS Signature Wizard
___________________________________________________________________________

 Current Signature: Engine STRING.UDP SIGID 2nnnn (any number between 20000 and 50000)
           SigName: SQL Slammer
___________________________________________________________________________

  0 - Edit ALL Parameters
  1 - AlarmInterval        =
  2 - AlarmThrottle        = FireAll
  3 - ChokeThreshold       =
  4 - Direction            = ToService
  5 - FlipAddr             =
  6 - LimitSummary         =
  7 - MaxInspectLength     = 360
  8 - MinHits              =
  9 - MinMatchLength       =
 10 * RegexString          = \x04\x01\x01\x01\x01\x01.*[.][Dd][Ll][Ll]
 11 - ResetAfterIdle       = 15
 12 * ServicePorts         = 1434
 13 - SigComment           =
 14 - SigName              = SQL Slammer
 15 - SigStringInfo        =
 16 - ThrottleInterval     = 15
 17 - WantFrag             =
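As an added illustration, not part of the advisory and not CSIDS code, the following Python function applies the RegexString, ServicePorts and MaxInspectLength parameters listed above to UDP datagrams, so the signature's behaviour can be checked against sample payloads before it is deployed. The sample datagrams are constructed for this example and are not captured traffic; the re.DOTALL flag is an assumption about how the STRING.UDP engine treats newline bytes.

```python
import re

# Parameters taken from the custom STRING.UDP signature in the advisory.
REGEX_STRING = rb"\x04\x01\x01\x01\x01\x01.*[.][Dd][Ll][Ll]"
SERVICE_PORT = 1434          # ServicePorts
MAX_INSPECT_LENGTH = 360     # MaxInspectLength

# re.DOTALL is an assumption: it lets ".*" span a 0x0a byte inside a binary payload.
SIGNATURE = re.compile(REGEX_STRING, re.DOTALL)


def matches_sql_slammer(dst_port, payload):
    """Return True if a UDP datagram to dst_port would fire the signature.

    Direction=ToService: only datagrams sent to the service port are inspected,
    and only their first MaxInspectLength bytes are searched.
    """
    if dst_port != SERVICE_PORT:
        return False
    return SIGNATURE.search(payload[:MAX_INSPECT_LENGTH]) is not None


def count_alarms(datagrams):
    """Count matches over (dst_port, payload) pairs. AlarmThrottle=FireAll means
    every matching datagram raises its own alarm, so this is a plain count."""
    return sum(1 for port, data in datagrams if matches_sql_slammer(port, data))


# Constructed sample datagrams (not captured traffic):
# a payload carrying the signature's leading bytes and a ".DLL" string,
SAMPLE_MATCH = b"\x04\x01\x01\x01\x01\x01" + b"\x00" * 32 + b"x.DLL" + b"\x00" * 8
# a one-byte query of the kind a client sends to the SQL resolution service,
SAMPLE_QUERY = b"\x02"
# and a payload whose ".dll" string lies beyond the 360-byte inspection window.
SAMPLE_LATE_DLL = b"\x04\x01\x01\x01\x01\x01" + b"\x00" * 400 + b"x.dll"

if __name__ == "__main__":
    samples = [(1434, SAMPLE_MATCH), (1433, SAMPLE_MATCH),
               (1434, SAMPLE_QUERY), (1434, SAMPLE_LATE_DLL)]
    for port, data in samples:
        print(port, len(data), matches_sql_slammer(port, data))
    print("alarms:", count_alarms(samples))
```

The third sample shows the cost of MaxInspectLength: a matching string placed past byte 360 is not seen, which is why the signature relies on the fixed leading bytes rather than on the ".dll" text alone.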

Obtaining Fixed Software

Cisco has made free software available to address this vulnerability for affected customers. Prior to deploying software, customers should consult their maintenance provider or check the software for feature set compatibility and known issues specific to their environment.

Customers may only install and expect support for the feature sets they have purchased. By installing, downloading, accessing or otherwise using such software upgrades, customers agree to be bound by the terms of Cisco's software license terms found at http://www.cisco.com/public/sw-license-agreement.html, or as otherwise set forth at Cisco.com Downloads at http://www.cisco.com/public/sw-center/sw-usingswc.shtml.

Do not contact either "psirt@cisco.com" or "security-alert@cisco.com" for software upgrades.

Customers with Service Contracts

Customers with contracts should obtain upgraded software through their regular update channels. For most customers, this means that upgrades should be obtained through the Software Center on Cisco's worldwide website at http://www.cisco.com.

Customers Using Third-Party Support Organizations

Customers whose Cisco products are provided or maintained through prior or existing agreement with third-party support organizations such as Cisco Partners, authorized resellers, or service providers should contact that support organization for guidance and assistance with the appropriate course of action in regards to this advisory.

The effectiveness of any workaround or fix is dependent on specific customer situations such as product mix, network topology, traffic behavior, and organizational mission. Due to the variety of affected products and releases, customers should consult with their service provider or support organization to ensure any applied workaround or fix is the most appropriate for use in the intended network before it is deployed.

Customers Without Service Contracts

Customers who purchase direct from Cisco but who do not hold a Cisco service contract and customers who purchase through third-party vendors but are unsuccessful at obtaining fixed software through their point of sale should get their upgrades by contacting the Cisco Technical Assistance Center (TAC). TAC contacts are as follows.

  • +1 800 553 2447 (toll free from within North America)
  • +1 408 526 7209 (toll call from anywhere in the world)
  • e-mail: tac@cisco.com

Have your product serial number available and give the URL of this notice as evidence of your entitlement to a free upgrade. Free upgrades for non-contract customers must be requested through the TAC.

Refer to http://www.cisco.com/warp/public/687/Directory/DirTAC.shtml for additional TAC contact information, including special localized telephone numbers and instructions and e-mail addresses for use in various languages.

Exploitation and Public Announcements

This issue is being exploited and is discussed in numerous public announcements and messages. References include:

Some Cisco products are affected by this worm. For details, refer to Cisco Security Advisory: Microsoft SQL Server 2000 Vulnerabilities in Cisco Products - MS02-061.

Status of This Notice: Final

THIS DOCUMENT IS PROVIDED ON AN "AS IS" BASIS AND DOES NOT IMPLY ANY KIND OF GUARANTEE OR WARRANTY, INCLUDING THE WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR USE. YOUR USE OF THE INFORMATION ON THE DOCUMENT OR MATERIALS LINKED FROM THE DOCUMENT IS AT YOUR OWN RISK. CISCO RESERVES THE RIGHT TO CHANGE OR UPDATE THIS DOCUMENT AT ANY TIME. CISCO EXPECTS TO UPDATE THIS DOCUMENT AS NEW INFORMATION BECOMES AVAILABLE.

A stand-alone copy or paraphrase of the text of this document that omits the distribution URL in the following section is an uncontrolled copy, and may lack important information or contain factual errors.


Distribution

This notice is posted on Cisco's worldwide website at http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20030125-worm. In addition to worldwide web posting, a text version of this notice is clear-signed with the Cisco PSIRT PGP key and is posted to these e-mail and Usenet news recipients:

  • cust-security-announce@cisco.com
  • bugtraq@securityfocus.com
  • full-disclosure@lists.netsys.co
  • first-teams@first.org (includes CERT/CC)
  • cisco@spot.colorado.edu
  • cisco-nsp@puck.nether.net
  • comp.dcom.sys.cisco
  • Various internal Cisco mailing lists

Future updates of this notice, if any, will be placed on Cisco's worldwide web. The users concerned about this problem are encouraged to check the URL given for any updates.


Revision History

Revision 1.6

2003-February-13

Corrected VACL recommendations to remove source port 1434; clarified NetFlow requirement for MLS output; clarified Sampled NetFlow for tracking.

Revision 1.5

2003-January-28

Updates to Workarounds section: Moved "VACL on 6500" section, added in VACL config example, removed duplicate, untitled VACL on 6500 section, added in additional switch configuration notes. Corrected formatting in CIDS section. Added in multiple cautions on "IP Unreachables", which include the effect on configurations that require ip unreach, such as tunnels.

Revision 1.4

2003-January-27

Updates to Details section: changed port 1433 and 1434 information. Updates to Workarounds section: added "VACL on the 6500" section, changed the configuration example. Update to PIX section: changed how the commands will permit this worm to connect to the server. Update to Cisco Intrusion Detection System (CSIDS) Signature section: changed the URL.

Revision 1.3

2003-January-26

Updates to Summary section: added link to companion document. Updates to the Workaround section: removed section on VACL on the 6500

Revision 1.2

2003-January-26

Updates to Microsoft link in Details section. Updates to the Workaround section: added new paragraph after first paragraph, added new information on ACL for IOS. Updates to Exploitation section: added new paragraph with link. Updates to Security Procedures: removed the sentence "Information regarding ...."

Revision 1.1

2003-January-25

Updates to the workaround section, which include information on PIX, Cisco Intrusion Detection System (CSIDS), and updates to all ACLs and VACLs, changing the UDP 1433 to TCP 1433, and 1433 was removed altogether due to impact to critical applications. Updates to the summary section to reflect updated information. Changed Advisory to Notice, as this document reflects mitigation and does not reflect affected products.

Revision 1.0

2003-January-25

Initial public release.

Cisco Security Procedures

If you have any new information that would be of use to us, send an email to psirt@cisco.com.

Complete information on how to report security vulnerabilities in Cisco products, obtain assistance with security incidents, and register to receive security information from Cisco, is available on Cisco's worldwide website at http://www.cisco.com/web/about/security/psirt/security_vulnerability_policy.html. This includes instructions for press inquiries about Cisco security notices. All Cisco security advisories are available at http://www.cisco.com/go/psirt.

