Slashdot Mirror


MS Issues Critical SQL Server Flaw Warning

silent wire writes "ZDNet is reporting on a pre-patch security advisory from Microsoft warning about an unpatched remote code execution vulnerability affecting its SQL Server line. Exploit code is publicly available so affected users should pay special attention to the workarounds from Microsoft."

5 of 69 comments

  1. localhost by jaavaaguru · Score: 2, Informative

    Or just don't make the database servers available on the Internet?

  2. Unpatched by Major+Blud · Score: 3, Informative

    SQL 2005 Service Pack 3 hasn't been RTM'd yet. All versions of SQL 2000 seem to be affected. This probably means that the most popular versions are affected.

    --
    If you post as Anonymous Coward, don't expect a reply.

  3. Re:Exactly what is vulnerable? by Anonymous Coward · Score: 5, Informative

    > It is important to note that this isn't exploitable unless all of the following is true:

    You are flat out wrong, on all three points, along with the idiots who modded you insightful. RTFA.

    > 1. The database server is not patched (and the patches are not new).

    There is no patch! The only workaround is to disable execution of an extended stored procedure. Maybe you should read the line that says:

    "Upon completion of this investigation, Microsoft will take the appropriate action to help protect our customers. This may include providing a security update through our security update release process."

    Now, some versions of SQL Server are not affected at all by this bug, which is different from a patch being available.

    > 2. Someone is able to connect directly to the database server.

    Or they get something else to run this extended stored procedure. Since this is normally regarded as harmless, it's easier than you think.

    > 3. That someone authenticates using a privileged user.

    No! In SQL Server, there are many things that ANY user can use by default, like SELECT GETDATE() which returns the system date & time. By default, this extended stored procedure, sp_replwritetovarbin, can be executed by ANY user.

    > This will be exploited only in the situation where the DBA is a complete and total moron of the highest degree.

    You know, I think it's a good idea when the DBAs can actually read and understand what they are reading.

  4. Re:Exactly what is vulnerable? by Shados · Score: 2, Informative

    > There is no patch! The only workaround is to disable execution of an extended stored procedure. Maybe you should read the line that says:

    There is, sort of: the latest service packs, except for SQL Server 2000 (for which it's a genuine problem, if I understand well). The catch is that SQL Server without service packs is fully supported, so Microsoft must provide patches so you can fix it without needing the service packs for the other editions. Still, the line between a patch and a service pack is thin...

    > Or they get something else to run this extended stored procedure. Since this is normally regarded as harmless, it's easier than you think.

    Ironically, I've actually never worked anywhere where extended SPs were allowed by the DBA unless careful consideration was made, and only if the database was used on the intranet only... extended SPs can do pretty much anything if not properly controlled, so you have to be fairly careful....

    > No! In SQL Server, there are many things that ANY user can use by default, like SELECT GETDATE() which returns the system date & time. By default, this extended stored procedure, sp_replwritetovarbin, can be executed by ANY user.

    Which still means you need -A- user that can connect at all. I agree that isn't exactly a "privileged user", but it still needs a user that can log in. Not "any user" can do that.
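
The workaround discussed in comments 3 and 4 (disabling execution of sp_replwritetovarbin, which any user can run by default), written out as T-SQL. This is an added example, not part of the thread; it assumes SQL Server 2005 or later (the sys.* catalog views) and a sysadmin session, and the DENY statement is one assumed way to apply the workaround.

```sql
-- Added example: audit and restrict sp_replwritetovarbin.
-- Assumes SQL Server 2005+ catalog views; run as a sysadmin.
USE master;
GO

-- 1. Audit: list the explicit permission entries on the procedure.
--    A GRANT of EXECUTE to 'public' means every login that can
--    connect to the server may call it.
SELECT pr.name AS grantee,
       pe.permission_name,
       pe.state_desc
FROM sys.database_permissions AS pe
JOIN sys.database_principals AS pr
  ON pr.principal_id = pe.grantee_principal_id
JOIN sys.all_objects AS o
  ON o.object_id = pe.major_id
WHERE pe.class = 1              -- object-level permissions
  AND pe.minor_id = 0           -- whole object, not a column
  AND o.name = N'sp_replwritetovarbin';
GO

-- 2. Restrict: deny EXECUTE to public. DENY takes precedence over
--    GRANT for ordinary principals; members of sysadmin bypass
--    permission checks and are not affected.
DENY EXECUTE ON sp_replwritetovarbin TO public;
GO

-- 3. Verify: the same audit should now report DENY for public.
SELECT pr.name AS grantee,
       pe.permission_name,
       pe.state_desc
FROM sys.database_permissions AS pe
JOIN sys.database_principals AS pr
  ON pr.principal_id = pe.grantee_principal_id
JOIN sys.all_objects AS o
  ON o.object_id = pe.major_id
WHERE pe.class = 1
  AND pe.minor_id = 0
  AND o.name = N'sp_replwritetovarbin'
  AND pr.name = N'public';
GO
```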