In addition to providing referrals, the SSRS is capable of replying to "ping" messages from other SQL servers to confirm its presence on a network. When the service receives such a message, it replies to the transmitting host with an identical reply message. In normal operation, the SSRS service is responsible for replying to ping messages sent by an SQL Server and does not initiate them. However, an attacker can create a forged ping message to one instance of the SSRS (Victim A, port 1434) that appears to originate from another instance (Victim B, port 1434), causing Victim A and Victim B to continuously exchange messages. This cycle will continue to consume server and network resources until one of the servers stops sending packets for one of several reasons, including a restart of the SQL Server, a reboot of the server host, or a network failure.
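A defender-side check for the loop described above, as an added example that is not part of the original advisory: it scans flow records for host pairs that exchange UDP traffic in both directions with source and destination port both 1434. The record layout, the window and threshold values, and the premise that ordinary clients query from a port other than 1434 are assumptions.

```python
from collections import defaultdict

SSRS_PORT = 1434  # UDP port of the SQL Server Resolution Service, per the advisory


def find_ping_loops(flows, window=1.0, threshold=5):
    """Flag host pairs that exchange UDP 1434<->1434 traffic in both directions.

    flows: iterable of (timestamp_seconds, src_ip, src_port, dst_ip, dst_port).
    A pair is flagged when, inside one `window`-second bucket, each direction
    carries at least `threshold` packets. Both values are assumptions to tune.
    """
    # counts[(host_a, host_b)][bucket] -> [packets a->b, packets b->a]
    counts = defaultdict(lambda: defaultdict(lambda: [0, 0]))
    for ts, src, sport, dst, dport in flows:
        if sport != SSRS_PORT or dport != SSRS_PORT:
            continue  # assumption: ordinary clients use a non-1434 source port
        pair = tuple(sorted((src, dst)))
        direction = 0 if src == pair[0] else 1
        counts[pair][int(ts // window)][direction] += 1
    flagged = []
    for pair, buckets in counts.items():
        # min() over the two directions requires traffic both ways
        if any(min(c) >= threshold for c in buckets.values()):
            flagged.append(pair)
    return sorted(flagged)


def sample_flows():
    """Constructed records using documentation addresses (RFC 5737)."""
    flows = []
    # Two servers bouncing packets between their 1434 ports every 50 ms.
    for i in range(40):
        a, b = ("192.0.2.10", "192.0.2.20") if i % 2 == 0 else ("192.0.2.20", "192.0.2.10")
        flows.append((10.0 + i * 0.05, a, SSRS_PORT, b, SSRS_PORT))
    # A client query from an ephemeral port and its reply: not flagged.
    flows.append((10.2, "198.51.100.7", 50122, "192.0.2.10", SSRS_PORT))
    flows.append((10.21, "192.0.2.10", SSRS_PORT, "198.51.100.7", 50122))
    # One-way 1434->1434 burst with no traffic coming back: not flagged.
    for i in range(10):
        flows.append((12.0 + i * 0.01, "203.0.113.5", SSRS_PORT, "192.0.2.30", SSRS_PORT))
    return flows


if __name__ == "__main__":
    for a, b in find_ping_loops(sample_flows()):
        print(f"possible SSRS ping loop between {a} and {b}")
```

Because the forged message only has to be sent once, the flagged pair will not include the attacker's address; the two hosts reported are both victims.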
II. Impact
This vulnerability allows remote attackers to initiate a denial-of-service attack between two affected servers.
III. Solution
Apply a patch
Microsoft has published Security Bulletin MS02-039 to address this vulnerability. For more information, please see
Vendor | Status | Date Updated |
---|---|---|
Microsoft Corporation | Vulnerable | 25-Jul-2002 |
The CERT/CC thanks Microsoft for the information provided in their advisory and NGSSoftware for their discovery and analysis of this vulnerability.
This document was written by Jeffrey P. Lanza.
Other Information
Date Public | 07/24/2002 |
Date First Published | 07/26/2002 02:03:17 PM |
Date Last Updated | 07/29/2002 |
CERT Advisory | |
CVE Name | CAN-2002-0650 |
Metric | 5.32 |
Document Revision | 34 |