Intrusion Prevention

Worm.Slammer

Description

This indicates an attempt by the SQL Slammer worm to exploit a buffer-overflow vulnerability in Microsoft SQL Server.
The vulnerability results from the way that Microsoft SQL servers process input on the SQL Server Resolution Service on port 1434. By sending a specially crafted UDP packet, a remote attacker can execute arbitrary code on a vulnerable system. The SQL Slammer worm takes advantage of this to spread through local networks and the Internet. The worm first scans rapidly for vulnerable systems, and it is this scanning activity that has degraded service across the entire Internet.
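
One way to spot the rapid scanning described above in flow logs, as an added example that is not part of the original advisory: it flags any source that sends UDP traffic to port 1434 on many distinct destinations within a short window. The flow-record format, the window length, the threshold and all sample addresses are assumptions constructed for illustration.

```python
from collections import defaultdict

SSRS_PORT = 1434          # SQL Server Resolution Service port named in the description
WINDOW_SECONDS = 10       # assumed sliding-window length
MAX_DISTINCT_DESTS = 20   # assumed fan-out threshold; tune for your network

def build_sample_flows():
    """Constructed records in an assumed format: 'epoch proto src dst dst_port'."""
    flows = [f"{1000 + i * 0.05:.2f} udp 10.0.0.5 198.51.100.{i + 1} 1434" for i in range(40)]
    flows += [f"{1000 + i} udp 10.0.0.9 10.0.0.20 1434" for i in range(30)]        # one client, one server
    flows += [f"{1000 + i * 0.05:.2f} tcp 10.0.0.7 203.0.113.{i + 1} 443" for i in range(40)]
    flows += [f"{1000 + i * 60} udp 10.0.0.8 192.0.2.{i + 1} 1434" for i in range(25)]  # slow, spread out
    flows.append("malformed line")
    return flows

def parse_flow(line):
    """Return (ts, proto, src, dst, port), or None for a line that does not parse."""
    parts = line.split()
    if len(parts) != 5:
        return None
    try:
        return float(parts[0]), parts[1].lower(), parts[2], parts[3], int(parts[4])
    except ValueError:
        return None

def find_scanners(lines, window=WINDOW_SECONDS, threshold=MAX_DISTINCT_DESTS):
    """Map each flagged source to its peak count of distinct UDP/1434 destinations per window."""
    events = defaultdict(list)
    for rec in filter(None, map(parse_flow, lines)):
        ts, proto, src, dst, port = rec
        if proto == "udp" and port == SSRS_PORT:
            events[src].append((ts, dst))
    flagged = {}
    for src, evs in events.items():
        evs.sort()
        start, peak, in_window = 0, 0, defaultdict(int)
        for ts, dst in evs:
            in_window[dst] += 1
            while evs[start][0] < ts - window:   # evict records older than the window
                old = evs[start][1]
                in_window[old] -= 1
                if in_window[old] == 0:
                    del in_window[old]
                start += 1
            peak = max(peak, len(in_window))
        if peak >= threshold:
            flagged[src] = peak
    return flagged

if __name__ == "__main__":
    print(find_scanners(build_sample_flows()))
```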

Affected Products

MS SQL 2000 server.

Impact

System compromise: Remote code execution, worm infection

Recommended Actions

Apply the latest SQL Server patches from Microsoft:
http://www.microsoft.com/technet/security/Bulletin/MS02-039.mspx
Block external access to the Microsoft SQL service on ports 1433 and 1434.

CVE References

CVE-2002-0649
