Cisco Building Broadband Service Manager

Microsoft SQL Slammer Worm Virus


January 31, 2003


Products Affected

Product: BBSM Server Version 5.1

Comments: BBSM Server Version 5.1 is affected by the Microsoft SQL Slammer Worm Virus.

Note:  BBSM Versions 5.0 and 5.2 are not affected by the Microsoft SQL Slammer Worm Virus.

Problem Description

The Slammer Worm virus affects only products that use Microsoft SQL/MSDE Server 2000. Only BBSM Versions 5.1 and 5.2 use an embedded version of Microsoft MSDE 2000 server. Versions of BBSM prior to 5.1 use an embedded version of Microsoft SQL Server 7.0. Because of additional security features in BBSM Version 5.2, the BBSM Version 5.2 server is not affected by the Slammer Worm virus, and BBSM Version 5.1 is the only vulnerable release in the BBSM product family.

Additional Cisco BBSM updates are available from Cisco.com.

Problem Symptoms

Symptoms may vary. BBSM Version 5.1 servers that are affected by the Slammer virus will experience problems resulting in poor performance or complete loss of functionality.

Workaround/Solution

For BBSM Version 5.1 Servers

The Building Broadband Solutions Unit (BBSU) will post the Microsoft fix (MSDE Service Pack 3) as two webpatch files: MSFix4.exe and MSFix5.exe. These files will be available in the Software Center.

Users must download and install these patches to bring their BBSM Version 5.1 servers back to a fully functional and protected state. We advise users to perform this update as soon as possible to prevent any issues from occurring.

Note: Other security vulnerabilities require all versions of BBSM to receive updates from Cisco.com.

For BBSM Version 5.2 Servers

No patch is necessary to protect a BBSM Version 5.2 server from the Microsoft SQL Slammer Worm Virus. The BBSU will post other Microsoft security fixes in BBSM Version 5.2 Service Pack 1 to the Software Center.

Users must download and install this patch to bring their BBSM Version 5.2 servers to the latest fully functional and protected state.

For BBSM Version 5.0 Servers and Earlier Versions

It is recommended that users upgrade these servers to BBSM Version 5.1 or later and follow the instructions above.

Additional Information

ACL for Cisco IOS® Software

Customers may also want to install access lists (ACLs) on their site router to further protect the BBSM system from outside attack. The following Cisco router commands will protect the BBSM server from further attacks:

Note: Log statement removed due to load issues on the router. If you are trying to track source addresses, use NetFlow.

access-list 115 deny udp any any eq 1433
access-list 115 deny udp any any eq 1434
access-list 115 permit ip any any
! <interface> is a placeholder for the router interface the ACL is applied to
int <interface>
 ip access-group 115 in
 ip access-group 115 out
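
A check for the IOS access list above, added here as an example and not part of the original field notice or any Cisco tooling: it audits a saved running-config to confirm that both deny entries of ACL 115 come before `permit ip any any` (IOS stops at the first matching entry) and that the list is applied in both directions. The interface name, both sample configs and the `audit_acl` helper are constructed for illustration.

```python
import re

# Constructed sample: the notice's ACL applied to a hypothetical interface.
SAMPLE_GOOD = """\
access-list 115 deny udp any any eq 1433
access-list 115 deny udp any any eq 1434
access-list 115 permit ip any any
interface FastEthernet0/0
 ip access-group 115 in
 ip access-group 115 out
"""

# Constructed sample: permit precedes the 1434 deny, and only "in" is applied.
SAMPLE_BAD = """\
access-list 115 deny udp any any eq 1433
access-list 115 permit ip any any
access-list 115 deny udp any any eq 1434
interface FastEthernet0/0
 ip access-group 115 in
"""

def audit_acl(config, acl="115", ports=(1433, 1434)):
    """Return a list of findings; an empty list means the config matches the notice."""
    findings, entries, applied, iface = [], [], {}, None
    prefix = f"access-list {acl} "
    for raw in config.splitlines():
        line = raw.strip()
        if not raw.startswith(" "):
            iface = None                      # unindented line ends an interface block
        if line.startswith(prefix):
            entries.append(line[len(prefix):])  # keep entries in evaluation order
        elif (m := re.match(r"int\w*\s+(\S+)$", line)):
            iface = m.group(1)
        elif iface and (m := re.match(rf"ip access-group {acl} (in|out)$", line)):
            applied.setdefault(iface, set()).add(m.group(1))
    permit_at = next((i for i, e in enumerate(entries) if e == "permit ip any any"),
                     len(entries))
    for port in ports:
        rule = f"deny udp any any eq {port}"
        if rule not in entries:
            findings.append(f"missing: {rule}")
        elif entries.index(rule) > permit_at:   # never reached: permit matches first
            findings.append(f"shadowed by permit ip any any: {rule}")
    if not applied:
        findings.append(f"ACL {acl} is not applied to any interface")
    for name, dirs in sorted(applied.items()):
        findings += [f"{name}: ACL {acl} not applied {d}"
                     for d in ("in", "out") if d not in dirs]
    return findings
```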

Router ACL Settings for CatOS Routers

Example VACL on the 6500

To configure:

set security acl ip WORM deny udp any eq 1434 any
set security acl ip WORM deny udp any any eq 1434
set security acl ip WORM deny udp any eq 1433 any
set security acl ip WORM deny udp any any eq 1433
set security acl ip WORM permit any
commit security acl WORM
set security acl map WORM <vlan>

Set port to VLAN-based:

set port qos <mod/port> vlan-based

To verify:

show security acl info all

To remove:

clear security acl WORM
commit security acl WORM

BBSD Software

Customers running the BBSD software can protect their systems by applying the following Microsoft patches.

BBSD system with the MSDE database

Versions 5.0 and 5.1: Install Microsoft MSDE Service Pack 3, which was released January 27, 2003.

BBSD system with the Microsoft SQL Server database

Versions 5.0, 5.1, and 5.2: Install Microsoft SQL Service Pack 3, released last week.

For More Information

If you require further assistance, or if you have any further questions regarding this field notice, please contact the Cisco Systems Technical Assistance Center (TAC) by one of the following methods:
