
Cisco Security Advisory: MS SQL Worm Mitigation Recommendations

Document ID: 40160

Revision 1.6

Last Updated 2003 February 13 11:30 UTC

For Public Release 2003 January 25 14:00:00 UTC




Contents

Summary
Details
Symptoms
Workarounds
Exploitation and Public Announcements
Status of This Notice
Distribution
Revision History
Cisco Security Procedures

Summary

Cisco customers are currently experiencing attacks due to a new worm that has hit the Internet. The signature of this worm is a high volume of UDP traffic to port 1434. Affected customers have been experiencing high volumes of traffic from both internal and external systems. Symptoms on Cisco devices include, but are not limited to, high CPU and traffic drops on the input interfaces.

The worm has been referenced by several names, including "Slammer", "Sapphire" and "MS SQL worm".

Cisco has a companion document detailing Cisco products which are affected directly by this worm:

http://www.cisco.com/warp/public/707/cisco-sa-20030126-ms02-061.shtml

Details

TCP port 1433 and UDP port 1434 are used for SQL server traffic. A new worm has been targeting UDP port 1434 and is attempting to exploit a buffer overflow vulnerability in Microsoft's SQL server.

Microsoft has issued a security advisory about this issue, the details are here:

http://www.microsoft.com/technet/security/virus/alerts/slammer.asp

On the Microsoft operating system itself, UDP port 1434 can be blocked using an IPSec policy.

This document details mitigation techniques for blocking and filtering UDP port 1434 traffic using Cisco devices.

Symptoms

You may see instability in networks due to increased load, as the traffic volume generated by this worm is very high.

Workarounds

Thus far the best mitigation is to block inbound and outbound traffic destined to UDP port 1434. Care must be taken to minimize the impact on mission-critical services, since 1434/udp and 1433/tcp are legitimately used by Microsoft SQL Server. Before blocking traffic to these ports completely, make sure that the possible effects on your network are understood. Once UDP port 1434 is blocked completely, the spread of the worm in its current form will be contained. Affected systems will still be infected and able to spread within the contained section of the network; therefore it is recommended that all affected servers be patched according to Microsoft's recommendations.

Information regarding strategies for protecting against Distributed Denial of Service attacks may be found at http://www.cisco.com/warp/public/707/newsflash.html.

Note: These workarounds previously blocked both ports 1433 and 1434, although we have received no evidence that blocking port 1433 has any effect on the attack. We have been alerted that mission-critical services such as IP phone networks require traffic to flow on port 1433, and have corrected the recommended ACLs accordingly.

Caution: As with any configuration change in a network, evaluate the impact of this configuration prior to applying the change.

ACL for IOS

This workaround applies to most router platforms unless a platform is mentioned specifically below.

Note: If you are trying to track source addresses, use Sampled NetFlow rather than "log" statements in ACLs, as the high traffic volume in combination with the log statement can overwhelm the router.

access-list 115 deny udp any any eq 1434
access-list 115 permit ip any any

int <interface>
ip access-group 115 in
ip access-group 115 out

The worm will attempt to send packets to random IP addresses, some of which may not exist. When that occurs, the router replies with an "ICMP unreachable" packet. Replying to a large number of packets for unreachable addresses may degrade the router's performance. To prevent that from occurring, use the following command:

Router(config)# interface <interface>
Router(config-if)# no ip unreachables

Caution: Some configurations, such as certain types of tunnel structures, require the use of "ip unreachables". If the router must be able to send "ICMP unreachable" packets, you can rate limit the number of replies using the following command:

Router(config)# ip icmp rate-limit unreachable <milliseconds>

The argument is the minimum interval, in milliseconds, between ICMP unreachable messages. Beginning with IOS 12.0, the default is one unreachable every 500 milliseconds, that is, two packets per second.

Cisco 12000

Receive ACL Feature

On a Cisco 12000 (GSR) series router, packets destined to the router's own IP addresses are "punted" to the gigabit route processor (GRP) for processing. To protect the GRP, receive ACLs (rACLs) can be applied. rACLs filter traffic destined to the GRP: only traffic explicitly permitted is processed by the GRP, and denied traffic is dropped. In general, rACLs do not affect transit traffic (traffic flowing through the router), only traffic destined to the router itself.

rACLs are an extremely effective countermeasure for mitigating the effects of excessive attack traffic destined to the GRP. For more information please refer to:
GSR: Receive Access Control Lists.

VACL on the 6500

For simplicity and consistency, Cisco is now recommending the use of IOS ACLs on the Cisco Catalyst 4000 with a Sup3 and Hybrid and Native configurations of the Cisco Catalyst 6500. Additionally, the use of "no ip unreachables" is recommended.

If you have already applied the VACL configuration originally found in this page, it is effective and does not need to be changed. The Catalyst 6000 can use IOS ACLs; however, for some configurations, VACLs may be indicated.

Caution: As when making any configuration change, use caution when using VACLs in conjunction with IOS ACLs.

To configure:

set security acl ip WORM deny udp any any eq 1434
set security acl ip WORM permit any
commit security acl WORM
set security acl map WORM <vlan>

To verify:

show security acl info all

To remove:

clear security acl WORM
commit security acl WORM

CatOS with Sup2 and MLS

MLS statistics can help track down infected hosts. NetFlow should be enabled in full flow to see source and destination ports, as in the following example:
switch> (enable) sh mls statistics entry ip
Last Used
Destination IP   Source IP        Prot  DstPrt SrcPrt Stat-Pkts  Stat-Bytes
---------------- ---------------- ----- ------ ------ ---------- ---------------
10.81.176.91     172.16.34.35     UDP   1434   2776   0          0
172.31.171.82    172.16.34.35     UDP   1434   2776   0          0
168.192.57.204   172.16.188.61    UDP   1434   3460   1          404
172.17.136.55    172.16.34.135    UDP   1434   2917   0          0
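The MLS statistics output above is the raw material for tracking down infected hosts, but on a busy switch it runs to thousands of rows. The following Python script is an added example, not Cisco code or part of this notice: it parses "show mls statistics entry ip" output and ranks sources by how many distinct destinations they have hit on UDP/1434. The sample input is the four rows from this page re-laid out in the command's column order; the function names (parse_mls, suspects) are chosen here and the column regex assumes the layout shown above.

```python
import re
from collections import defaultdict

# Added example (not Cisco code): parse 'show mls statistics entry ip' output and
# rank sources by how many distinct destinations they have hit on UDP/1434.
# A Slammer-infected host sprays single packets at random addresses, so it shows up
# as one source with many destination entries in a full-flow NetFlow table.

# Sample input: the four rows shown in this notice, re-laid out in the command's
# column order (constructed from the page, not a fresh capture).
SAMPLE_OUTPUT = """\
Last Used
Destination IP   Source IP        Prot  DstPrt SrcPrt Stat-Pkts  Stat-Bytes
---------------- ---------------- ----- ------ ------ ---------- ---------------
10.81.176.91     172.16.34.35     UDP   1434   2776   0          0
172.31.171.82    172.16.34.35     UDP   1434   2776   0          0
168.192.57.204   172.16.188.61    UDP   1434   3460   1          404
172.17.136.55    172.16.34.135    UDP   1434   2917   0          0
"""

# One flow row: dst, src, protocol, dst port, src port, packets, bytes.
# Header, separator and prompt lines do not match and are skipped.
ROW = re.compile(
    r"^(\d+\.\d+\.\d+\.\d+)\s+(\d+\.\d+\.\d+\.\d+)\s+(\S+)\s+(\S+)\s+(\S+)\s+(\d+)\s+(\d+)\s*$"
)


def parse_mls(text):
    """Return a list of flow dicts, one per data row, in the order shown."""
    flows = []
    for line in text.splitlines():
        m = ROW.match(line.strip())
        if not m:
            continue
        dst, src, proto, dport, sport, pkts, nbytes = m.groups()
        flows.append({"dst": dst, "src": src, "proto": proto.upper(),
                      "dport": dport, "sport": sport,
                      "pkts": int(pkts), "bytes": int(nbytes)})
    return flows


def suspects(flows, dport="1434", proto="UDP"):
    """Sources sending to proto/dport, ranked by distinct destinations (most first).

    Distinct destinations, not packet counts, is the signal: every worm packet goes
    to a new random address and so creates a new flow entry for the same source."""
    targets = defaultdict(set)
    for f in flows:
        if f["proto"] == proto and f["dport"] == dport:
            targets[f["src"]].add(f["dst"])
    return sorted(((src, len(d)) for src, d in targets.items()),
                  key=lambda item: (-item[1], item[0]))


if __name__ == "__main__":
    for src, count in suspects(parse_mls(SAMPLE_OUTPUT)):
        print(f"{src:16s} {count} destination(s) on UDP/1434")
```

On the sample rows, 172.16.34.35 comes out on top with two destinations; on real output the infected hosts stand out by orders of magnitude. The same approach applies to Sampled NetFlow export on a router, but those records are a different format and need a different parser.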

Catalyst 3550

Apply the IOS ACL on switch virtual interfaces (SVIs), which are Layer 3 interfaces to VLANs; on physical Layer 3 interfaces; and on Layer 3 EtherChannel interfaces, in the inbound and/or outbound direction. Ensure "no ip unreachables" is configured on the interface.

Apply the IOS ACL to Layer 2 interfaces on the switch only if an IOS ACL is not also applied to the input of a Layer 3 interface (an error message is generated upon attempts to do so). For Layer 2 interfaces the IOS ACL is supported on the physical interfaces only and not on EtherChannel interfaces. It can be applied on the inbound direction only.

Catalyst 2950

Apply the IOS ACL to the interface. Note that ACLs are only supported in the inbound direction. To apply ACLs to physical interfaces, the enhanced software image (EI) must be installed.

Catalyst 2900XL and 3500XL

These are Layer 2 switches with no Layer 3 access list support.

PIX

Generally, the PIX will block this worm unless it has been explicitly configured to permit access to MS-SQL services, as in the following examples:

access-list acl_out permit udp any host <address> eq 1434

or in previous versions of the PIX software:

conduit permit udp any any eq 1434

These commands permit the worm to reach the SQL server (the host at <address> in the first example, any host in the second). If it is not possible to patch the affected servers, it is recommended to close those ports by changing the statements to deny instead of permit, or by removing the commands completely.

Additionally, customers should deny outbound attempts to this port:

access-list acl_inside deny udp any any eq 1434

or use the corresponding outbound lists; however, access-lists are strongly recommended in lieu of outbound lists.
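The ACL semantics that both the IOS section and the PIX section rely on (first matching line wins, an implicit deny at the end, and matching on destination port only) are easy to get wrong when editing a list under pressure. The following Python script is an added example, not Cisco code or anything from this notice: it parses the subset of access-list syntax used on this page and evaluates constructed sample flows against ACL 115 and against a hypothetical PIX acl_out line. The addresses are invented for the example and stand in for the page's <address> placeholder; Packet, parse_acl, evaluate, decisions and pix_before_after are names chosen here.

```python
import ipaddress
from dataclasses import dataclass

# Added example (not Cisco code): a first-match evaluator for the subset of
# access-list syntax that appears in this notice:
#   access-list <id> (permit|deny) <proto> <src> <dst> [eq <dport>]
# where <src>/<dst> is "any", "host A.B.C.D" or "A.B.C.D WILDCARD".
# Source-port matching ("eq" right after the source address) is out of scope.


@dataclass
class Packet:
    proto: str      # "udp", "tcp" or "icmp"
    src: str        # source IPv4 address
    dst: str        # destination IPv4 address
    dport: int = 0  # destination port (0 when not applicable)


def _parse_addr(tokens, i):
    """Parse one address spec starting at tokens[i]; return (network, next index)."""
    if tokens[i] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    if tokens[i] == "host":
        return ipaddress.ip_network(tokens[i + 1] + "/32"), i + 2
    addr, wildcard = tokens[i], tokens[i + 1]
    # IOS wildcard masks are inverted netmasks; a contiguous wildcard is assumed
    prefix = 32 - bin(int(ipaddress.ip_address(wildcard))).count("1")
    return ipaddress.ip_network(f"{addr}/{prefix}", strict=False), i + 2


def parse_acl(text):
    """Turn access-list lines into (action, proto, src_net, dst_net, dport) rules, in order."""
    rules = []
    for line in text.strip().splitlines():
        t = line.split()
        if len(t) < 6 or t[0] != "access-list":
            continue
        action, proto = t[2], t[3]
        src, i = _parse_addr(t, 4)
        dst, i = _parse_addr(t, i)
        dport = int(t[i + 1]) if i < len(t) and t[i] == "eq" else None
        rules.append((action, proto, src, dst, dport))
    return rules


def evaluate(rules, pkt):
    """First matching rule decides; an unmatched packet hits the implicit deny."""
    for action, proto, src, dst, dport in rules:
        if proto != "ip" and proto != pkt.proto:
            continue
        if ipaddress.ip_address(pkt.src) not in src or ipaddress.ip_address(pkt.dst) not in dst:
            continue
        if dport is not None and dport != pkt.dport:
            continue
        return action
    return "deny"


# The IOS ACL from this notice, verbatim.
ACL_115 = """
access-list 115 deny udp any any eq 1434
access-list 115 permit ip any any
"""
RULES_115 = parse_acl(ACL_115)

# Constructed sample flows (addresses invented for the example, not from the page).
SAMPLE_FLOWS = {
    "worm probe (UDP to 1434)":              Packet("udp", "10.1.1.5", "192.168.7.9", 1434),
    "SQL client (TCP to 1433)":              Packet("tcp", "10.1.1.5", "192.168.7.9", 1433),
    "reply from server port 1434 to client": Packet("udp", "192.168.7.9", "10.1.1.5", 50123),
    "DNS query (UDP to 53)":                 Packet("udp", "10.1.1.5", "192.168.7.53", 53),
}


def decisions():
    """Decision of ACL 115 for every sample flow (same result inbound or outbound)."""
    return {name: evaluate(RULES_115, pkt) for name, pkt in SAMPLE_FLOWS.items()}


def pix_before_after(server="192.168.7.9"):
    """The PIX fix from this notice: the permit line for the SQL host flipped to deny.
    'server' stands in for the page's <address> placeholder (hypothetical value)."""
    before = parse_acl(f"access-list acl_out permit udp any host {server} eq 1434")
    after = parse_acl(f"access-list acl_out deny udp any host {server} eq 1434")
    probe = Packet("udp", "203.0.113.10", server, 1434)
    return evaluate(before, probe), evaluate(after, probe)


if __name__ == "__main__":
    for name, verdict in decisions().items():
        print(f"{verdict:6s}  {name}")
    print("PIX before/after:", pix_before_after())
```

The "reply from server port 1434" flow passes because the ACL matches on destination port only; a reply leaving a server's port 1434 towards an ephemeral client port is not what the deny line describes, which is also why the TCP 1433 client traffic the note above worries about is untouched.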

CSIDS Signature

If a Cisco Secure Intrusion Detection System is in use, a signature update file is available here: http://www.cisco.com/pcgi-bin/tablebuild.pl/ids-appsens and ftp.cisco.com/cisco/crypto/3DES/ciscosecure/ids/appliance-sensor.

Alternatively, a custom signature string can be added to address this worm. Brief instructions are included here.

Tune Signature Parameters  :  CSIDS Signature Wizard
___________________________________________________________________________

 Current Signature: Engine STRING.UDP SIGID 2nnnn (any number between 20000 and 50000)
           SigName: SQL Slammer
___________________________________________________________________________

  0 - Edit ALL Parameters
  1 - AlarmInterval        =
  2 - AlarmThrottle        = FireAll
  3 - ChokeThreshold       =
  4 - Direction            = ToService
  5 - FlipAddr             =
  6 - LimitSummary         =
  7 - MaxInspectLength     = 360
  8 - MinHits              =
  9 - MinMatchLength       =
 10 * RegexString          = \x04\x01\x01\x01\x01\x01.*[.][Dd][Ll][Ll]
 11 - ResetAfterIdle       = 15
 12 * ServicePorts         = 1434
 13 - SigComment           =
 14 - SigName              = SQL Slammer
 15 - SigStringInfo        =
 16 - ThrottleInterval     = 15
 17 - WantFrag             =
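To see what the RegexString, MaxInspectLength and ServicePorts parameters above actually do to a packet, here is an added Python example; it is not Cisco code and not the sensor's own STRING.UDP engine. It applies the same regular expression to constructed UDP payloads that are made up to have the shape the signature keys on (a 0x04 byte followed by 0x01 padding and a ".dll" string later in the packet); they are not captured worm traffic. Two assumptions are modeled: Direction=ToService is approximated by inspecting only packets whose destination port is in ServicePorts, and the engine's ".*" is assumed to span any byte value, which in Python requires re.DOTALL.

```python
import re

# Added example (not Cisco code): Python model of the custom CSIDS signature above.
# Signature parameters copied from the wizard output on this page:
REGEX_STRING = rb"\x04\x01\x01\x01\x01\x01.*[.][Dd][Ll][Ll]"
MAX_INSPECT_LENGTH = 360
SERVICE_PORTS = {1434}

# Assumption: the STRING.UDP engine matches across any byte value, so the Python
# equivalent needs re.DOTALL; without it '.*' would stop at a 0x0A byte in the payload.
SIGNATURE = re.compile(REGEX_STRING, re.DOTALL)


def matches(udp_dport, payload):
    """True when the packet would fire the signature as parameterised above."""
    if udp_dport not in SERVICE_PORTS:          # Direction=ToService, ServicePorts=1434
        return False
    # MaxInspectLength=360: only the first 360 payload bytes are searched
    return SIGNATURE.search(payload[:MAX_INSPECT_LENGTH]) is not None


# Constructed sample payloads (invented for this example, not captured worm traffic).
WORM_LIKE = (
    b"\x04" + b"\x01" * 96                 # type 0x04 request padded with 0x01 bytes
    + bytes(range(64))                     # arbitrary filler standing in for exploit code; includes 0x0A
    + b"kernel32.dll\x00ws2_32.dll\x00"   # DLL names the tail of the regex looks for
    + bytes(range(200))
)
# A constructed lookup of a named instance: starts with 0x04 but has no 0x01 padding.
LEGIT_INSTANCE_QUERY = b"\x04" + b"MSSQLSERVER\x00"
# The '.dll' sits beyond byte 360, so MaxInspectLength hides it from the engine.
LATE_DLL = b"\x04" + b"\x01" * 5 + b"A" * 400 + b"x.dll"


def run_samples():
    """Signature decision for each constructed payload."""
    return {
        "worm-like to 1434": matches(1434, WORM_LIKE),
        "worm-like to 1433": matches(1433, WORM_LIKE),
        "instance query to 1434": matches(1434, LEGIT_INSTANCE_QUERY),
        "dll past 360 bytes": matches(1434, LATE_DLL),
        "dll past 360 bytes, uncapped": SIGNATURE.search(LATE_DLL) is not None,
    }


if __name__ == "__main__":
    for name, fired in run_samples().items():
        print(f"{'ALARM' if fired else 'pass ':5s}  {name}")
```

The last two samples show the practical edge of MaxInspectLength: a ".dll" string past byte 360 is invisible to the signature even though the regex alone would match, so the value must be chosen with the real packet layout in mind rather than lowered for performance alone.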

Exploitation and Public Announcements

This issue is being exploited actively and has been discussed in numerous public announcements and messages. Some Cisco products are affected by this worm; please consult the companion document, Cisco Security Advisory: Microsoft SQL Server 2000 Vulnerabilities in Cisco Products - MS02-061.

Status of This Notice: INTERIM

This is an interim notice. Although Cisco cannot guarantee the accuracy of all statements in this notice, all of the facts have been checked to the best of our ability. Cisco anticipates issuing updated versions of this notice when there is material change in the facts.

Distribution

This notice will be posted on Cisco's worldwide website at http://www.cisco.com/warp/public/707/cisco-sn-20030125-worm.shtml. In addition to worldwide web posting, a text version of this notice is clear-signed with the Cisco PSIRT PGP key and is posted to the following e-mail and Usenet news recipients:

Future updates of this notice, if any, will be placed on Cisco's worldwide web. Users concerned about this problem are encouraged to check the URL given above for any updates.

Revision History

Revision 1.0  25-January-2003
  Initial public release.

Revision 1.1  25-January-2003
  Updates to Workarounds section, including information on PIX and CSIDS, and updates to all ACLs and VACLs: changed udp 1433 to tcp 1433, then removed 1433 altogether due to impact on critical applications.
  Updates to Summary section to reflect updated information.
  Changed Advisory to Notice, as this document covers mitigation and does not list affected products.

Revision 1.2  26-January-2003
  Updates to Details section: corrected Microsoft link.
  Updates to Workarounds section: added new paragraph after first paragraph, added new information on ACL for IOS.
  Updates to Exploitation section: added new paragraph with link.
  Updates to Security Procedures section: removed the sentence "Information regarding ....".

Revision 1.3  26-January-2003
  Updates to Summary section: added link to companion document.
  Updates to Workarounds section: removed section on VACL on the 6500.

Revision 1.4  27-January-2003
  Updates to Details section: changed port 1433 and 1434 information.
  Updates to Workarounds section: added "VACL on the 6500" section, changed the configuration example.
  Updates to PIX section: changed how the commands will permit this worm to connect to the server.
  Updates to CSIDS Signature section: changed the URL.

Revision 1.5  28-January-2003
  Updates to Workarounds section: moved "VACL on 6500" section, added VACL config example, removed duplicate untitled "VACL on 6500" section, added additional switch configuration notes. Corrected formatting in CSIDS section. Added multiple cautions on "ip unreachables", including the effect on configurations that require ip unreachables, such as tunnels.

Revision 1.6  13-February-2003
  Corrected VACL recommendations to remove source port 1434; clarified NetFlow requirement for MLS output; clarified Sampled NetFlow for tracking.

Cisco Security Procedures

If you have any new information that would be of use to us, please send email to psirt@cisco.com.

Complete information on reporting security vulnerabilities in Cisco products, obtaining assistance with security incidents, and registering to receive security information from Cisco, is available on Cisco's worldwide website at http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html. This includes instructions for press inquiries regarding Cisco security notices. All Cisco Security Advisories are available at http://www.cisco.com/go/psirt/.


This notice is Copyright 2003 by Cisco Systems, Inc. This notice may be redistributed freely after the release date given at the top of the text, provided that redistributed copies are complete and unmodified, and include all date and version information.




Updated: Oct 08, 2004
Document ID: 40160