This advisory describes a vulnerability that affects Cisco products and applications incorporating the use of the Microsoft SQL Server 2000 or the Microsoft SQL Server 2000 Desktop Engine (MSDE 2000).
A number of vulnerabilities that have been discovered that enable an attacker to execute arbitrary code or perform a denial of service against the server. These vulnerabilities were discovered and publicly announced by Microsoft in their Microsoft Security Bulletins MS02-039, MS02-056, and MS02-061.
All Cisco products and applications that are using unpatched Microsoft SQL Server 2000 or MSDE 2000 are vulnerable.
This advisory is available at https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20030126-ms02-061.
To determine if a product is vulnerable, review the list below. If the software versions or configuration information are provided, then only those combinations are vulnerable.
Implementations of the Microsoft SQL Server 2000 and MSDE 2000 are vulnerable to buffer overflows and denial of service attacks. These vulnerabilities can be exploited to execute arbitrary code on a computer system or to disrupt normal operation of the server.
The vulnerabilities have been described in more detail at:
Cisco has published a companion document at http://www.cisco.com/warp/public/707/cisco-sn-20030125-worm.shtml which provides network based workarounds to mitigate the effects of these vulnerabilities. Cisco also recommends applying the software based fixes to affected devices to completely resolve the vulnerability.
- Cisco CallManager
Customers running version 3.3(x) should install Cisco's cumulative SQL 2000 Hotfix, SQL2K-MS02-061.exe, from the following location:
- Cisco Unity
Customers should follow the instructions found in http://www.cisco.com/warp/public/788/AVVID/unity3_4_slamworm.html for upgrading their Cisco Unity servers.
- Cisco Building Broadband Service Manager
Software is now available on Cisco's website to patch BBSM 5.1. Version 5.0 and 5.2 are not vulnerable.
Before installing the security patch for this vulnerability, customers should install MSFIX1 and MSFIX2. Java Runtime 1.3.1 must also be installed after MSFIX1, but before MSFIX2.
Java Runtime 1.3.1_06 is available here:
The patch is available at this location:
Instructions for installing service patches on BBSM can be found here:
This issue is being exploited actively and has been discussed in numerous public announcements and messages.
To learn about Cisco security vulnerability disclosure policies and publications, see the Security Vulnerability Policy. This document also contains instructions for obtaining fixed software and receiving security vulnerability information from Cisco.
Revision 1.0 26-Jan-2003 Initial Public Release Revision 1.1 26-Jan-2003 Added new link (first link) under Details section. Revision 1.2 26-Jan-2003 Added new information in Cisco Building Broadband Service Manager section. Revision 1.3 27-Jan-2003 Added text to include MSDE 2000. Revision 1.4 27-Jan-2003 Removed ICM and Cisco E-mail Manager from Affected Products as they are not vulnerable to this issue. Revision 1.5 03-Feb-2003 Removed 5.0 from vulnerable versions of BBSM, updated Unity fixes with a more detailed link.
THIS DOCUMENT IS PROVIDED ON AN "AS IS" BASIS AND DOES NOT IMPLY ANY KIND OF GUARANTEE OR WARRANTY, INCLUDING THE WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR USE. YOUR USE OF THE INFORMATION ON THE DOCUMENT OR MATERIALS LINKED FROM THE DOCUMENT IS AT YOUR OWN RISK. CISCO RESERVES THE RIGHT TO CHANGE OR UPDATE THIS DOCUMENT AT ANY TIME.
A stand-alone copy or paraphrase of the text of this document that omits the distribution URL is an uncontrolled copy, and may lack important information or contain factual errors. The information in this document is intended for end-users of Cisco products.