Multiple Vulnerabilities in Microsoft SQL Server 2000 and MSDE

Multiple vulnerabilities exist in SQL Server 2000 and MSDE 2000, the most severe of which can lead to remote compromise of the vulnerable server.

Ken Pfeil

July 11, 2002

2 Min Read
ITPro Today logo in a gray background | ITPro Today

Reported July 11, 2002, byMicrosoft.

VERSIONS AFFECTED

·        Microsoft SQL Server 2000, all editions

·        Microsoft SQL Server Desktop Engine (MSDE) 2000

 

DESCRIPTION

Multiple vulnerabilities exist inSQL Server 2000 and MSDE 2000, the most severe of which can lead to remotecompromise of the vulnerable server. These vulnerabilities are

 

·         A buffer overrun vulnerability in a procedure that SQLServer uses to encrypt credential information. An attacker who successfullyexploits this vulnerability can gain control over the database and possibly theserver, depending on SQL Server's account privileges.

·        A buffer overrun vulnerability in a procedure relating tothe bulk insertion of data in SQL Server’s tables. An attacker whosuccessfully exploits this vulnerability can gain control over the database andpossibly the server.

·        A privilege elevation vulnerability that results because ofincorrect permissions on the registry key that stores the SQL Server serviceaccount information. An attacker who successfully exploits this vulnerabilitycan gain greater privileges on the system than the systems administrator has.

 

VENDOR RESPONSE

Thevendor, Microsoft, has released SecurityBulletin MS02-034(Cumulative Patch for SQL Server) to address this vulnerability and recommendsthat affected users download and apply the appropriate patch mentioned in thebulletin. These patches are cumulative and address all previously discoveredvulnerabilities in the affected product.

 

CREDIT
Discovered by CesarCerrudo and Mark Litchfieldof Next Generation Security Software.

Read more about:

Microsoft
Sign up for the ITPro Today newsletter
Stay on top of the IT universe with commentary, news analysis, how-to's, and tips delivered to your inbox daily.

You May Also Like