SQL Server Security Bulletin

Introduction:

This document analyzes the information given in the Microsoft bulletin regarding the Security patch that needs to be applied in all SQL Servers version 7 and above.

Scope of the Document:

1. Information regarding the Bulletin
2. Are we affected?
3. Deployment Plans and Guidance
4. Other points to ponder

Bulletin Information:

Bulletin URL: http://www.microsoft.com/technet/security/bulletin/MS08-040.mspx
http://support.microsoft.com/kb/941203#appliesto

Software Affected: SQL Server 7, 2000 and 2005 (32 bit and 64 bit) and (GDR and QFE releases)

[Image: security_bulletin_1]

The bulletin describes that a security patch has been released for known vulnerabilities in SQL Server and its components. The known vulnerabilities are listed below.

Memory Page Reuse Vulnerability – CVE-2008-0085
Convert Buffer Overrun – CVE-2008-0086
SQL Server Memory Corruption Vulnerability – CVE-2008-0107
SQL Server Buffer Overrun Vulnerability – CVE-2008-0106

Memory Page Reuse Vulnerability – CVE-2008-0085:

With this vulnerability, a database user with access can read other users' data through a custom application, because SQL Server does not initialize memory pages before reallocating the memory to other users.

Microsoft has not received any information from customers or other users that their systems have been exploited through this vulnerability; the vulnerability was reported through responsible disclosure.

Installing this security patch creates a new system stored procedure, sp_clean_db_free_space, that can be used to clear residual data from the pages. This procedure cleans up all the files in the database.

Mitigation Factor: Only users with database access can exploit this vulnerability.

Any other Workarounds:

Microsoft suggests setting the configuration option common criteria compliance enabled to 1. Enabling this option, however, degrades the performance of the system and the application.
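As an added example (not from the bulletin or from Microsoft), the following T-SQL for SQL Server 2005 reports whether the common criteria compliance workaround is in effect and runs the new sp_clean_db_free_space procedure across the online user databases; it assumes the update is already installed and that the login has sysadmin rights.

```sql
-- Added example, not from the bulletin. Assumes SQL Server 2005 with the
-- MS08-040 update installed (so sp_clean_db_free_space exists).

-- 1. Report the state of the "common criteria compliance enabled" workaround.
--    It is an advanced option, so expose it first. value and value_in_use
--    differ until the service has been restarted after a change.
--    (To turn it on: EXEC sp_configure 'common criteria compliance enabled', 1;
--     RECONFIGURE; then restart the service. Expect the performance cost noted above.)
EXEC sp_configure 'show advanced options', 1;
RECONFIGURE;
SELECT name, value, value_in_use
FROM sys.configurations
WHERE name = 'common criteria compliance enabled';

-- 2. Scrub residual data from the free pages of every online user database.
--    @cleaning_delay is a pause in seconds between page writes, which keeps the
--    extra I/O from competing with the application workload.
DECLARE @db sysname;
DECLARE dbs CURSOR LOCAL FAST_FORWARD FOR
    SELECT name
    FROM sys.databases
    WHERE database_id > 4            -- skip master, tempdb, model and msdb
      AND state_desc = 'ONLINE';
OPEN dbs;
FETCH NEXT FROM dbs INTO @db;
WHILE @@FETCH_STATUS = 0
BEGIN
    PRINT 'Cleaning free space in ' + QUOTENAME(@db);
    EXEC sp_clean_db_free_space @dbname = @db, @cleaning_delay = 1;
    FETCH NEXT FROM dbs INTO @db;
END;
CLOSE dbs;
DEALLOCATE dbs;
```

Run it during a maintenance window: the scrub rewrites free pages in every data file, so it is I/O heavy on large databases.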

Convert Buffer Overrun – CVE-2008-0086:

This vulnerability exists in the SQL Server convert function and allows an authenticated user to gain elevated control over the system.

Microsoft has not received any information from customers or other users that their systems have been exploited through this vulnerability; the vulnerability was reported through responsible disclosure.

Mitigation Factor: Only users with database access can exploit this vulnerability.

Any other Workarounds: None

SQL Server Memory Corruption Vulnerability – CVE-2008-0107:

This vulnerability exists in SQL Server and allows an authenticated user to gain elevated control over the system.

Microsoft has not received any information from customers or other users that their systems have been exploited through this vulnerability; the vulnerability was reported through responsible disclosure.

Mitigation Factor: Only users with database access can exploit this vulnerability.

Any other Workarounds: None

SQL Server Buffer Overrun Vulnerability – CVE-2008-0106:

This vulnerability exists in a SQL Server function and allows an authenticated user to gain elevated control over the system.

Microsoft has not received any information from customers or other users that their systems have been exploited through this vulnerability; the vulnerability was reported through responsible disclosure.

Mitigation Factor: Users with database access can exploit this vulnerability. In SQL Server 2005, the services run under non-administrator accounts by default, and SQL Server 2005 setup prompts for a domain account for the services.

Any other Workarounds: None

We can use Microsoft Baseline Security Analyzer (MBSA 2.1) to determine whether a system is vulnerable. MBSA 2.1 detects these vulnerabilities and also reports any other missing security updates.

Download URL:
http://technet.microsoft.com/en-us/security/cc184923.aspx

Deployment instructions are available at http://www.microsoft.com/technet/security/bulletin/MS08-040.mspx.

Verification after Installation: Executing the query SELECT @@VERSION should return the version number given below.

[Image: security_bulletin_3 – post-patch version numbers]

The same information can also be found in the log files in the directories listed below.

SQL Server 2000 – %WINDIR%\SQLHotfix
SQL Server 2005 – %PROGRAMFILES%\Microsoft SQL Server\90\Setup Bootstrap\LOG\Hotfix
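As an added example that is not part of the bulletin, this T-SQL reads the build from SERVERPROPERTY instead of reading @@version by eye and flags an instance whose build is below the expected one; the expected major version and build are placeholders to be filled in from the bulletin's version table for the GDR or QFE branch installed on the instance.

```sql
-- Added example, not from the bulletin. Works on SQL Server 2000 and 2005.
DECLARE @product_version nvarchar(128);
DECLARE @major int, @build int;
DECLARE @expected_major int, @expected_build int;

-- PLACEHOLDERS: take the values from the bulletin's post-patch version table
-- for the branch (GDR or QFE) installed on this instance.
SET @expected_major = 9;   -- 8 = SQL Server 2000, 9 = SQL Server 2005
SET @expected_build = 0;   -- minimum patched build for that branch

-- ProductVersion has the form major.minor.build.revision, e.g. 9.00.3042.00.
-- PARSENAME reads dotted names right to left: part 4 = major, part 2 = build.
SET @product_version = CONVERT(nvarchar(128), SERVERPROPERTY('ProductVersion'));
SET @major = CONVERT(int, PARSENAME(@product_version, 4));
SET @build = CONVERT(int, PARSENAME(@product_version, 2));

SELECT @@SERVERNAME                        AS instance_name,
       @product_version                    AS product_version,
       SERVERPROPERTY('ProductLevel')      AS product_level,   -- e.g. SP2
       SERVERPROPERTY('Edition')           AS edition,
       CASE WHEN @major <> @expected_major THEN 'wrong major version for this check'
            WHEN @build >= @expected_build THEN 'patched'
            ELSE 'NOT PATCHED: build below expected' END AS patch_status;
```

Run it against every instance, including named and disabled ones, since the known issues below mean the installer can silently skip some of them.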

Known Issues:

There are a few known issues with this update, as listed below.

1. Dependent services remain in the stopped state even though the SQL Server services have been started. We have to check and verify that all dependent services are started.
2. SQL Server services or components that are in the disabled state will not be updated. This security update requires that all services be enabled and running so that the installer detects them and applies the necessary patches.
3. If the installation does not complete successfully, we need to reboot the system so that the changes are rolled back.

953743 (http://support.microsoft.com/kb/953743/) Supported method for applying updates to SQL Server 7.0
953742 (http://support.microsoft.com/kb/953742/) SQL Server 2000 and MSDE 2000 installers stop dependent services
953741 (http://support.microsoft.com/kb/953741/) SQL Server 2005 installers stop dependent services
953740 (http://support.microsoft.com/kb/953740/) How to identify and enable disabled SQL Server instances in SQL Server 2000
953739 (http://support.microsoft.com/kb/953739/) SQL Server 2005 installers do not update an instance of the SQL Server service that is in a disabled state.

Other Points to Ponder:

This patch is included in SP3 of SQL Server 2005, which is scheduled for release in the third quarter of 2008. By the time the earnings freeze is over, we should have SP3 available, and we can schedule its installation so that this patch is applied as well.

http://blogs.technet.com/dataplatforminsider/archive/2008/04/15/sql-server-2005-sp3-coming-soon.aspx
http://blogs.technet.com/beatrice/archive/2008/04/16/sql-2005-sp3-announced.aspx
http://blogs.technet.com/dataplatforminsider/archive/2008/01/25/microsoft-sql-server-2008-roadmap-clarification.aspx
