Microsoft SQL Server named pipe denial of service
| mssql-named-pipe-dos (12700) |  Medium Risk |
Description:
Multiple versions of Microsoft SQL Server and Microsoft Desktop Engine (MSDE) are vulnerable to a denial of service, caused by a vulnerability in a named pipe. SQL server uses a specific named pipe to communicate with the server. A remote attacker with access to the local intranet can send an overly large packet to the named pipe to cause the server to stop responding and hang. The server must be restarted to regain normal functionality.
Consequences:
Denial of Service
Remedy:
Apply the appropriate patch for your system, as listed in Microsoft Security Bulletin MS03-031. See References.
Refer to @Stake Advisory A072303-2 for upgrade and workaround information. See References.
References:
- @stake Inc. Security Advisory A071202-1: Microsoft SQL Server DoS.
- @stake Inc. Security Advisory A072303-2: Microsoft SQL Server DoS.
- CIAC Information Bulletin N-125: Cumulative Patch for Microsoft SQL Server.
- Microsoft Security Bulletin MS03-031: Cumulative Patch for Microsoft SQL Server (815495).
- BID-8261: Microsoft SQL Server / MSDE Multiple Vulnerabilities
- BID-8274: Microsoft SQL Server / MSDE Named Pipe Denial Of Service Vulnerability
- CVE-2003-0231: Microsoft SQL Server 7, 2000, and MSDE allows local or remote authenticated users to cause a denial of service (crash or hang) via a long request to a named pipe.
- US-CERT VU#918652: Microsoft SQL Server becomes unresponsive when large packet is sent to specific named pipe
Platforms Affected:
- Microsoft Data Engine 1.0
- Microsoft SQL Server 2000
- Microsoft SQL Server 7.0
- Microsoft SQL Server Desktop Engine 2000
Reported:
Jul 23, 2003
The information within this database may change without notice. Use of this information constitutes acceptance for use in an AS IS condition. There are NO warranties, implied or otherwise, with regard to this information or its use. Any use of this information is at the user's risk. In no event shall the author/distributor (IBM Internet Security Systems X-Force) be held liable for any damages whatsoever arising out of or in connection with the use or spread of this information.
For corrections or additions please email xforce@iss.net