CVE-2002-0649

HIGH severity · CVSS 7.5 · Memory corruption

7.5CVSS HIGH

Summary

Multiple buffer overflows in the Resolution Service for Microsoft SQL Server 2000 and Microsoft Desktop Engine 2000 (MSDE) allow remote attackers to cause a denial of service or execute arbitrary code via UDP packets to port 1434 in which (1) a 0x04 byte that causes the SQL Monitor thread to generate a long registry key name, or (2) a 0x08 byte with a long string causes heap corruption, as exploited by the Slammer/Sapphire worm.

Impact & exploitability

Attack vectorNetwork

Attack complexityLow

Privileges required—

User interaction—

Confidentiality impact—

Integrity impact—

Availability impact—

Exploit probability (EPSS)86%

AV:N/AC:L/Au:N/C:P/I:P/A:P

Affected products we track (1)

Microsoft SQL Server

Recommendation

Apply the vendor fix promptly. Open any affected product above for its exact safe version.

Additional information

NVD record
http://secunia.com/advisories/7945Advisory
http://marc.info/?l=bugtraq&m=102760196931518&w=2
http://marc.info/?l=ntbugtraq&m=102760479902411&w=2
http://www.cert.org/advisories/CA-2002-22.html
http://www.cert.org/advisories/CA-2003-04.html
http://www.kb.cert.org/vuls/id/399260
http://www.kb.cert.org/vuls/id/484891
http://www.securityfocus.com/archive/1/308306/30/26180/threaded