Guide to Microsoft SQL Server Browser Service Access Amplification Issues

Posted: May 14th, 2018

Description:

The SQL Server Browser service enumerates SQL Server instance information on the network. In this way, attackers can use ordinary SQL Server clients to browse your infrastructure and retrieve a list of the running SQL Server instances.

The Microsoft SQL Server Browser service listens on port 1434/udp and accepts unauthenticated requests using the SQL Server Resolution Protocol (SSRP). Because UDP involves no handshake and the reply is much larger than the request, when this service is enabled and reachable from the Internet attackers may use it to launch denial of service attacks against third parties (amplification attacks using UDP packets with a forged source address).

Verifying whether your server/device is vulnerable:

Replace xx.xx.xx.xx with your server's IP address.

nmap -Pn -sV -sU -p U:1434 xx.xx.xx.xx

Example of output of a vulnerable server:

PORT     STATE SERVICE  VERSION
1434/udp open  ms-sql-m Microsoft SQL Server 11.0.2100.60 (ServerName: xxxxx; TCPPort: 1433)
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows
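The nmap check above tells you the port answers, but not how much larger the answer is than the request, which is what makes the service usable as an amplifier. The following PowerShell function is an added example, not part of the original advisory or of any Microsoft tooling: it sends a single SSRP CLNT_UCAST_EX request (one 0x03 byte, as defined in MS-SQLR) to your own server's 1434/udp port, parses the SVR_RESP reply (0x05, a 2-byte little-endian length, then the instance records) and reports the bytes-received-per-byte-sent ratio together with the instances the service discloses. The target address and the function name are assumptions; point it at your own server.

```powershell
# Added example, not code from the original advisory. Probes your own SQL Server
# Browser service once and measures the reply size. $TargetIp is an assumption:
# use your own server's address (the advisory's xx.xx.xx.xx).
function Test-SqlBrowserAmplification {
    param(
        [Parameter(Mandatory = $true)][string]$TargetIp,
        [int]$Port = 1434,
        [int]$TimeoutMs = 3000
    )

    $client = New-Object System.Net.Sockets.UdpClient
    $client.Client.ReceiveTimeout = $TimeoutMs
    try {
        $request = [byte[]](0x03)                       # SSRP CLNT_UCAST_EX: "list all instances"
        $client.Connect($TargetIp, $Port)
        [void]$client.Send($request, $request.Length)

        $remote = New-Object System.Net.IPEndPoint([System.Net.IPAddress]::Any, 0)
        $response = $client.Receive([ref]$remote)
    }
    catch [System.Net.Sockets.SocketException] {
        # No reply within the timeout: port closed or filtered, or the service is stopped.
        return [pscustomobject]@{
            Target = $TargetIp; Responds = $false
            BytesSent = 1; BytesReceived = 0; Ratio = 0; Instances = @()
        }
    }
    finally {
        $client.Close()
    }

    # SVR_RESP layout: 0x05, 2-byte little-endian RESP_SIZE, then RESP_DATA.
    if ($response.Length -lt 3 -or $response[0] -ne 0x05) {
        throw ("Unexpected reply from {0}: first byte 0x{1:X2}" -f $TargetIp, $response[0])
    }
    [int]$size = [BitConverter]::ToUInt16($response, 1)
    $data = [System.Text.Encoding]::ASCII.GetString($response, 3, [Math]::Min($size, $response.Length - 3))

    # Each instance record is "ServerName;X;InstanceName;Y;IsClustered;No;Version;Z;tcp;1433;;"
    # (key;value pairs, record terminated by ";;").
    $instances = foreach ($record in ($data -split ';;' | Where-Object { $_ })) {
        $fields = $record -split ';'
        $props = [ordered]@{}
        for ($i = 0; $i + 1 -lt $fields.Length; $i += 2) { $props[$fields[$i]] = $fields[$i + 1] }
        [pscustomobject]$props
    }

    [pscustomobject]@{
        Target        = $TargetIp
        Responds      = $true
        BytesSent     = $request.Length
        BytesReceived = $response.Length
        Ratio         = [math]::Round($response.Length / $request.Length, 1)
        Instances     = $instances
    }
}

# Usage (assumed address): Test-SqlBrowserAmplification -TargetIp 'xx.xx.xx.xx'
```

A server that answers the one-byte request with a reply of a hundred or more bytes is the condition the advisory describes; a timeout (Responds = False) after applying one of the resolutions below is what you want to see.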

Resolution:

You can choose one of the following solutions to secure your server:

1) Add a firewall rule to block all incoming connections from the Internet to port 1434/udp on your server

2) Add firewall rules to allow connections to this service (on port 1434/udp) only from authorized endpoints

3) Disable the SQL Server Browser Service entirely (this is a valid option if you run only one instance of SQL Server and it is on the default port).
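The three options above can be applied with the cmdlets built into Windows Server 2012 and later (NetSecurity module and the service cmdlets). The function below is an added example written for this guide, not code from the original advisory or from Microsoft; the rule display names, the function name and the addresses in $AllowedEndpoints are assumptions, so replace the addresses with your own management hosts or subnets. One Windows Firewall detail matters for option 2: an explicit Block rule always wins over an Allow rule for the same traffic, so restricting access to trusted endpoints is done by scoping the Allow rule and relying on the profile's default inbound action, not by adding a second, broader Block rule.

```powershell
# Added example, not code from the original advisory. Run in an elevated session.
# $AllowedEndpoints holds constructed sample addresses; put your own there.
function Protect-SqlBrowser {
    param(
        [Parameter(Mandatory = $true)][ValidateSet(1, 2, 3)][int]$Option,
        [string[]]$AllowedEndpoints = @('192.0.2.10', '198.51.100.0/24')  # constructed sample values
    )
    $port = 1434

    switch ($Option) {
        1 {
            # Option 1: explicit block rule. Block beats Allow in Windows Firewall,
            # so this closes the port even if an older "SQL Browser" allow rule exists.
            New-NetFirewallRule -DisplayName 'Block SQL Browser 1434/udp from anywhere' `
                -Direction Inbound -Protocol UDP -LocalPort $port `
                -Action Block -Profile Any | Out-Null
        }
        2 {
            # Option 2: allow only trusted endpoints. Narrow every existing inbound
            # allow rule for the port, or create a scoped one if none exists.
            $existing = Get-NetFirewallPortFilter -Protocol UDP |
                Where-Object { $_.LocalPort -eq "$port" } |
                Get-NetFirewallRule |
                Where-Object { $_.Direction -eq 'Inbound' -and $_.Action -eq 'Allow' }
            foreach ($rule in $existing) {
                $rule | Set-NetFirewallRule -RemoteAddress $AllowedEndpoints
            }
            if (-not $existing) {
                New-NetFirewallRule -DisplayName 'Allow SQL Browser 1434/udp from trusted endpoints' `
                    -Direction Inbound -Protocol UDP -LocalPort $port `
                    -RemoteAddress $AllowedEndpoints -Action Allow -Profile Any | Out-Null
            }
            # A profile whose default inbound action is Allow would still expose
            # the port to everyone, so report it.
            Get-NetFirewallProfile |
                Where-Object { $_.DefaultInboundAction -eq 'Allow' } |
                ForEach-Object { Write-Warning "Profile $($_.Name): default inbound action is Allow" }
        }
        3 {
            # Option 3: stop and disable the service itself. As the advisory notes,
            # only appropriate when a single instance listens on the default port.
            Stop-Service -Name SQLBrowser -Force -ErrorAction Stop
            Set-Service -Name SQLBrowser -StartupType Disabled
        }
    }

    # Show the resulting state so the change can be confirmed before re-running nmap.
    Get-Service -Name SQLBrowser | Select-Object Name, Status, StartType
    Get-NetFirewallPortFilter -Protocol UDP |
        Where-Object { $_.LocalPort -eq "$port" } |
        Get-NetFirewallRule |
        Select-Object DisplayName, Direction, Action, Enabled
}

# Usage in an elevated session: Protect-SqlBrowser -Option 2
```

After applying any option, repeat the nmap check from the Internet side; the port should now report closed or filtered rather than open.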

External references:

http://www.networkinghowtos.com/howto/what-is-the-microsoft-sql-browser-service/

http://kurtaubuchon.blogspot.ca/2015/01/mc-sqlr-amplification-ms-sql-server.html

https://technet.microsoft.com/en-us/library/ms181087%28v=sql.105%29.aspx

http://www.greensql.com/content/sql-server-security-best-practices

https://msdn.microsoft.com/en-us/library/ms175483.aspx