CERT-Bund-Reports

Openly accessible MSSQL browser services

Microsoft SQL Server (MSSQL) includes the 'SQL Server Browser' service, which listens on port 1434/udp and lets clients connect to instances of the database engine that are not listening on the default port 1433/tcp, without knowing the port number. A client sends a short request to this port and the browser service answers with the names, versions, TCP ports and named pipes of all instances on the host.

Problem

An openly accessible MSSQL browser service discloses information about the host and the SQL Server instances running on it (server name, instance names, version numbers, TCP ports and named pipes), which potential attackers can use to prepare further attacks. In addition, because the service uses UDP and answers a one-byte request with a response of typically several hundred bytes without verifying the source address, it can be abused as a reflector and amplifier in DDoS attacks against third parties: an attacker sends requests with the spoofed source address of the victim, and the SQL Server answers to the victim.

Verification

In this section, we show how to check a host for an openly accessible service. All tests are performed using tools commonly included with standard Linux/Unix distributions. To verify that the service is openly accessible from the Internet, the test must not be run on the host itself or from the local network, but from a different node on the Internet, for example a host on a cable/DSL line. In all examples, replace 192.168.45.67 with the IP address of the host to check.

To check if an MSSQL browser service is openly accessible from the Internet, send a request to port 1434/udp of the host using 'netcat' as follows:

$ netcat -u 192.168.45.67 1434

Then, press <Ctrl+B> followed by <Enter>. <Ctrl+B> sends the single byte 0x02, which in the SQL Server Resolution Protocol (MS-SQLR) is the CLNT_BCAST_EX request asking the browser service to list all instances on the host.

An openly accessible MSSQL browser service will return a response like this:

ServerName;S16362421;InstanceName;MSSQLSERVER2012;
IsClustered;No;Version;11.0.2100.60;tcp;49511;np;
\\S16462341\pipe\MSSQL$MSSQLSERVER2012\sql\query;;

Otherwise, there will be no response. As UDP is connectionless, netcat does not report an error but simply keeps waiting; terminate it with <Ctrl+C> after a few seconds. Note that from the outside a host whose firewall silently drops the packet looks the same as a host on which the service is disabled.
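The same check can be automated and the reply parsed, which is also the easiest way to measure how much amplification a reflector offers. The following script is an added example and not part of the CERT-Bund report; it sends the same one-byte CLNT_BCAST_EX request (0x02) that <Ctrl+B> produces, parses the SVR_RESP reply according to the MS-SQLR message format (0x05, a two-byte little-endian length, then ';'-separated key/value fields with each instance terminated by ';;') and reports the amplification factor. The sample response embedded in the script is constructed from the reply shown above so that the parser can be exercised without network access; the host name, port and timeout parameters are assumptions for illustration.

```python
"""Send the SSRP request that <Ctrl+B> in netcat produces and parse the answer.

Added example, not part of the CERT-Bund report. Message formats follow the
SQL Server Resolution Protocol (MS-SQLR): a one-byte CLNT_BCAST_EX request
(0x02) and an SVR_RESP reply (0x05, two-byte little-endian length, then
';'-separated key/value fields, each instance terminated by ';;').
"""
import socket
from typing import Dict, List, Optional

CLNT_BCAST_EX = b"\x02"  # "list all instances"; the byte <Ctrl+B> sends
SVR_RESP = 0x05          # first byte of every browser-service reply


def parse_svr_resp(data: bytes) -> List[Dict[str, str]]:
    """Split an SVR_RESP message into one dict per SQL Server instance."""
    if len(data) < 3 or data[0] != SVR_RESP:
        raise ValueError("not an SSRP SVR_RESP message")
    size = int.from_bytes(data[1:3], "little")
    body = data[3:3 + size].decode("ascii", errors="replace")
    instances = []
    for record in body.split(";;"):
        fields = record.split(";")
        if len(fields) < 2:
            continue  # trailing empty element after the final ';;'
        # Fields alternate key, value: ServerName;X;InstanceName;Y;...
        instances.append(dict(zip(fields[0::2], fields[1::2])))
    return instances


def amplification_factor(request: bytes, response: bytes) -> float:
    """Bytes returned per byte sent; this is what makes reflection attractive."""
    return len(response) / len(request)


def probe(host: str, port: int = 1434, timeout: float = 3.0) -> Optional[bytes]:
    """Send CLNT_BCAST_EX to host:port/udp and return the raw reply, or None.

    No reply means either no browser service or a firewall dropping the
    packet; from the outside the two cases are indistinguishable.
    """
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(CLNT_BCAST_EX, (host, port))
        try:
            reply, _ = sock.recvfrom(65535)
        except socket.timeout:
            return None
    return reply


# Constructed sample: the response body quoted in the report, wrapped in the
# SVR_RESP header so the parser can be exercised offline.
SAMPLE_BODY = (
    b"ServerName;S16362421;InstanceName;MSSQLSERVER2012;"
    b"IsClustered;No;Version;11.0.2100.60;tcp;49511;np;"
    b"\\\\S16462341\\pipe\\MSSQL$MSSQLSERVER2012\\sql\\query;;"
)
SAMPLE_RESPONSE = bytes([SVR_RESP]) + len(SAMPLE_BODY).to_bytes(2, "little") + SAMPLE_BODY


if __name__ == "__main__":
    import sys

    # Use a live probe when a host is given on the command line, else the sample.
    data = probe(sys.argv[1]) if len(sys.argv) > 1 else SAMPLE_RESPONSE
    if data is None:
        print("no response (service disabled or filtered)")
    else:
        for inst in parse_svr_resp(data):
            print(f"{inst.get('InstanceName')}: version {inst.get('Version')}, "
                  f"tcp port {inst.get('tcp', '-')}")
        print(f"amplification: {amplification_factor(CLNT_BCAST_EX, data):.0f}x")
```

Run it as `python3 ssrp_probe.py 192.168.45.67` from a host on the Internet; the one-byte request against the sample reply above yields a response of over 150 bytes, and hosts with several instances answer with correspondingly longer messages, which is exactly the asymmetry a reflection attack exploits.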

Solution

If the MSSQL browser service is not needed, stop it and set its startup type to disabled (Windows service name: SQLBrowser). Otherwise, restrict access to trusted clients, for example by blocking incoming packets to port 1434/udp on the firewall for all source networks except those that need it. Clients that know the instance's port do not need the browser service at all and can be configured to connect to that port directly (for example 'host,port' as the server name in the connection string).

Microsoft recommends:
"The SQL Server Browser service lets users connect to instances of the Database Engine that are not listening on port 1433, without knowing the port number. To use SQL Server Browser, you must open UDP port 1434. To promote the most secure environment, leave the SQL Server Browser service stopped, and configure clients to connect using the port number."
(https://msdn.microsoft.com/library/ms175043.aspx)

Further information