PT-2008-6533 · Microsoft · Sql Server 2000+5
Guido Landi · Published 2008-12-10 · Updated 2018-10-12 · CVE-2008-5416
CVSS v2.0: 9.0 (High)
Vector: AV:N/AC:L/Au:S/C:C/I:C/A:C
Name of the Vulnerable Software and Affected Versions
Microsoft SQL Server 2000 versions 8.00.2039 through 8.00.2050
Microsoft SQL Server 2005 version 9.00.1399.06
Microsoft SQL Server 2000 Desktop Engine (MSDE 2000) version SP4
Microsoft SQL Server 2000 Desktop Engine (WMSDE) on Windows Server 2003 versions SP1 through SP2
Windows Internal Database (WYukon) version SP2
Description
A remote code execution issue exists due to the way SQL Server checks parameters in the sp_replwritetovarbin extended stored procedure. This could allow an attacker to execute arbitrary code if they have access to an affected system or if a SQL injection vulnerability exists. An attacker who successfully exploits this issue could gain complete control of the system, allowing them to install programs, view, change, or delete data, or create new accounts.
Recommendations
For Microsoft SQL Server 2000 versions 8.00.2039 through 8.00.2050, update to a version that includes the fix for this issue.
For Microsoft SQL Server 2005 version 9.00.1399.06, update to a version that includes the fix for this issue.
For Microsoft SQL Server 2000 Desktop Engine (MSDE 2000) version SP4, update to a version that includes the fix for this issue.
For Microsoft SQL Server 2000 Desktop Engine (WMSDE) on Windows Server 2003 versions SP1 through SP2, update to a version that includes the fix for this issue.
For Windows Internal Database (WYukon) version SP2, update to a version that includes the fix for this issue.
As a temporary workaround, consider restricting access to the sp_replwritetovarbin extended stored procedure until a patch is available.
Exploit
Fix
DoS
RCE
Buffer Overflow
Weakness Enumeration
Related Identifiers
Affected Products
Sql Server 2000
Sql Server Desktop Engine (Msde) 2000
Sql Server 2005
Sql Server
Windows Internal Database
Windows Server 2003