Hi. As is becoming more common, one of our customers recently had a security audit.
Shortly after the audit, we received the text below in an email...

Vulnerability: Sybase Adaptive Server Anywhere (ASA) Ping. The remote Sybase SQL Anywhere / Adaptive Server Anywhere database is configured to listen for client connection broadcasts, which allows an attacker to see the name and port that the Sybase SQL Anywhere / Adaptive Server Anywhere server is running on. Service: - CVSSv2: AV:N/AC:L/Au:N/C:P/I:N/A:N (Base Score: 5.00)

Remediation Action: Switch off broadcast listening via the ‘-sb’ switch when starting Sybase.

What is the downside (if any) of using the -sb switch?

Should I recommend another switch, or include the -sb in a group of other switches?

Thanks,
Doug

asked 25 Feb '12, 10:51

dejstone


IMHO, any security-related recommendation is only useful when the possible risk is specified.

So, what is the risk you (or your customers) try to minimize? Do you fear any DOS against these ports, or do you see a risk that malicious users could try to connect to the server once they have noticed its existence?

(25 Feb '12, 15:09) Volker Barth

Hi Colleagues,

Regarding the finding: using NETSTAT -a, the UDP port is still visible locally, independent of the -sb setting.

We have a customer who is concerned that this listener is still visible.

Is there any working solution to really hide/protect this?

(13 Sep '12, 14:41) donnybyrne

If "-sb 0" is specified, the server will still bind to the UDP port, but will not respond to UDP requests from clients. There is no other use for this UDP port - it cannot be used to access the database server.

If "-sb 0" isn't specified, the only information available through the UDP port is:

  1. server name
  2. port number
  3. server version
  4. names of databases running on that server

By using '-dh' option, database information can be hidden from broadcast requests, and '-sb 0' switch can turn off UDP responses completely. There is no other information that can be gained via this port.

(13 Sep '12, 16:29) Jeff Albion

What version are you using?

I can't give any security recommendations - just tell about the "downside" in terms of changes needed for client apps:

AFAIK, when using -sb 0 ("stealth mode"), clients connecting over TCP/IP must specify the TCP/IP address in the connection string (or SQL CONNECT information) in order to be able to connect to the server.

For v12 clients, you can use the HOST connection parameter. For older clients, you will have to use the HOST protocol option (and the DoBroadcast=NONE option, I guess).

In case the server is not using the default port (2638), you will also have to add the port number to the HOST connection parameter or add the PORT protocol option.


In contrast, using "-sb 1" won't affect client connection logic but will prevent the server from reacting to dblocate. However, I haven't checked whether it will stop reacting to port scans.


Just to add: Using NETSTAT -a, the UDP port is still visible locally - independent of the -sb setting - tested with 12.0.1.3554...


answered 25 Feb '12, 12:28

Volker Barth

edited 25 Feb '12, 15:11

FWIW: For general security questions, you might have a look at the following whitepaper:

Securing SQL Anywhere Server 10.

(However, it addresses the -sb 0 stealth mode just with a few lines.)

(25 Feb '12, 12:44) Volker Barth
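To make the "downside" concrete, here is an added Python helper. It is not code from this page, from Sybase/SAP, or from any of the posters; it simply encodes the rules stated in the thread: the server command line with -sb 0 and -dh, what a UDP discovery request can still learn per Jeff Albion's list, and the client connection string that works once the server no longer answers broadcasts (HOST for v12 clients, LINKS=tcpip(HOST=..;PORT=..;DoBroadcast=NONE) for older ones, port added only when it is not 2638). The switches and connection parameters (-n, -x tcpip(port=...), -sb, -dh, ServerName, HOST, LINKS, PORT, DoBroadcast) are real SQL Anywhere options; the executable name dbsrv12, server name demo12, database file demo.db, host name dbhost and the DBA/sql credentials are assumed placeholders, not values from the thread.

```python
"""Stealth-mode (-sb 0, -dh) server and client settings for SQL Anywhere.

Added example, not code from the page. Placeholders that are assumptions,
not from the thread: dbsrv12, demo12, demo.db, dbhost, DBA/sql.
"""
from __future__ import annotations

import shlex
from dataclasses import dataclass

DEFAULT_PORT = 2638  # SQL Anywhere's default TCP/IP port (also used for UDP discovery)


@dataclass
class ServerConfig:
    name: str                 # -n server name
    db_path: str              # database file started on the server
    port: int = DEFAULT_PORT  # -x tcpip(port=...)
    stealth: bool = True      # -sb 0: UDP port stays bound but discovery is never answered
    hide_db: bool = True      # -dh: leave this database out of broadcast replies

    def argv(self) -> list[str]:
        """Server command line as an argv list (shlex.join() it to print)."""
        if not 1 <= self.port <= 65535:
            raise ValueError(f"invalid port {self.port}")
        args = ["dbsrv12", "-n", self.name, "-x", f"tcpip(port={self.port})"]
        if self.stealth:
            args += ["-sb", "0"]
        if self.hide_db:
            args.append("-dh")  # database option: must come right before the database file
        args.append(self.db_path)
        return args


def broadcast_exposure(cfg: ServerConfig) -> set[str]:
    """What a UDP discovery request can learn, following Jeff Albion's list above."""
    if cfg.stealth:
        return set()  # netstat still shows the bound UDP port, but nothing is returned
    fields = {"server name", "port number", "server version"}
    if not cfg.hide_db:
        fields.add("database names")
    return fields


def connection_string(cfg: ServerConfig, host: str, client_major: int,
                      uid: str = "DBA", pwd: str = "sql") -> str:
    """Client connection string that does not depend on UDP discovery.

    v12 clients: HOST=host[:port]. Older clients: HOST (and PORT) as protocol
    options inside LINKS=tcpip(...), plus DoBroadcast=NONE so no broadcast is
    attempted. The port is only added when the server is not on 2638.
    """
    parts = [f"UID={uid}", f"PWD={pwd}", f"ServerName={cfg.name}"]
    if client_major >= 12:
        hostport = host if cfg.port == DEFAULT_PORT else f"{host}:{cfg.port}"
        parts.append(f"HOST={hostport}")
    else:
        opts = [f"HOST={host}"]
        if cfg.port != DEFAULT_PORT:
            opts.append(f"PORT={cfg.port}")
        opts.append("DoBroadcast=NONE")
        parts.append("LINKS=tcpip(" + ";".join(opts) + ")")
    return ";".join(parts)


if __name__ == "__main__":
    cfg = ServerConfig(name="demo12", db_path="demo.db")
    print("server :", shlex.join(cfg.argv()))
    print("via UDP:", broadcast_exposure(cfg) or "nothing")
    print("v12    :", connection_string(cfg, "dbhost", client_major=12))
    print("v11    :", connection_string(ServerConfig("demo12", "demo.db", port=2639), "dbhost", 11))
```

The helper deliberately models only -sb 0, the setting the thread actually describes; Volker's open question of whether -sb 1 also stops replies to port scans is left open here too, and a listener showing up in NETSTAT -a is exactly what Jeff's comment says to expect with -sb 0, so the check that matters is whether dblocate (or a client relying on broadcasts) still finds the server, not whether the port is bound.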
last updated: 13 Sep '12, 16:30