Database Security Digest – April 2017

Here is the most interesting news from the data security industry for the month of April 2017.

Kaspersky Lab released its report on cyber attacks for the year 2016, which reveals that last year there were 702 million attempts to launch an exploit. This number is 24.54% higher than in 2015, when Kaspersky protection tools blocked over 563 million attempts.

The use of exploits, i.e. malware that abuses bugs in software, is constantly growing, because it is the easiest and most effective way to plant malicious code, such as banking trojans or ransomware, without the user suspecting anything. The most frequently exploited applications in the corporate world are browsers, Windows OS, Android OS and Microsoft Office, and the majority of corporate users encountered an exploit for one of these at least once in 2016.

More than 297,000 users worldwide were attacked by zero-day and heavily obfuscated known exploits, a 7% increase compared to 2015.

Interestingly, although the number of corporate users attacked by exploits is growing, the number of affected private users decreased by 20% compared to 2015, from 5.4 million in 2015 to 4.3 million in 2016.

Shadow Brokers Published Exploits

The hacker group calling itself “Shadow Brokers” has published a third archive of exploits obtained from the US National Security Agency. The collection contains exploits for current systems, including Windows 8 and Windows Server 2012, and introduces a previously unknown zero-day vulnerability that currently remains unpatched. In addition, there are exploits for Windows Vista, Windows Server 2008, Windows XP and Windows Server 2003. Microsoft has discontinued support for those systems, which means the vulnerability won’t be fixed there.

Another significant set of exploits targets the SWIFT banking system. SWIFT is a widespread global protocol for secure financial messaging and transactions used by banks all over the globe. The published files suggest a prepared attack specifically targeting SWIFT service bureaus and services. They include documentation describing the architecture of the banks’ IT systems, along with utilities for extracting information such as customer lists and SWIFT messages from the Oracle database.

Widespread AWS Misconfiguration Opens Cloud Environments to Attack

Threat Stack, an AWS technology partner, announced the findings of their analysis of more than 200 companies using AWS. The report reveals that nearly three-quarters of the companies analyzed have at least one critical security misconfiguration that could enable an attacker to gain access directly to private services or the Amazon Web Services console, or could be used to mask criminal activity from monitoring technologies.

One of the most blatant misconfigurations was AWS Security Groups configured to leave SSH wide open to the internet, found in 73% of the companies analyzed. This simple misconfiguration allows an attacker to attempt remote server access from anywhere, bypassing VPNs and firewalls. Another issue is not following the well-recognized practice of requiring multi-factor authentication for AWS users, which leaves accounts exposed to brute-force attacks. This was found in 62% of the companies analyzed.

A more complex concern is infrequent software updates. According to the report, fewer than 13% of the companies analyzed were keeping software updates current. In addition, the majority of those unpatched systems are kept online indefinitely, some for over three years.
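The two most common findings above, SSH exposed to the whole internet and users without MFA, are easy to check for mechanically. The following script is an added example, not part of the digest and not Threat Stack’s tooling: it audits hand-constructed data shaped like the EC2 DescribeSecurityGroups and IAM ListUsers / ListMFADevices responses (group and user names are invented), so it runs offline; in practice you would feed it the real API output. Treating a user as a console user only when ListUsers reports PasswordLastUsed is a simplification assumed here; a production check would consult GetLoginProfile.

```python
"""Audit constructed AWS-style data for two misconfigurations:
security groups exposing SSH (TCP/22) to 0.0.0.0/0 or ::/0, and
IAM console users without an MFA device.

Added example; not Threat Stack's tooling. All data below is constructed
in the shape of the EC2 DescribeSecurityGroups and IAM ListUsers /
ListMFADevices responses so that the script runs offline.
"""
import ipaddress

SSH_PORT = 22

# Constructed sample groups: one leaves SSH open to the world (the weak
# setting), one restricts SSH to a bastion CIDR and exposes only HTTPS
# publicly (the corrected setting), one allows all traffic from any IPv6 host.
SECURITY_GROUPS = [
    {
        "GroupId": "sg-0000aaaa",
        "GroupName": "web-open-ssh",
        "IpPermissions": [
            {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
             "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []},
        ],
    },
    {
        "GroupId": "sg-0000bbbb",
        "GroupName": "web-bastion-only",
        "IpPermissions": [
            {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
             "IpRanges": [{"CidrIp": "10.0.1.0/24"}], "Ipv6Ranges": []},
            {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
             "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []},
        ],
    },
    {
        "GroupId": "sg-0000cccc",
        "GroupName": "all-traffic-v6",
        "IpPermissions": [
            # "-1" means every protocol and port; ::/0 is the IPv6 "anywhere".
            {"IpProtocol": "-1", "IpRanges": [],
             "Ipv6Ranges": [{"CidrIpv6": "::/0"}]},
        ],
    },
]

# Constructed sample IAM data. Assumption: a user with PasswordLastUsed has a
# console password; MFA_DEVICES holds user names returned by ListMFADevices.
IAM_USERS = [
    {"UserName": "alice", "PasswordLastUsed": "2017-04-20T08:00:00Z"},
    {"UserName": "bob", "PasswordLastUsed": "2017-04-21T09:30:00Z"},
    {"UserName": "deploy-bot"},  # access keys only, no console password
]
MFA_DEVICES = {"alice"}


def is_world(cidr):
    """True when a CIDR covers the entire IPv4 or IPv6 address space."""
    return ipaddress.ip_network(cidr, strict=False).prefixlen == 0


def covers_port(perm, port):
    """True when a permission entry includes the given TCP port."""
    proto = perm.get("IpProtocol")
    if proto == "-1":  # all protocols, all ports
        return True
    if proto != "tcp":
        return False
    return perm.get("FromPort", 0) <= port <= perm.get("ToPort", 65535)


def open_ssh_groups(groups, port=SSH_PORT):
    """Return GroupIds whose inbound rules allow `port` from any address."""
    findings = []
    for sg in groups:
        for perm in sg.get("IpPermissions", []):
            if not covers_port(perm, port):
                continue
            ranges = [r["CidrIp"] for r in perm.get("IpRanges", [])]
            ranges += [r["CidrIpv6"] for r in perm.get("Ipv6Ranges", [])]
            if any(is_world(c) for c in ranges):
                findings.append(sg["GroupId"])
                break  # one offending rule is enough to flag the group
    return findings


def users_without_mfa(users, mfa_users):
    """Return console users (those with a password) lacking an MFA device."""
    return [u["UserName"] for u in users
            if "PasswordLastUsed" in u and u["UserName"] not in mfa_users]


if __name__ == "__main__":
    print("SSH open to the internet:", open_ssh_groups(SECURITY_GROUPS))
    print("Console users without MFA:", users_without_mfa(IAM_USERS, MFA_DEVICES))
```

The port check deliberately treats protocol "-1" (all traffic) as covering SSH, since that is how such rules are most often introduced; the HTTPS rule in the corrected group is not flagged because it does not include port 22.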

Oracle Security Patch

Oracle’s latest Critical Patch Update fixes 299 vulnerabilities, including 39 security fixes for Oracle MySQL and 3 for Oracle Database Server.

Oracle Database Server

| CVE# | Component | Privilege Required | Protocol | Remote Exploit without Auth.? | CVSS v3 Score | Attack Vector |
|---|---|---|---|---|---|---|
| CVE-2017-3486 | SQL*Plus | Local Logon | Oracle Net | No | 7.2 | Local |
| CVE-2017-3567 | OJVM | Create Session, Create Procedure | Multiple | No | 5.3 | Network |
| CVE-2016-6290 | PHP | None | Multiple | Yes | 9.8 | Network |


Oracle MySQL

| CVE# | Component | Sub-component | Protocol | Remote Exploit without Auth.? | CVSS v3 Score | Attack Vector |
|---|---|---|---|---|---|---|
| CVE-2017-5638 | MySQL Enterprise Monitor | Monitoring: General (Struts 2) | MySQL Protocol | Yes | 10.0 | Network |
| CVE-2016-6303 | MySQL Workbench | Workbench: Security: Encryption (OpenSSL) | MySQL Protocol | Yes | 9.8 | Network |
| CVE-2017-3523 | MySQL Connectors | Connector/J | MySQL Protocol | No | 8.5 | Network |
| CVE-2017-3306 | MySQL Enterprise Monitor | Monitoring: Server | MySQL Protocol | No | 8.3 | Network |
| CVE-2016-2176 | MySQL Enterprise Backup | Backup: ENTRBACK (OpenSSL) | MySQL Protocol | Yes | 8.2 | Network |
| CVE-2016-2176 | MySQL Workbench | Workbench: Security: Encryption (OpenSSL) | MySQL Protocol | Yes | 8.2 | Network |
| CVE-2017-3308 | MySQL Server | Server: DML | MySQL Protocol | No | 7.7 | Network |
| CVE-2017-3309 | MySQL Server | Server: Optimizer | MySQL Protocol | No | 7.7 | Network |
| CVE-2017-3450 | MySQL Server | Server: Memcached | MySQL Protocol | Yes | 7.5 | Network |
| CVE-2017-3599 | MySQL Server | Server: Pluggable Auth | MySQL Protocol | Yes | 7.5 | Network |
| CVE-2017-3329 | MySQL Server | Server: Thread Pooling | MySQL Protocol | Yes | 7.5 | Network |
| CVE-2017-3600 | MySQL Server | Client mysqldump | MySQL Protocol | No | 6.6 | Network |
| CVE-2016-3092 | MySQL Enterprise Monitor | Monitoring: General (Apache Commons FileUpload) | MySQL Protocol | No | 6.5 | Network |
| CVE-2017-3331 | MySQL Server | Server: DML | MySQL Protocol | No | 6.5 | Network |
| CVE-2017-3453 | MySQL Server | Server: Optimizer | MySQL Protocol | No | 6.5 | Network |
| CVE-2017-3452 | MySQL Server | Server: Optimizer | MySQL Protocol | No | 6.5 | Network |
| CVE-2017-3586 | MySQL Connectors | Connector/J | MySQL Protocol | No | 6.4 | Network |
| CVE-2017-3732 | MySQL Enterprise Backup | Backup: ENTRBACK (OpenSSL) | MySQL Protocol | Yes | 5.9 | Network |
| CVE-2017-3731 | MySQL Enterprise Monitor | Monitoring: General (OpenSSL) | MySQL Protocol | Yes | 5.9 | Network |
| CVE-2017-3454 | MySQL Server | Server: InnoDB | MySQL Protocol | No | 5.5 | Network |
| CVE-2017-3304 | MySQL Cluster | Cluster: DD | MySQL Protocol | No | 5.4 | Network |
| CVE-2017-3455 | MySQL Server | Server: Security: Privileges | MySQL Protocol | No | 5.4 | Network |
| CVE-2017-3305 | MySQL Server | Server: C API | MySQL Protocol | No | 5.3 | Network |
| CVE-2017-3302 | MySQL Server | Server: C API | MySQL Protocol | No | 5.1 | Local |
| CVE-2017-3460 | MySQL Server | Server: Audit Plug-in | MySQL Protocol | No | 4.9 | Network |
| CVE-2017-3456 | MySQL Server | Server: DML | MySQL Protocol | No | 4.9 | Network |
| CVE-2017-3458 | MySQL Server | Server: DML | MySQL Protocol | No | 4.9 | Network |
| CVE-2017-3457 | MySQL Server | Server: DML | MySQL Protocol | No | 4.9 | Network |
| CVE-2017-3459 | MySQL Server | Server: Optimizer | MySQL Protocol | No | 4.9 | Network |
| CVE-2017-3463 | MySQL Server | Server: Security: Privileges | MySQL Protocol | No | 4.9 | Network |
| CVE-2017-3462 | MySQL Server | Server: Security: Privileges | MySQL Protocol | No | 4.9 | Network |
| CVE-2017-3461 | MySQL Server | Server: Security: Privileges | MySQL Protocol | No | 4.9 | Network |
| CVE-2017-3464 | MySQL Server | Server: DDL | MySQL Protocol | No | 4.3 | Network |
| CVE-2017-3465 | MySQL Server | Server: Security: Privileges | MySQL Protocol | No | 4.3 | Network |
| CVE-2017-3467 | MySQL Server | Server: C API | MySQL Protocol | Yes | 3.7 | Network |
| CVE-2017-3469 | MySQL Workbench | Workbench: Security: Encryption | MySQL Protocol | Yes | 3.7 | Network |
| CVE-2017-3589 | MySQL Connectors | Connector/J | MySQL Protocol | No | 3.3 | Local |
| CVE-2017-3590 | MySQL Connectors | Connector/Python | None | No | 3.3 | Local |
| CVE-2017-3307 | MySQL Enterprise Monitor | Monitoring: Server | MySQL Protocol | No | 3.1 | Network |
| CVE-2017-3468 | MySQL Server | Server: Security: Encryption | MySQL Protocol | No | 3.1 | Network |

Critical Vulnerability in SAP HANA

SAP patched a critical code-injection vulnerability (CVE-2017-7691) affecting the TREX search engine integrated into HANA and a dozen other SAP products. The vulnerability is remotely exploitable and has a CVSS score of 9.8.

Another vulnerability has been found in the SAP HANA database. CVE-2016-6143 allows attackers to remotely execute arbitrary code via vectors involving the audit logs.

MySQL 5.6.36 Release

This Oracle MySQL release contains bug fixes, mainly for InnoDB and mysqld_safe, and the following security improvements:

  • The linked OpenSSL library has been updated to fix a number of vulnerabilities.
  • The mysql_options() C API function now supports the MYSQL_OPT_SSL_MODE option. Setting it to SSL_MODE_REQUIRED requires a secure (encrypted) connection to the server.