Database Security Digest – April 2017
Here are the most interesting news in data security industry for the month of April 2017.
Kaspersky Lab released their report on cyber attacks for the year 2016, which reveals that last year there were 702 million attempts to launch an exploit. This number is 24.54% bigger than in 2015, when Kaspersky protection tools managed to block over 563 million attempts.
The use of exploits, i.e. malware that uses bugs in software, is constantly growing, because it is the easiest and the most effective way to place malicious code, like banking trojans or ransomware, without the user suspecting anything. The most often exploited applications in corporate world are browsers, Windows OS, Android AS and Microsoft Office, and majority of corporate users experienced an exploit for one of these at least once in 2016.
More than 297,000 users worldwide were attacked by zero-day and heavily obfuscated known exploits, which represents 7% growth compared to 2015.
Interestingly enough despite the number of corporate users attacked by exploits is growing, the number of affected private users decreased by 20% compared to 2015 —from 5.4 million in 2015 to 4.3 million in 2016.
The hacker team calling themselves “Shadow Brokers” has published the third archive with exploits obtained from USA National Security Agency. The collection contains exploits for current systems, including Windows 8 and Windows 2012 and introduces a previously unknown zero-day vulnerability, which currently remains uncorrected. In addition, there are exploits for Windows Vista, Windows 2008, Windows XP and Windows 2003. Microsoft discontinued support for those systems, which means that the vulnerability won’t be fixed.
Another significant exploit involves a banking system SWIFT. SWIFT is a widespread global protocol for secure financial messaging and transactions used by banks all over the globe. Basically, the files presented suggest a prepared attack specifically targeting SWIFT bureaus and services. There is documentation describing the architecture of IT-systems of banks and utilities to extract information from the Oracle database, such as customer lists and SWIFT-messages.
Threat Stack, an AWS technology partner, announced the findings of their analysis of more than 200 companies using AWS. The report reveals that nearly three-quarters of the companies analyzed have at least one critical security misconfiguration that could enable an attacker to gain access directly to private services or the Amazon Web Services console, or could be used to mask criminal activity from monitoring technologies.
One of the most blatant misconfigurations was AWS Security Groups configured to leave SSH wide open to the internet in 73% of the companies analyzed. This simple misconfiguration allows an attacker to attempt remote server access from anywhere, bypassing VPN and firewalls. Another issue is not following a well-recognized practice of requiring multi-factor authentication for AWS users, which easily exposes the system to brute force attacks. This was found in 62% of companies analyzed.
One more complex concern is infrequent software updates. According to the report, fewer than 13% of the companies analyzed were keeping software updates current. In addition, the majority of those unpatched systems are kept online indefinitely, some of them over three years.
Oracle Security Patch
299 vulnerabilities are fixed in the recent Critical Patch Update by Oracle, which involves 39 security fixes for Oracle MySQL and 3 for Oracle Database Server.Oracle Database Server
|CVE#||Component||Privilege Required||Protocol||Remote Exploit without Auth.?||CVSS v3 Score||Attack Vector|
|CVE-2017-3486||SQL*Plus||Local Logon||Oracle Net||No||7.2||Local|
|CVE-2017-3567||OJVM||Create Session, Create Procedure||Multiple||No||5.3||Network|
|CVE#||Component||Sub- component||Protocol||Remote Exploit without Auth.?||CVSS v3 Score||Attack Vector|
|CVE-2017-5638||MySQL Enterprise Monitor||Monitoring: General (Struts 2)||MySQL Protocol||Yes||10.0||Network|
|CVE-2016-6303||MySQL Workbench||Workbench: Security: Encryption (OpenSSL)||MySQL Protocol||Yes||9.8||Network|
|CVE-2017-3523||MySQL Connectors||Connector/J||MySQL Protocol||No||8.5||Network|
|CVE-2017-3306||MySQL Enterprise Monitor||Monitoring: Server||MySQL Protocol||No||8.3||Network|
|CVE-2016-2176||MySQL Enterprise Backup||Backup: ENTRBACK (OpenSSL)||MySQL Protocol||Yes||8.2||Network|
|CVE-2016-2176||MySQL Workbench||Workbench: Security: Encryption (OpenSSL)||MySQL Protocol||Yes||8.2||Network|
|CVE-2017-3308||MySQL Server||Server: DML||MySQL Protocol||No||7.7||Network|
|CVE-2017-3309||MySQL Server||Server: Optimizer||MySQL Protocol||No||7.7||Network|
|CVE-2017-3450||MySQL Server||Server: Memcached||MySQL Protocol||Yes||7.5||Network|
|CVE-2017-3599||MySQL Server||Server: Pluggable Auth||MySQL Protocol||Yes||7.5||Network|
|CVE-2017-3329||MySQL Server||Server: Thread Pooling||MySQL Protocol||Yes||7.5||Network|
|CVE-2017-3600||MySQL Server||Client mysqldump||MySQL Protocol||No||6.6||Network|
|CVE-2016-3092||MySQL Enterprise Monitor||Monitoring: General (Apache Commons FileUpload)||MySQL Protocol||No||6.5||Network|
|CVE-2017-3331||MySQL Server||Server: DML||MySQL Protocol||No||6.5||Network|
|CVE-2017-3453||MySQL Server||Server: Optimizer||MySQL Protocol||No||6.5||Network|
|CVE-2017-3452||MySQL Server||Server: Optimizer||MySQL Protocol||No||6.5||Network|
|CVE-2017-3586||MySQL Connectors||Connector/J||MySQL Protocol||No||6.4||Network|
|CVE-2017-3732||MySQL Enterprise Backup||Backup: ENTRBACK (OpenSSL)||MySQL Protocol||Yes||5.9||Network|
|CVE-2017-3731||MySQL Enterprise Monitor||Monitoring: General (OpenSSL)||MySQL Protocol||Yes||5.9||Network|
|CVE-2017-3454||MySQL Server||Server: InnoDB||MySQL Protocol||No||5.5||Network|
|CVE-2017-3304||MySQL Cluster||Cluster: DD||MySQL Protocol||No||5.4||Network|
|CVE-2017-3455||MySQL Server||Server: Security: Privileges||MySQL Protocol||No||5.4||Network|
|CVE-2017-3305||MySQL Server||Server: C API||MySQL Protocol||No||5.3||Network|
|CVE-2017-3302||MySQL Server||Server: C API||MySQL Protocol||No||5.1||Local|
|CVE-2017-3460||MySQL Server||Server: Audit Plug-in||MySQL Protocol||No||4.9||Network|
|CVE-2017-3456||MySQL Server||Server: DML||MySQL Protocol||No||4.9||Network|
|CVE-2017-3458||MySQL Server||Server: DML||MySQL Protocol||No||4.9||Network|
|CVE-2017-3457||MySQL Server||Server: DML||MySQL Protocol||No||4.9||Network|
|CVE-2017-3459||MySQL Server||Server: Optimizer||MySQL Protocol||No||4.9||Network|
|CVE-2017-3463||MySQL Server||Server: Security: Privileges||MySQL Protocol||No||4.9||Network|
|CVE-2017-3462||MySQL Server||Server: Security: Privileges||MySQL Protocol||No||4.9||Network|
|CVE-2017-3461||MySQL Server||Server: Security: Privileges||MySQL Protocol||No||4.9||Network|
|CVE-2017-3464||MySQL Server||Server: DDL||MySQL Protocol||No||4.3||Network|
|CVE-2017-3465||MySQL Server||Server: Security: Privileges||MySQL Protocol||No||4.3||Network|
|CVE-2017-3467||MySQL Server||Server: C API||MySQL Protocol||Yes||3.7||Network|
|CVE-2017-3469||MySQL Workbench||Workbench: Security : Encryption||MySQL Protocol||Yes||3.7||Network|
|CVE-2017-3589||MySQL Connectors||Connector/J||MySQL Protocol||No||3.3||Local|
|CVE-2017-3307||MySQL Enterprise Monitor||Monitoring: Server||MySQL Protocol||No||3.1||Network|
|CVE-2017-3468||MySQL Server||Server: Security: Encryption||MySQL Protocol||No||3.1||Network|
Critical Vulnerability in SAP HANA
SAP patches a critical code-injection vulnerability (CVE-2017-7691) affecting the TREX search engine integrated into HAN and a dozen of other SAP products. The vulnerability is remotely exploitable, CVSS rated it 9.8.
Another vulnerability has been found in SAP HANA DB. CVE-2016-6143 allows attackers to remotely execute arbitrary code via vectors involving the audit logs.
The release of Oracle MySQL contains bug fixes mainly for InnoDB and mysql_safe and the following security improvements:
- The linked OpenSSL library has been updated to fix number of vulnerabilities.
- The mysql_options() C API function now supports the MYSQL_OPT_SSL_MODE option. The option SSL_MODE_REQUIRED is used for secure connection to the server.