Database Security Digest – August 2017

DataSunrise Blog

Database Security Incidents

Second-hand hardware and software retailer CeX has suffered a security breach compromising personal data of up to 2 million customers, including names, physical and email addresses, phone numbers, and possibly the encrypted data from expired credit cards up to 2009, the time CeX stopped storing financial data.

A set of voters’ personal data has been exposed by an election managements systems and voting machine vendor Election Systems & Software. By default, Amazon buckets require authentication, but somehow they’ve managed to misconfigure an Amazon bucket containing a backup database with 1.8 million records (names, addresses, date of birth, driver’s license, Social Security numbers, and state identification numbers).

Another example of the lack of cybersecurity organization is a literary agency Bell Lomax Moreton exposing thousands of sensitive files including clients data, royalty payments and even unpublished books. The data was left exposed online on the misconfigured backup drive that required no username and password for viewing sensitive data of the company.

A company called Power Quality Engineering publicly exposed sensitive data, including potential weak points of customer electrical systems also the configurations and locations of some top secret intelligence transmission zones. The leak occurred because the open port used by a remote synchronization utility rsync.

A massive malware campaign resulted in breaching of over 711 million email records including passwords. The dump has been found on a publicly accessible and unsecured server hosted in Netherlands. The stolen records seem to be obtained from older data breaches.

An unknown hacker claims that he has stolen 11 million records from the database containing personal data of National Health Service customers by exploiting unpatched software bugs. However cyber security authorities of NHS reported that only 35,501 lines of administrative data have been accessed. The investigation is ongoing.

The cryptocurrency investment and trading platform Enigma has been hacked right before a crypto token sale during ICO pre-sale. Hackers created a fake ETH address and spammed Enigma’s Slack channel and e-mail newsletter for pre-sale coins. The users have been tricked to send about $500,000 to the fake ETH address. THe incident is quite similar to the CoinDash attack occurred in the previous month.

WikiLeaks has published another set of CIA documents with details on the agency’s program ”ExpressLane” which is developed supposedly to collect biometric data from FBI, NSA, Department of Homeland Security and some other US agencies.

Fancy Bear, an allegedly Kremlin-linked hacker group, has exposed the names of the British football players who failed drug tests in 2015 and who were cleared to use banned medicine during 2010 World Cup.

Database Security Vulnerabilities and RDBMS Updates

PostgreSQL

CVE-2017-7548
CVSS v3 Base Score: 7.5
Description: An authorization flaw in PostgreSQL versions before 9.4.13, 9.5.8 and 9.6.4 that allows an attacker with no privileges on large objects to rewrite the contents of the object causing denial of service. It can be exploited by network and it requires authentication.

CVE-2017-7547
CVSS v3 Base Score: 8.8
Affected Versions: PostgreSQL versions before 9.2.22, 9.3.18, 9.4.13, 9.5.8, 9.6.4.
Description: An authorization flaw that allows an attacker to retrieve passwords from the user mappings defined by foreign server owners. It is remotely exploitable with authentication.

CVE-2017-7546
CVSS Severity Score: 9.8
Affected Versions: PostgreSQL versions before 9.2.22, 9.3.18, 9.4.13, 9.5.8, 9.6.4.
Description: An incorrect authentication flaw that allows a remote attacker to gain access to database accounts without assigned passwords. The vulnerability is remotely exploitable without authentication.

MS SQL Server

CVE-2017-8516
CVSS Severity Score: 7.5
Affected Versions: Microsoft SQL Server 2012, Microsoft SQL Server 2014, Microsoft SQL Server 2016
Description: Microsoft SQL Server Analysis Services allows an information disclosure vulnerability when it improperly enforces permissions. Remotely exploitable without authentication.

Microsoft Azure, SAP HANA

CVE-2017-9655
CVSS Severity Score: 5.4
Affected Versions:Microsoft Azure before 2016 R2 SP1, SAP HANA before 2017, Business Analytics before 2016 R2.
Description: A Cross-Site Scripting issue in OSIsoft PI Integrator. Successfull exploitation allows an attacker to upload a malicious script that redirects users to a malicious website. The vulneraility is remotely exploitable, requires authentication.

RDBMS Updates

Greenplum Database 4.3.16.1 Release. A new version of Pivotal Greenplum Database supports s3 protocol for proxies, also now it contains open source data science Python modules and R libraries that can be installed optionally.
Query processing dispatcher of Greenplum database has been enhanced, now it selects a random segment instance as a single reader gang for data consolidation and distribution. It helps to distribute load and thus increase performance.

PostgreSQL 9.6.5 Release.

Percona-Server-5.7.19-17 release is based on MySQL 5.7.19 and includes all the bug fixes in it.