Database Security Digest – December 2016
By tradition, we introduce you to the most massive incidents in the sphere of information security took place in December.

Some new information occurred about the infamous hack of Yahoo!Mail service, related to the second world's most popular search engine. Now we are talking about 1 billion user accounts being stolen. Hacker (allegedly the nation state operative linked to the 2014 breach) has gained access to proprietary Yahoo code in order to forge cookies.

The hack against an unnamed bank of Russia has been reported. There is not much open information about the incident so far, we only know that intruders stole about $1.4 million by hacking the core banking system.

Video sharing website Dailymotion has suffered a data breach. 82,5 million user accounts are compromised, including user IDs, emails, and hashed passwords. The passwords are protected with the Bcrypt algorithm, which determined attackers can overpass.

PayAsUGym fitness firm has been hacked and compromised personal details of 300,000 customers. The firm claims that passwords were encrypted, but the firm used discredited MD5 algorithm with unsalted hashes. Another example of irresponsible attitude toward security matters.

The famous hacker/pentester Kaputskiy has breached website of the National Assembly of Ecuador and leaked some of the data. Earlier this month Kaputskiy with his friend Kasimierz L has hacked the official website of the Argentinian Ministry of Industry. Both attacks have been performed exploiting SQL injection vulnerability.

A major cyber-attack has been performed against German steel giant ThyssenKrupp targeted to steal technological know-how and research. The early detection of the attack has helped to prevent more serious consequences. The investigation is pending.

Database Security

Below are the vulnerabilities have been found in December.

Oracle

CVE-2016-9013

In versions of Django before 1.8.16, 1.9.11, and 1.10.3 a hardcoded password is used for a temporary database user created when running Oracle database tests. Exploiting makes easier for a remote attacker to get access to the database server by specifying a password in the database settings TEST dictionary.

CVSS Severity: 9.8 Critical

MySQL

CVE-2016-6664

It has been mentioned in October digest, and now we have more information about it.

When using file-based logging, allows local users that have access to the mysql account to get root privileges with help of symlink attack on error logs.

CVSS Severity: 7.0 High

CVE-2016-6663

It also has been mentioned in the previous digests.

It allows local users with low permissions to gain privileges by leveraging use of the my_copystat function by the REPAIR TABLE command targeted to MyISAM table.

CVSS Severity: 7.0 High

CVE-2016-9864

Gives the opportunity for an attacker with crafted username or a table name to inject SQL statements in the tracking functionality that would run with the control user privileges. The exploitation gives read and write access to the tables of the configuration storage database, if the control user has the required privileges, an attacker can read some tables of the MySQL database.

CVSS Severity: 7.5 High

CVE-2016-6607

XSS issued in phpMyAdmin. Crafted column content of Zoom search can be used to trigger an XSS attack. Certain fields in GIS editor are not properly escaped, so they can also be used for an XSS attack.

CVSS Severity: 6.1 Medium

MariaDB

CVE-2016-7740

It makes easier for local users to discover AES keys by exploiting cache-bank timing differences.

CVSS Severity: 5.5 Medium

Greenplum Database

CVE-2016-6656

Affected versions: Pivotal Greenplum before 4.3.10.0

Arbitrary commands can be injected into the system exploiting the vulnerability in the process of creation of external tables using GPHDFS. Exploitation requires superuser ‘gpadmin’ access to the system or GPHDFS protocol permissions.

CVSS Severity: 7.2 High

MySQL 5.6.35

The new release contains fixes of known bugs, performance and security enhancements.

Security changes include:

  • The chown command now can only be used when the target directory is /var/log. If the directory for the Unix socket is missing, an error occurs. Unsafe usage of rm or chown commands in mysql_safe section of a cng option file could lead to the privilege escalation.
  • Now, the --ledir option is not accepted in option files, only on the command line.
  • Initialization scripts in the new version create the error log file provided the base directory is /var/lib or /var/log.
  • Unused system files for SLES are removed.
  • Enterprise Encryption for MySQL Enterprise Edition now enables server administrators to impose limits on maximum key length by setting environment variables. These can be used to prevent clients from using excessive CPU resources by passing very long key lengths to key-generation operations.
  • The Connection-control Plugin. After a certain number of consecutive failed attempts to access MySQL user accounts, the delay in server response is increased. The new plugin is designed to slow down brute force attacks.

Greenplum Database 4.3.11.0

Greenplum Database 4.3.11.0 includes the following enhancements:

  • Improved PQO Query Execution
  • Enhanced Query Cancellation
  • Improved Query Execution of Hash Aggregates
  • Improved Greenplum Database Memory Management
  • Improved Management of Deleted Rows in Persistent Tables
  • Enhanced PL/Java Environment for Development
  • gptransfer Transfers Data from Partitioned to Non-partition Tables

Teradata Database 16.00

Teradata Database 16.00 has a lot of new features and enhancements following strategic categories of Adaptive Execution, Big Data & UDA Enabling, Extreme Performance, High Availability, Industry Compatibility, Quality and Supportability, Simplicity and Ease of Use. Detailed release notes you can find here.

According to security matters the new release contains the following improvements:

Lightweight LDAP Authorization. It allows users to utilize existing directory service to authorize Teradata Database users, there is no need to modify their director to include Teradata-specific schema, structures, and entries. It works with LDAPv3 compliant directory servers (LDAP and KRB5). It has improved logon performance compared to legacy authorization mechanisms.

The tdgssauth Tool is used to test TDGSS security mechanism configurations on Teradata Database nodes and Unity Director servers. It tests policy failures offline, correct authentication, and authorization. Although tdgssauth cannot test the Proxy mechanisms, it is a robust tool to enforce security policy allowing live debugging without causing the database to stop executing.

User Selectable Install Directory (USD). It is used to establish secure connections between a client and a server with help of Teradata Generic Security Service (GSS) interface. Now the root folder or drive for the installation can be specified by the user.

Database Security Digest – November
Database Security Digest – October
Database Security Digest – September