Database Security Digest – February 2017

The time has come to introduce you to the latest news in the sphere of database security.

Ransom attacks switched to MySQL

Ransomware attacks on misconfigured MongoDB and CouchDB continued. Blackmailers have also started targeting MySQL databases. The attack scheme remains pretty simple: detect a database with default settings, brute-force the ‘root’ password, delete the database content and demand financial support for restoring the data.

This kind of attack can be easily avoided, if you apply the basic security measures:

  • Install the latest version of your RDBMS.
  • Do not leave the default password for root users. Assign strong combination for passwords, use random password generators.
  • Minimize internet facing services.
  • Implement activity monitoring tools to be aware of the current situation of your internet-accessible servers.

SQL injection vulnerability in WordPress

A severe remotely exploitable vulnerability has been found in NextGEN Gallery plugin of WordPress. It allows an unauthenticated user to inject an SQL code and retrieve sensitive data from victim’s website database, including hashes of WordPress user passwords. Affected websites are those that use NextGEN Basic TagCloud Gallery or if it is allowed for users to submit posts.

SQL injection is made possible due to invalid validation of query parameters. As a result, the info typed by a user will be added to the SQL query without the correct filtration. The vulnerability has been patched in NextGEN Gallery 2.1.79.

Leaking Cloudflare

Cloudflare provides Internet security and performance services to millions of websites. It turned out the CloudFlare service had a huge bug and it was leaking sensitive data from September 2016 through February 2017.

According to Cloudflare reports, the problem occurred in HTML parser presenting in the following three features: Automatic HTTP Rewrites, Email Obfuscation, Server-Side Excludes. The bug caused buffer overflow on the edge servers, thus they returned memory containing private information such as authentication tokens, HTTP cookies, HTTP POST bodies and some other critical data. All the three features causing memory leakage have been immediately disabled as soon as the company noticed the problem.

Among the victims are Uber, Fitbit, OK Cupid and other web-based services. The impact of the leakage is considered to be minimal. Cloudflare, collaborating with search engine providers, deleted the cached memory containing leaked data from search engines before announcing about the bug. The company also declared that no customer SSL keys have been leaked because an isolated NGINX instance is used to terminate SSL connections.

SHA-1 on the way out

Researchers from Google have performed the first practical collision attack for the cryptographic hash function SHA-1. The attack is based on colliding of two PDF files. They’ve managed to obtain the SHA-1 digital signature on the first PDF file and used it to extract the second PDF file by imitating the signature.

The computations take years and the cost of the attack is estimated up to $120,000, but it is believed to lower in the future. Researchers claim that their method is 100,000 time faster than a brute force attack.

Many organizations have already replaced SHA-1 with SHA-2 and SHA-3 as the algorithm is no longer considered secure against well-funded opponents. Google, Microsoft, Apple, Mozilla have announced that by 2017 their browsers will stop accepting SHA-1 SSL certificates.

Database vulnerabilities and RDBMS releases

CVE-2017-3302

Affected versions: Oracle MySQL before 5.6.21 and 5.7.x before 5.7.5 and MariaDB through 5.5.54, 10.0.x through 10.0.29, 10.1.x through 10.1.21, and 10.2.x through 10.2.3
CVSS Severity: 7.5
Allows an unauthenticated attacker without privileges to cause crash in libmysqlclient.so

Percona Server 5.7.17-11 release adds two new features and fixes known bugs. The list of important changings you can see below:

  • Support for per-column VARCHAR/BLOB compression for XtraDB storage engine. To improve compression ratio for short individual rows like JSON data, compression dictionary support added.
  • Re-implementation of Kill Idle Transactions feature solves server crashes and now it is can be used in any transactional storage engine (TokuDB, MyRocks). Connection socket read timeout is set instead of periodical scanning of the internal InnoDb transactions.
  • To avoid privilege escalation, mysq_safe limits the use of rm and chown. chown command can now be used only for /var/log directory.

There has also been a release of Percona Server for MongoDB 3.4.

The first release candidate (RC) has been released in the MariaDB 10.2 series. To see what’s new, refer to release notes.

PostgreSQL 9.6.2, 9.5.6, 9.4.11, 9.3.16 and 9.2.20 released. It patches over 75 bugs and fixes some known issues. Below are the most notable ones:

  • A race condition occurred when calling the CREATE INDEX CONCURRENTLY command on a column that hasn’t been indexed before, which could lead to data corruption. The issue has been resolved.
  • Improvements of the stability of visible data and write-ahead-logging.
Database Security Digest – January
Database Security Digest – December
Database Security Digest – November