Database Security Digest – July 2017

While the world waits for new exploits from The Shadow Brokers' CIA leak, cybercrooks are keeping busy. Attackers hack banks, adopt simple and fast SQL injection scanners, and start hunting for cryptocurrency, managing to steal a truckload of Ethereum right during an ICO. Meanwhile, tonnes of personal data are leaked and a bunch of security vulnerabilities are patched by Oracle and SAP. We present a quick digest of the latest database security events.

Hijacking and stealing

An unknown party hacked CoinDash, a crypto asset management platform. The criminals inserted a fraudulent Ethereum address and gained $7.7 million in cryptocurrency. The attack took place during the 15 minutes prior to the public ICO. CoinDash keeps its head up and is investigating the incident, stating that investors will be credited anyway.

New Threats

The Shadow Brokers, famous for leaking the vulnerabilities later used in WannaCry and NotPetya, must have dumped a new set of exploits for those who subscribed at $21,000 a month. Moreover, they have promised to publish more leaks, including data on nuclear missiles. Sounds fun.

There is also a new WikiLeaks publication about three hacking tools allegedly pertaining to the CIA (Achilles, Aeris and SeaPea). The tools are designed to trojanize macOS DMG installers, implant malware on POSIX systems, and keep infections on Mac OS X systems persistent across reboots.

Talented SQL Injection Scanner

Searching for SQL injection vulnerabilities becomes faster and easier with the help of a SQL injection scanner called Katyusha Scanner, managed via the Telegram messenger or a web interface. It is based on the open-source penetration testing tool Arachni Scanner. The scan speed is significant, and the tool can scan a list of websites instead of examining them one by one. Once a vulnerable site is detected, Katyusha can automatically exploit the flaw, deliver a web shell or dump the databases. According to its ads, the tool can also scan for and export email/password credentials and run login brute-force attacks. It supports error-based detection, blind SQL injection using timing attacks, and differential analysis techniques for a wide range of RDBMSs.

The tool has become quite popular; the Pro and Lite versions of the service now cost $500 and $250 respectively, or $200 for a monthly license.

Misconfigured AWS storage

Misconfigured Amazon Web Services storage servers are leaking data. Verizon has exposed phone numbers, names and some PIN codes of 6 million customers. Earlier this month, the pro wrestling company WWE disclosed that personal data from 3 million accounts had been exposed online. In both cases, the data was stored in AWS Simple Storage Service (S3) buckets. The leakage occurred due to misconfigured access privileges on the buckets. Privilege settings can be changed here.
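As an added illustration of the access-privilege issue described above (example code written for this digest, not code from Verizon, WWE or AWS), the following Python checks a bucket ACL and a bucket policy for grants to everyone; the weak and corrected forms are embedded as constructed samples, and the account id, role name and bucket name are placeholders.

```python
import json

# Constructed samples shaped like the S3 GetBucketAcl / GetBucketPolicy
# results (placeholder ids, not real accounts or buckets).
PUBLIC_GROUPS = {
    "http://acs.amazonaws.com/groups/global/AllUsers",
    "http://acs.amazonaws.com/groups/global/AuthenticatedUsers",
}
OWNER_GRANT = {"Grantee": {"Type": "CanonicalUser", "ID": "owner-id-placeholder"},
               "Permission": "FULL_CONTROL"}
# Weak ACL: a READ grant to the AllUsers group makes every object listable/readable.
WEAK_ACL = {"Grants": [OWNER_GRANT,
            {"Grantee": {"Type": "Group",
                         "URI": "http://acs.amazonaws.com/groups/global/AllUsers"},
             "Permission": "READ"}]}
FIXED_ACL = {"Grants": [OWNER_GRANT]}            # owner only
# Weak policy: wildcard principal; fixed policy: one named IAM role.
WEAK_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Principal": "*", "Action": "s3:GetObject",
     "Resource": "arn:aws:s3:::example-bucket/*"}]})
FIXED_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Principal": {"AWS": "arn:aws:iam::123456789012:role/app-reader"},
     "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-bucket/*"}]})


def acl_findings(acl):
    """Return (group, permission) pairs granted to the public groups."""
    out = []
    for g in acl.get("Grants", []):
        grantee = g.get("Grantee", {})
        if grantee.get("Type") == "Group" and grantee.get("URI") in PUBLIC_GROUPS:
            out.append((grantee["URI"].rsplit("/", 1)[-1], g["Permission"]))
    return out


def policy_findings(policy_json):
    """Return actions that an Allow statement grants to a wildcard principal.
    Conservative: a Condition block does not suppress the finding."""
    stmts = json.loads(policy_json).get("Statement", [])
    stmts = [stmts] if isinstance(stmts, dict) else stmts
    out = []
    for st in stmts:
        principal = st.get("Principal")
        if isinstance(principal, dict):          # {"AWS": "*"} or {"AWS": [...]}
            principal = principal.get("AWS")
        principals = principal if isinstance(principal, list) else [principal]
        if st.get("Effect") == "Allow" and "*" in principals:
            actions = st.get("Action", [])
            out.extend(actions if isinstance(actions, list) else [actions])
    return out


def is_public(acl, policy_json):
    """True when either the ACL or the policy exposes the bucket to everyone."""
    return bool(acl_findings(acl) or policy_findings(policy_json))
```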

Breaching a Bank

Italy’s largest bank, UniCredit, has been hacked, exposing personal data and International Bank Account Numbers (IBANs) of 400,000 loan applicants. The breach was only detected now, but the initial compromise happened ten months ago.

SAP Security Patch

SAP has released a patch fixing security flaws in almost a dozen products, including a denial of service vulnerability in SAP Host Agent, the component designed to monitor SAP instances, databases, and operating systems. The flaw affects HANA 1 and HANA 2 and allows an attacker to remotely restart the agent without authorization via a malicious SOAP request.

Another critical flaw has been found in SAP’s client/server point-of-sale (PoS) solution. It allows an attacker to access a service without authorization due to a series of missing authorization checks.

Kerberos Flaws

CVE-2017-8495
CVSS 3 Severity Score: 8.1
An elevation of privilege vulnerability on various Windows OS versions, caused by Kerberos falling back to the NTLM authentication protocol as the default authentication protocol. Exploitation does not require authentication and can be performed remotely.

CVE-2017-8495
CVSS 3 Severity Score: 7.5
A vulnerability in the Kerberos authentication protocol on various Windows OS versions that allows an attacker to bypass the Extended Protection for Authentication feature, because Kerberos fails to prevent tampering with the SNAME field during the ticket exchange.

Oracle Critical Patch Update

Oracle Critical Patch Update contains 308 security fixes including 5 for Oracle Database Server and 30 for Oracle MySQL.

Oracle Database Server Vulnerabilities

| CVE | Component | Package and/or Privilege Required | Protocol | Remote Exploit without Auth. | CVSS 3 Score | Attack Vector | Attack Complexity |
|---|---|---|---|---|---|---|---|
| CVE-2017-10202 | OJVM | Create Session, Create Procedure | Multiple | No | 9.9 | Network | Low |
| CVE-2014-3566 | DBMS_LDAP | None | LDAP | Yes | 6.8 | Network | High |
| CVE-2016-2183 | Real Application Clusters | None | SSL/TLS | Yes | 6.8 | Network | High |
| CVE-2017-10120 | RDBMS Security | Create Session, Select Any Dictionary | Oracle Net | No | 1.9 | Local | High |
| CVE-2016-3092 | Oracle REST Data Services | None | Multiple | Yes | 7.5 | Network | Low |

Oracle MySQL Vulnerabilities

| CVE | Component | Package and/or Privilege Required | Protocol | Remote Exploit without Auth. | CVSS 3 Score | Attack Vector | Attack Complexity |
|---|---|---|---|---|---|---|---|
| CVE-2016-4436 | MySQL Enterprise Monitor | Monitor: General (Apache Struts 2) | HTTP over TLS | Yes | 9.8 | Network | Low |
| CVE-2017-5651 | MySQL Enterprise Monitor | Monitoring: Server (Apache Tomcat) | HTTP over TLS | Yes | 9.8 | Network | Low |
| CVE-2017-5647 | MySQL Enterprise Monitor | Monitoring: Server (Apache Tomcat) | HTTP over TLS | Yes | 7.5 | Network | Low |
| CVE-2017-3633 | MySQL Server | Server: Memcached | Memcached | Yes | 6.5 | Network | High |
| CVE-2017-3634 | MySQL Server | Server: DML | MySQL Protocol | No | 6.5 | Network | Low |
| CVE-2017-3732 | MySQL Connectors | Connector/C (OpenSSL) | MySQL Protocol | Yes | 5.9 | Network | High |
| CVE-2017-3732 | MySQL Connectors | Connector/ODBC (OpenSSL) | MySQL Protocol | Yes | 5.9 | Network | High |
| CVE-2017-3732 | MySQL Server | Server: Security: Encryption (OpenSSL) | MySQL Protocol | Yes | 5.9 | Network | High |
| CVE-2017-3635 | MySQL Connectors | Connector/C | MySQL Protocol | No | 5.3 | Network | High |
| CVE-2017-3635 | MySQL Server | C API | MySQL Protocol | No | 5.3 | Network | High |
| CVE-2017-3636 | MySQL Server | Client programs | MySQL Protocol | No | 5.3 | Local | Low |
| CVE-2017-3529 | MySQL Server | Server: UDF | MySQL Protocol | No | 5.3 | Network | High |
| CVE-2017-3637 | MySQL Server | X Plugin | X Protocol | No | 5.3 | Network | High |
| CVE-2017-3639 | MySQL Server | Server: DML | MySQL Protocol | No | 4.9 | Network | Low |
| CVE-2017-3640 | MySQL Server | Server: DML | MySQL Protocol | No | 4.9 | Network | Low |
| CVE-2017-3641 | MySQL Server | Server: DML | MySQL Protocol | No | 4.9 | Network | Low |
| CVE-2017-3643 | MySQL Server | Server: DML | MySQL Protocol | No | 4.9 | Network | Low |
| CVE-2017-3644 | MySQL Server | Server: DML | MySQL Protocol | No | 4.9 | Network | Low |
| CVE-2017-3638 | MySQL Server | Server: Optimizer | MySQL Protocol | No | 4.9 | Network | Low |
| CVE-2017-3642 | MySQL Server | Server: Optimizer | MySQL Protocol | No | 4.9 | Network | Low |
| CVE-2017-3645 | MySQL Server | Server: Optimizer | MySQL Protocol | No | 4.9 | Network | Low |
| CVE-2017-3646 | MySQL Server | X Plugin | X Protocol | No | 4.9 | Network | Low |
| CVE-2014-1912 | MySQL Cluster | CLSTCONF (Python) | MySQL Protocol | Yes | 4.8 | Network | High |
| CVE-2017-3648 | MySQL Server | Server: Charsets | MySQL Protocol | No | 4.4 | Network | High |
| CVE-2017-3647 | MySQL Server | Server: Replication | MySQL Protocol | No | 4.4 | Network | High |
| CVE-2017-3649 | MySQL Server | Server: Replication | MySQL Protocol | No | 4.4 | Network | High |
| CVE-2017-3651 | MySQL Server | Client mysqldump | MySQL Protocol | No | 4.3 | Network | Low |
| CVE-2017-3652 | MySQL Server | Server: DDL | MySQL Protocol | No | 4.2 | Network | High |
| CVE-2017-3650 | MySQL Server | C API | MySQL Protocol | Yes | 3.7 | Network | High |
| CVE-2017-3653 | MySQL Server | Server: DDL | MySQL Protocol | No | 3.1 | Network | High |