Database Security Digest – July 2017
While the world awaits for the new exploits of CIA leak from The Shadow Brokers, cybercrooks are keeping busy. Attackers hack banks, adopt simple and fast SQL injection scanners, and start hunting for cryptocurrency managing to steal a truckload of Etherium right during the ICO. Meanwhile, tonnes of personal data is leaked and a bunch of security vulnerabilities is patched by Oracle and SAP. We present you a quick digest of the latest database security events.
Hijacking and stealing
Unknown party hacked CoinDash, a crypto assets managing platform. Criminals inserted the fraudulent Etherium address and gained $7.7 million in cryptocurrency. The attack occurred during 15 minutes of prior to the public ICO procedures. CoinDash keeps its head up and investigates the incident stating that investors will be credited anyway.
The Shadow Brokers, famous for leaking vulnerabilities that were further used in WannaCry and NotPetya, must have dumped a new set of exploits for those who’ve subscribed for $21,0000 a month. Moreover, they’ve promised to publish more leaks including data on nuclear missiles. Sounds fun.
There is also a new WikiLeaks publication about three allegedly pertaining to CIA hacking tools (Achilles, Aeris and SeaPea). The tools are targeted to trojanize macOS DMG installers, implant malware for POSIX systems, and persist infections on Mac OS X systems between system reboots.
Talented SQL Injection Scanner
Searching for SQL injection vulnerabilities becomes faster and easier with the help of a SQL injection scanner called Katyusha Scanner managed via Telegram messenger or web interface. It is based on an open-source penetration testing tool Arachni Scanner. The speed of the scan is significant. The tool also enables scanning a list of websites instead of examining them one by one. Once the vulnerable site is detected, Katyusha can automatically exploit the flaw, deliver a web shell or dump the databases. According to ads, the tool can also be used to scan and export email/password credentials and login brute-force attacks. Supports error-based detection, blind SQL injection using timing attacks and differential analysis techniques for a wide range of RDBMSs.
The tool has become quite popular, now the Pro and Lite versions of the service cost $500 and $250, or $200 for monthly license.
Miscofigured AWS storage
Misconfigured Amazon Web Services storage servers are leaking data. Verizon has exposed phone numbers, names and some PIN codes of 6 million customers. Earlier this month, a pro wrestling company WWE notified that personal data of 3 million accounts have been exposed online. In both cases, the data was stored on AWS Simple Storage Service (S3) buckets. Leakage occurred due to misconfiguration of access privilege on buckets. Privilege settings can be changed here.
Breaching a Bank
Italy’s largest bank UniCredit has been hacked and exposed personal data and International Bank Account Numbers (IBAN) of 400,000 loan applicants. The breach was detected only now but the initial compromise was ten months ago.
SAP Security Patch
SAP has released a patch fixing security flaws in almost a dozen of products, including a denial of service vulnerability in SAP Host Agent designed to monitor SAP instances, databases, and operating systems. The flaw affects HANA 1, HANA 2 and allows an attacker to remotely restart the agent without authorization via malicious SOAP request.
Another critical flaw has been found in SAP’s client/server point-of-sale (PoS) solution. It allows an attacker to access a service without authorization due to a series missing authorization checks.
CVSS 3 Severity Score: 8.1
An elevation of privilege vulnerability on various Windows OS versions occurring due to Kerberos falling back to NTLM Authentication Protocol as the default authentication protocol. Exploiting doesn’t require authentication and can be performed remotely.
CVSS 3 Severity Score: 7.5
A vulnerability in Kerberos authentication protocol on various Windows OS versions that allows an attacker to bypass Extended Protection for Authentication feature when Kerberos fails to prevent tampering with the SNAME field during ticket exchange.
Oracle Critical Patch Update
Oracle Critical Patch Update contains 308 security fixes including 5 for Oracle Database Server and 30 for Oracle MySQL.
Oracle Database Server Vulnerabilities
|CVE||Component||Package and/or Privilege Required||Protocol||Remote Exploit without Auth.||CVSS 3 Score||Attack Vector||Attack Complexity|
|CVE-2017-10202||OJVM||Create Session, Create Procedure||Multiple||No||9.9||Network||Low|
|CVE-2016-2183||Real Application Clusters||None||SSL/TLS||Yes||6.8||Network||High|
|CVE-2017-10120||RDBMS Security||Create Session, Select Any Dictionary||Oracle Net||No||1.9||Local||High|
|CVE-2016-3092||Oracle REST Data Services||None||Multiple||Yes||7.5||Network||Low|
Oracle MySQL Vulnerabilities
|CVE||Component||Package and/or Privilege Required||Protocol||Remote Exploit without Auth.?||CVSS 3 Score||Attack Vector||Attack Complexity|
|CVE-2016-4436||MySQL Enterprise Monitor||Monitor: General (Apache Struts 2)||HTTP over TLS||Yes||9.8||Network||Low|
|CVE-2017-5651||MySQL Enterprise Monitor||Monitoring: Server (Apache Tomcat)||HTTP over TLS||Yes||9.8||Network||Low|
|CVE-2017-5647||MySQL Enterprise Monitor||Monitoring: Server (Apache Tomcat)||HTTP over TLS||Yes||7.5||Network||Low|
|CVE-2017-3633||MySQL Server||Server: Memcached||Memcached||Yes||6.5||Network||High|
|CVE-2017-3634||MySQL Server||Server: DML||MySQL Protocol||No||6.5||Network||Low|
|CVE-2017-3732||MySQL Connectors||Connector/C (OpenSSL)||MySQL Protocol||Yes||5.9||Network||High|
|CVE-2017-3732||MySQL Connectors||Connector/ODBC (OpenSSL)||MySQL Protocol||Yes||5.9||Network||High|
|CVE-2017-3732||MySQL Server||Server: Security: Encryption (OpenSSL)||MySQL Protocol||Yes||5.9||Network||High|
|CVE-2017-3635||MySQL Connectors||Connector/C||MySQL Protocol||No||5.3||Network||High|
|CVE-2017-3635||MySQL Server||C API||MySQL Protocol||No||5.3||Network||High|
|CVE-2017-3636||MySQL Server||Client programs||MySQL Protocol||No||5.3||Local||Low|
|CVE-2017-3529||MySQL Server||Server: UDF||MySQL Protocol||No||5.3||Network||High|
|CVE-2017-3637||MySQL Server||X Plugin||X Protocol||No||5.3||Network||High|
|CVE-2017-3639||MySQL Server||Server: DML||MySQL Protocol||No||4.9||Network||Low|
|CVE-2017-3640||MySQL Server||Server: DML||MySQL Protocol||No||4.9||Network||Low|
|CVE-2017-3641||MySQL Server||Server: DML||MySQL Protocol||No||4.9||Network||Low|
|CVE-2017-3643||MySQL Server||Server: DML||MySQL Protocol||No||4.9||Network||Low|
|CVE-2017-3644||MySQL Server||Server: DML||MySQL Protocol||No||4.9||Network||Low|
|CVE-2017-3638||MySQL Server||Server: Optimizer||MySQL Protocol||No||4.9||Network||Low|
|CVE-2017-3642||MySQL Server||Server: Optimizer||MySQL Protocol||No||4.9||Network||Low|
|CVE-2017-3645||MySQL Server||Server: Optimizer||MySQL Protocol||No||4.9||Network||Low|
|CVE-2017-3646||MySQL Server||X Plugin||X Protocol||No||4.9||Network||Low|
|CVE-2014-1912||MySQL Cluster||CLSTCONF (Python)||MySQL Protocol||Yes||4.8||Network||High|
|CVE-2017-3648||MySQL Server||Server: Charsets||MySQL Protocol||No||4.4||Network||High|
|CVE-2017-3647||MySQL Server||Server: Replication||MySQL Protocol||No||4.4||Network||High|
|CVE-2017-3649||MySQL Server||Server: Replication||MySQL Protocol||No||4.4||Network||High|
|CVE-2017-3651||MySQL Server||Client mysqldump||MySQL Protocol||No||4.3||Network||Low|
|CVE-2017-3652||MySQL Server||Server: DDL||MySQL Protocol||No||4.2||Network||High|
|CVE-2017-3650||MySQL Server||C API||MySQL Protocol||Yes||3.7||Network||High|
|CVE-2017-3653||MySQL Server||Server: DDL||MySQL Protocol||No||3.1||Network||High|