Database Security Digest – May 2017

DataSunrise Blog

Well, this month has been extremely busy for hackers and for those fighting against them. Here is a quick digest of database security news for May 2017.

Shadow Brokers, WannaCry, the NSA and Global Cybercatastrophes

Let’s start with the Shadow Brokers hacker team and their publication, mentioned in the previous digest, of exploits for Windows and other systems allegedly obtained from a National Security Agency data leak. It turned out to have tremendous consequences all over the globe, as some of the published exploits were used to create the infamous WannaCry, that evil cryptoworm which infected more than 400,000 machines.

WannaCry targets computers running Microsoft Windows (98% of victims used Windows 7). It uses the EternalBlue exploit leaked from the NSA to enter a computer by taking advantage of a vulnerability in the Server Message Block (SMB) protocol. Then it installs the DoublePulsar software, which downloads and runs the WannaCry script that encrypts all data on your machine. Eventually, after demanding a payment of about $300 in bitcoin, it makes you wanna cry, as there is no guarantee that the data will be decrypted after you pay the bill.

Based on an analysis of the ransom notes, linguistics experts have concluded that the criminals are fluent in Chinese. Bitcoin keeps its users anonymous, but its transactions are traceable: every transaction is written to a public ledger called the blockchain. Three wallets are used to receive ransom payments; as of 25 May, $126,742 has been transferred. However, the criminals will have a hard time trying to use the money, as information security professionals are watching these three wallets 24/7.

And back to Shadow Brokers who made that horrible mess happen. They have announced a monthly subscription service for new exploits obtained from the NSA. The subscription will cost approximately $23,000. The first dump is expected in the first half of July and who knows what else is there. So, should we worry about upcoming cyber disasters? Yes, we should.

Samba Threat

Here is another threat to the peaceful storage of your data. More than 100,000 computers are currently susceptible to a remote code execution vulnerability (CVE-2017-7494) in Samba, a popular networking standard used for interoperability between Unix, Linux and Microsoft Windows systems. The critical vulnerability has existed since March 2010. It allows a malicious user to upload a shared library to a writable share and cause the server to execute it. Like WannaCry, it could be used to launch a worm that spreads through networks, hitting Linux and Unix systems. It is very easy to exploit: a one-line script is enough.

Luckily, organizations can mitigate the risks. To be on the safe side, organizations should configure their firewalls to restrict SMB/Samba network traffic coming directly from the internet to their assets.

Other Data Breaches

Some anonymous fella published a giant database with more than 560 million emails and passwords collected from various sources, including LinkedIn, Last.fm, MySpace, Dropbox, Tumblr, Adobe, Neopets, and others. The data was leaked a while ago; the man only gathered 75 gigabytes of freely floating sensitive data into one place.

The dating site PureMatrimony.com has alerted its users to a possible data breach. 120,000 hashed passwords have been found online. The leaked passwords were hashed with the MD5 algorithm, which is a very unwise choice for protecting passwords. It was deemed weak and unsuitable for further use a decade ago. That means hackers can easily obtain the real user passwords. PureMatrimony has shifted responsibility for the leak to a third-party service provider.

DaFont, a font repository and download site, has been breached. 699K account records, including passwords hashed with MD5, have been leaked. 98% of the passwords are already cracked. The breach occurred due to an SQL injection vulnerability exploited by multiple parties.
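The PureMatrimony and DaFont leaks both involved MD5 password hashes. The sketch below is an added example, not code from either site: it puts the weak scheme next to a salted scrypt record and shows how a legacy MD5 record can be upgraded at the user's next successful login. The record format, function names and cost parameters are assumptions made for this example.

```python
import hashlib
import hmac
import os

# scrypt cost parameters: assumed values for this example, tune for your hardware.
N, R, P, DKLEN = 2**14, 8, 1, 32

def legacy_md5(password: str) -> str:
    """The weak scheme from the breaches above: one unsalted, fast MD5 pass."""
    return hashlib.md5(password.encode()).hexdigest()

def hash_password(password: str) -> str:
    """Salted, memory-hard record in the form scrypt$<salt hex>$<digest hex>."""
    salt = os.urandom(16)
    digest = hashlib.scrypt(password.encode(), salt=salt, n=N, r=R, p=P, dklen=DKLEN)
    return f"scrypt${salt.hex()}${digest.hex()}"

def verify(password: str, record: str) -> bool:
    """Check a password against either record format with a constant-time compare."""
    if record.startswith("scrypt$"):
        _, salt_hex, digest_hex = record.split("$")
        digest = hashlib.scrypt(password.encode(), salt=bytes.fromhex(salt_hex),
                                n=N, r=R, p=P, dklen=DKLEN)
        return hmac.compare_digest(digest.hex(), digest_hex)
    return hmac.compare_digest(legacy_md5(password), record)

def login_and_upgrade(password: str, record: str):
    """Return (ok, record_to_store); a legacy MD5 record is replaced on success."""
    if not verify(password, record):
        return False, record
    if not record.startswith("scrypt$"):
        record = hash_password(password)  # migrate while the plaintext is in hand
    return True, record

if __name__ == "__main__":
    pw = "correct horse battery staple"  # constructed sample, not from any leak
    # Unsalted MD5: every account with this password stores the same digest.
    print(legacy_md5(pw) == legacy_md5(pw))
    # Salted scrypt: a fresh salt makes each stored record different.
    print(hash_password(pw) == hash_password(pw))
    print(login_and_upgrade(pw, legacy_md5(pw)))
```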

The largest Indian online restaurant guide, Zomato, has confirmed that it has been breached. Nearly 17 million usernames and hashed passwords have been stolen. As the company claims, the passwords are hard to decrypt, and credit card and payment information are stored in a separate PCI DSS compliant database. The Zomato team is actively scanning all possible breach vectors and suspects an inside job.

On 31 May, Kmart announced that it had discovered a security breach of its store payment card systems that compromised customers' credit card numbers. Its payment data systems were infected with malicious code undetectable by current anti-virus systems. There have already been reports of unauthorized credit card activity.

Canadian telecommunications firm Bell has been hacked. Its customer subscriber database including almost 2 million email addresses, 1,700 telephone numbers and names has been compromised.

Fresh Database Security Vulnerabilities and RDBMS Updates

PostgreSQL

CVE-2015-6817
CVSS Severity Score: 8.1
When PgBouncer is configured with the auth_user parameter, it allows a remote attacker to gain access as the auth_user via an unknown username.

CVE-2017-7486
CVSS Severity Score: 7.5
PostgreSQL versions 8.4-9.6 are vulnerable to a data leak in the pg_user_mappings view, which discloses foreign server passwords to any user having the USAGE privilege on the associated servers.

CVE-2017-7485
CVSS Severity Score: 5.9
The PGREQUIRESSL environment variable no longer enforces SSL/TLS connections to PostgreSQL servers. That could be used in a man-in-the-middle attack to strip SSL/TLS protection from the connection between a server and a client.

CVE-2017-7484
CVSS Severity Score: 7.5
It turned out that there was no user privilege check for access to the pg_statistic catalog, which could cause a data leak. An unprivileged user could steal some information from tables he is not allowed to access.

Teradata

CVE-2015-5401
CVSS Severity Score: 7.5
Teradata Gateway and TDExpress allow a remote attacker to cause a denial of service via a corrupted CONFIG REQUEST message.

Apache Hive

CVE-2016-3083
A vulnerability in the SSL handshake for TCP/HTTP connections, which occurs when validating the server’s certificate. If a JDBC client sends an SSL request to the xyz.com server and the server responds with a valid certificate issued to abc.com, the client accepts it as a valid certificate and the SSL handshake goes through.
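The missing step in that handshake is the name check: a certificate that chains to a trusted CA must also be issued for the host the client asked for. The following added example (not Hive's code) models the decision with certificate dictionaries in the layout returned by Python's ssl.SSLSocket.getpeercert(); the function names and the sample certificate are constructed for illustration. In real clients, ssl.create_default_context() performs this check itself as long as check_hostname stays enabled.

```python
def dns_name_matches(pattern: str, hostname: str) -> bool:
    """RFC 6125-style match: case-insensitive, wildcard only as the whole leftmost label."""
    p_labels = pattern.lower().rstrip(".").split(".")
    h_labels = hostname.lower().rstrip(".").split(".")
    if len(p_labels) != len(h_labels) or "" in h_labels:
        return False
    if p_labels[0] == "*":
        # Refuse wildcards directly under a top-level label, such as "*.com".
        if len(p_labels) < 3:
            return False
        return p_labels[1:] == h_labels[1:]
    return p_labels == h_labels

def cert_valid_for(cert: dict, hostname: str) -> bool:
    """True if any DNS subjectAltName entry in the certificate covers hostname."""
    sans = [value for kind, value in cert.get("subjectAltName", ()) if kind == "DNS"]
    return any(dns_name_matches(name, hostname) for name in sans)

def client_accepts(cert: dict, requested_host: str, chain_ok: bool,
                   check_name: bool = True) -> bool:
    """Handshake decision; check_name=False reproduces the flaw described above."""
    if not chain_ok:
        return False
    return cert_valid_for(cert, requested_host) if check_name else True

# Constructed sample: a certificate with a valid chain, issued to abc.com.
ABC_CERT = {"subjectAltName": (("DNS", "abc.com"), ("DNS", "*.abc.com"))}

if __name__ == "__main__":
    # Client asked for xyz.com, server presented the abc.com certificate.
    print(client_accepts(ABC_CERT, "xyz.com", chain_ok=True, check_name=False))
    print(client_accepts(ABC_CERT, "xyz.com", chain_ok=True))
    print(client_accepts(ABC_CERT, "db.abc.com", chain_ok=True))
```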

SAP HANA

CVE-2017-8915
If Sinopia (a private/caching npm server) is used in SAP HANA, it allows remote attackers to cause a denial of service (service crash and assertion failure) by sending a package with a file name containing a $ or % sign.

CVE-2017-8914
Another flaw in integration with Sinopia. It allows remote attackers to hijack npm packages or host arbitrary files by exploiting an insecure user creation policy.

RDBMS Updates

MariaDB 10.2.6

  • MyRocks alpha storage engine added;
  • Recursive Common Table Expressions;
  • AWS Key Management plugin added for Windows, CentOS, RHEL, and Fedora packages;
  • Packages for Ubuntu 17.04 Zesty added;
  • The --add-drop-trigger option has been added to mysqldump;
  • Numerous Encryption fixes;
  • Disabled defragmentation;
  • Added support for OpenSSL 1.1 and LibreSSL;
  • innodb_deadlock_detect and innodb_stats_include_delete_marked variables introduced;

Percona Server 5.7.18-15

The new release of Percona fixes two server crashes. One occurs when querying a partitioned table with a single partition. The other occurs when running a query on an InnoDB table with the ngram full-text parser and a LIMIT clause.

PostgreSQL 9.6.3

  • Visibility of pg_user_mappings.umoptions is restricted to protect passwords stored as mapping options, addressing CVE-2017-7486. Note that the patch fixes the issue only in new databases. To apply the change to existing databases, you need to perform several steps defined in the Release Notes.
  • Prevented exposure of statistical information via leaky operators, addressing CVE-2017-7484.
  • Restored libpq’s recognition of the PGREQUIRESSL environment variable, addressing CVE-2017-7485.

Greenplum Database 4.3.14.0

The new Greenplum Database release has more deprecated features than new ones.

  • Added support for NetBackup 7.7 and restore operations with the gpdbcrondump and gpdbrestore utilities.
  • Greenplum Database support for Federal Information Processing Standard (FIPS) in the pgcrypto extension is deprecated.
  • The UDP interconnect type has been removed. Only the interconnect types TCP and UDPIFC are supported.