Database Security Digest – October 2017
Bad Rabbit: Another Ransomware Attack
A new wave of ransomware attacks struck Russia and Ukraine, attacks have also been reported in Turkey and Germany. According to the Kaspersky Lab report, Bad Rabbit uses methods similar to those used in the ExPetr attack.
The ransomware doesn’t use any exploits, victims must manually launch the install_flash_player.exe file downloaded from an infected legitimate site. When launched, it downloads a file-encrypting malware which can brute-force NTLM login credentials to Windows machines that have a pseudo-random IP address. Moreover, the malware encrypts victim’s data using the criminal’s public RSA-2048 key.
SQL Injection Vulnerability in SmartVista
Rapid7 disclosed details of an SQL injection vulnerability in SmartVista, which is an e-commerce platform sold in 66 countries and developed by BPC Banking Technologies. The vulnerability impacted only SmartVista Front-End version 2.2.10 and was patched in further releases of the software. Successful exploitation allows an attacker to retrieve sensitive data, including usernames and passwords of the database backend. Detected vulnerabilities are time-based and Boolean-based. Exploitation requires authenticated access to the SmartVista system.
Still Leaking Misconfigured Amazon S3 Buckets
In previous digests, we’ve already mentioned Amazon S3 buckets left with default settings, and this month there is another example of irresponsible attitude toward sensitive data storage. Accenture PLC, a global management consulting company, has exposed their internal private keys, secret API data, and some other information. Servers were left absolutely unsecured, attackers only needed to know the URL address.
3 billion Yahoo Accounts Breached
This month, Yahoo (now part of Oath) has disclosed the details of the ongoing investigation of the biggest data breach in history which happened back in 2013. According to the latest notice, approximately 3 billion accounts have been compromised. The investigation authorities indicate that stolen files don’t include payment card data, bank account information, and passwords in cleartext. The company continues to notify additional affected users.
Dangerous Expanding of a New DDoS Bot
IBTimes reported about the IoT Reaper, a newly discovered botnet that uses unpatched vulnerabilities to enslave web-connected cameras and routers. The code is borrowed from the Mirai botnet, and according to the researchers, it can take down the Internet.
Vulnerability in MySQL DerivativesCVE-2017-15945
Installations scripts of MySQL derivatives (dev-db/mysql, dev-db/mariadb, dev-db/percona-server, dev-db/mysql-cluster, and dev-db/mariadb-galera) contain a vulnerability that allows to leverage access to the mysql account for creation of a link.
The installation scripts in the Gentoo packages before 2017-09-29 have chown calls for user-writable directory trees, which allows local users to gain privileges by leveraging access to the mysql account for creation of a link.
Oracle Critical Patch
Oracle has released a new Critical Patch Update fixing 252 security vulnerabilities.
It contains 25 security fixes for Oracle MySQL, 6 of which are remotely exploitable without authentication, and 6 fixes for Oracle Database, 2 of which are remotely exploitable without authentication.Oracle MySQL Risk Matrix
|CVE||Component||Remote Exploit without Auth||CVSS Severity Score||Attack Vector||Attack Complex|
|CVE-2017-5664||Monitoring: General (Apache Tomcat)||Yes||7.5||Network||Low|
|CVE-2017-10155||Server: Pluggable Auth||Yes||7.5||Network||Low|
|CVE-2017-3731||Server: Security: Encryption (OpenSSL)||Yes||7.5||Network||Low|
|CVE-2017-10283||Server: Performance Schema||No||5.3||Network||High|
|CVE-2017-10313||Group Replication GCS||No||4.9||Network||Low|
|CVE-2017-10284||Server: Stored Procedure||No||4.9||Network||Low|
|CVE#||Component||Package and/or Privilege Required||Protocol||Remote Exploit without Auth.?||Base Score||Attack Vector||Attack Complex|
|CVE-2017-10321||Core RDBMS||Create session||Oracle Net||No||8.8||Local||Low|
|CVE-2016-6814||Spatial (Apache Groovy)||None||Multiple||Yes||8.3||Network||High|
|CVE-2017-10190||Java VM||Create Session, Create Procedure||Multiple||No||8.2||Local||Low|
|CVE-2016-8735||WLM (Apache Tomcat)||None||Multiple||Yes||8.1||Network||High|
|CVE-2017-10261||XML Database||Create Session||Oracle Net||No||6.5||Local||Low|
|CVE-2017-10292||RDBMS Security||Create User||Oracle Net||No||2.3||Local||Low|
MySQL 5.7.20 ReleaseThe release contains multiple bug fixes in the InnoDB and Replication engines, minor changes in functionality and the following security enhancements:
- Certificates automatically generated by mysqld and mysql_ssl_rsa_setup now use X509 v3 instead of v1.
- The keyring_okv plugin now supports password-protecting the key file used for secure connections.
Refer to release notes for further details.
Pivotal Greenplum 5.1.0
The release includes product enhancements, introduces new features, and resolves some known issues. Refer to release notes for a detailed description.