Database Security Digest – October 2017

Here is our quick digest of database security news for October.

Bad Rabbit: Another Ransomware Attack

A new wave of ransomware attacks struck Russia and Ukraine; attacks were also reported in Turkey and Germany. According to the Kaspersky Lab report, Bad Rabbit uses methods similar to those used in the ExPetr attack.

The ransomware doesn’t use any exploits: victims must manually launch the install_flash_player.exe file downloaded from a compromised legitimate site. Once launched, it downloads file-encrypting malware that can brute-force NTLM login credentials to Windows machines at pseudo-randomly chosen IP addresses. The malware then encrypts the victim’s data using the criminals’ RSA-2048 public key.

SQL Injection Vulnerability in SmartVista

Rapid7 disclosed details of an SQL injection vulnerability in SmartVista, an e-commerce platform developed by BPC Banking Technologies and sold in 66 countries. The vulnerability affected only SmartVista Front-End version 2.2.10 and has been patched in later releases of the software. Successful exploitation allows an attacker to retrieve sensitive data, including usernames and passwords for the database backend. The detected vulnerabilities are blind injections, both time-based and Boolean-based, and exploitation requires authenticated access to the SmartVista system.

Still Leaking Misconfigured Amazon S3 Buckets

In previous digests we have already mentioned Amazon S3 buckets left with default settings, and this month brings another example of a careless attitude toward sensitive data storage. Accenture PLC, a global management consulting company, exposed its internal private keys, secret API data, and other information. The servers were left completely unsecured; an attacker only needed to know the URL.

3 Billion Yahoo Accounts Breached

This month Yahoo (now part of Oath) disclosed further details of its ongoing investigation into the biggest data breach in history, which happened back in 2013. According to the latest notice, approximately 3 billion accounts were compromised. Investigators indicate that the stolen files do not include payment card data, bank account information, or cleartext passwords. The company continues to notify additional affected users.

Dangerous Expansion of a New DDoS Botnet

IBTimes reported on IoT Reaper, a newly discovered botnet that uses unpatched vulnerabilities to enslave Internet-connected cameras and routers. Its code is borrowed from the Mirai botnet, and according to the researchers it could take down the Internet.

Vulnerability in MySQL Derivatives

CVE-2017-15945

The installation scripts of the MySQL derivatives packaged by Gentoo (dev-db/mysql, dev-db/mariadb, dev-db/percona-server, dev-db/mysql-cluster, and dev-db/mariadb-galera) contain a vulnerability that allows a local user with access to the mysql account to gain privileges by creating a link.

The installation scripts in the Gentoo packages before 2017-09-29 run chown on directory trees that are writable by the mysql user, which allows local users to gain privileges by leveraging access to the mysql account to create a link inside such a tree.
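As an added defensive example (not code from the digest or from the Gentoo packages), the guard below targets the pattern behind CVE-2017-15945: an installer running as root that recursively changes ownership of a tree the mysql account can already write to. It refuses any tree containing symlinks or multiply-linked files and uses chown -h so links are never dereferenced; the function and variable names are assumptions made for this example.

```shell
# Added example, not code from the digest or the Gentoo packages: a guard for
# the pattern behind CVE-2017-15945, an installer running as root doing
# "chown -R mysql:mysql <datadir>" on a tree the mysql account can already
# write to. A symlink or an extra hard link planted in that tree would make
# the ownership change land on an unrelated file. Function and variable
# names are assumptions made for this example.

# audit_tree_for_links DIR
# Returns 0 when DIR contains no symlinks and no multiply-linked regular
# files; otherwise lists the offending paths on stderr and returns 1.
audit_tree_for_links() {
    dir=$1
    bad=0
    # find does not follow symlinks by default, so DIR itself is reported
    # when it is a symlink, as is every symlink below it.
    links=$(find "$dir" -type l)
    if [ -n "$links" ]; then
        printf 'refusing %s: symlinks present\n%s\n' "$dir" "$links" >&2
        bad=1
    fi
    # A regular file with more than one link may be an alias of a file
    # outside the tree (for example a system file), so reject it too.
    hard=$(find "$dir" -type f -links +1)
    if [ -n "$hard" ]; then
        printf 'refusing %s: multiply-linked files\n%s\n' "$dir" "$hard" >&2
        bad=1
    fi
    return $bad
}

# safe_chown_tree OWNER DIR
# Changes ownership only after the audit passes, and with -h so that a link
# appearing between audit and chown is changed itself, not its target.
# The gap is still a race window, so the durable fix is not to run a
# recursive chown over a user-writable tree as root in the first place.
safe_chown_tree() {
    owner=$1
    dir=$2
    audit_tree_for_links "$dir" || return 1
    chown -R -h "$owner" "$dir"
}
```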

Oracle Critical Patch

Oracle has released a new Critical Patch Update fixing 252 security vulnerabilities.

It contains 25 security fixes for Oracle MySQL, 6 of which are remotely exploitable without authentication, and 6 fixes for Oracle Database, 2 of which are remotely exploitable without authentication.

Oracle MySQL Risk Matrix
CVE | Component | Remote Exploit without Auth.? | CVSS Severity Score | Attack Vector | Attack Complexity
--- | --- | --- | --- | --- | ---
CVE-2017-10424 | Monitoring: Web | Yes | 8.8 | Network | Low
CVE-2017-5664 | Monitoring: General (Apache Tomcat) | Yes | 7.5 | Network | Low
CVE-2017-10155 | Server: Pluggable Auth | Yes | 7.5 | Network | Low
CVE-2017-3731 | Server: Security: Encryption (OpenSSL) | Yes | 7.5 | Network | Low
CVE-2017-10379 | Client programs | No | 6.5 | Network | Low
CVE-2017-10384 | Server: DDL | No | 6.5 | Network | Low
CVE-2017-10276 | Server: FTS | No | 6.5 | Network | Low
CVE-2017-10167 | Server: Optimizer | No | 6.5 | Network | Low
CVE-2017-10378 | Server: Optimizer | No | 6.5 | Network | Low
CVE-2017-10277 | Connector/Net | Yes | 5.4 | Network | Low
CVE-2017-10203 | Connector/Net | Yes | 5.3 | Network | Low
CVE-2017-10283 | Server: Performance Schema | No | 5.3 | Network | High
CVE-2017-10313 | Group Replication GCS | No | 4.9 | Network | Low
CVE-2017-10296 | Server: DML | No | 4.9 | Network | Low
CVE-2017-10311 | Server: FTS | No | 4.9 | Network | Low
CVE-2017-10320 | Server: InnoDB | No | 4.9 | Network | Low
CVE-2017-10314 | Server: Memcached | No | 4.9 | Network | Low
CVE-2017-10227 | Server: Optimizer | No | 4.9 | Network | Low
CVE-2017-10279 | Server: Optimizer | No | 4.9 | Network | Low
CVE-2017-10294 | Server: Optimizer | No | 4.9 | Network | Low
CVE-2017-10165 | Server: Replication | No | 4.9 | Network | Low
CVE-2017-10284 | Server: Stored Procedure | No | 4.9 | Network | Low
CVE-2017-10286 | Server: InnoDB | No | 4.4 | Network | High
CVE-2017-10268 | Server: Replication | No | 4.1 | Local | High
CVE-2017-10365 | Server: InnoDB | No | 3.8 | Network | Low
Oracle Database Risk Matrix
CVE# | Component | Package and/or Privilege Required | Protocol | Remote Exploit without Auth.? | Base Score | Attack Vector | Attack Complexity
--- | --- | --- | --- | --- | --- | --- | ---
CVE-2017-10321 | Core RDBMS | Create Session | Oracle Net | No | 8.8 | Local | Low
CVE-2016-6814 | Spatial (Apache Groovy) | None | Multiple | Yes | 8.3 | Network | High
CVE-2017-10190 | Java VM | Create Session, Create Procedure | Multiple | No | 8.2 | Local | Low
CVE-2016-8735 | WLM (Apache Tomcat) | None | Multiple | Yes | 8.1 | Network | High
CVE-2017-10261 | XML Database | Create Session | Oracle Net | No | 6.5 | Local | Low
CVE-2017-10292 | RDBMS Security | Create User | Oracle Net | No | 2.3 | Local | Low

MySQL 5.7.20 Release

The release contains multiple bug fixes in the InnoDB and Replication engines, minor changes in functionality and the following security enhancements:
  • Certificates automatically generated by mysqld and mysql_ssl_rsa_setup now use X509 v3 instead of v1.
  • The keyring_okv plugin now supports password-protecting the key file used for secure connections.

Refer to the release notes for further details.

Pivotal Greenplum 5.1.0

The release includes product enhancements, introduces new features, and resolves several known issues. Refer to the release notes for a detailed description.