Database Security Digest – September 2017

We present a summary of the latest database security incidents and updates.

Equifax breach

An unknown party hacked Equifax, a large consumer credit reporting agency that handles extremely sensitive information. Personal data of 143 million US consumers has been compromised, including names, social security numbers, birth dates, addresses and, in some cases, driver license numbers; at least 209,000 credit card credentials and additional PII of 182,000 people were also exposed. Some data of UK and Canadian customers is also affected.

Equifax has reported that the attack was performed by exploiting a remote code execution vulnerability in the open-source server software Apache Struts (CVE-2017-5638). An attacker sends an HTTP request that contains a serialized object or an OGNL expression and thereby gains the ability to execute arbitrary code. The vulnerability was disclosed in March. It is a critical vulnerability, and Equifax definitely should have patched it.

Apart from letting a massive attack happen, Equifax, for no reason, failed to report the breach within 72 hours, as demanded by Europe’s General Data Privacy Regulation. The company reported it only 40 days after it found out about the incident.

Misconfigured AWS databases are still leaking

The global communication service provider BroadSoft left 600 GB of data exposed in two publicly accessible cloud repositories. The files included SQL database dumps, access logs and customer billing addresses.

TigerSwan, a US private military contractor, exposed thousands of resumes containing personal information of American military veterans.

The American telecommunications conglomerate Verizon leaked confidential corporate files, including decryption keys and the usernames and passwords used to access Verizon’s internal network.

In all cases, the data was stored in AWS Simple Storage Service (S3) buckets. The leakage occurred because public access to the buckets had been enabled. The trend continues. If you keep data in Amazon S3 buckets, you had better double-check their access settings.
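That double-check can be scripted. The following is an added example, not code from the digest or from AWS: it flags world-readable grants in a bucket ACL and wildcard-principal Allow statements in a bucket policy, given documents shaped like the output of `aws s3api get-bucket-acl` and `aws s3api get-bucket-policy` (the sample documents, bucket name and account id are constructed).

```python
import json

# Canned S3 group URIs that grant access to everyone or to any AWS account holder
PUBLIC_GRANTEE_URIS = {
    "http://acs.amazonaws.com/groups/global/AllUsers",
    "http://acs.amazonaws.com/groups/global/AuthenticatedUsers",
}


def acl_public_grants(acl):
    """Return (permission, group URI) pairs from a get-bucket-acl document that open the bucket to the world."""
    findings = []
    for grant in acl.get("Grants", []):
        grantee = grant.get("Grantee", {})
        if grantee.get("Type") == "Group" and grantee.get("URI") in PUBLIC_GRANTEE_URIS:
            findings.append((grant.get("Permission"), grantee["URI"]))
    return findings


def _principal_is_public(principal):
    # Both the bare "*" and {"AWS": "*"} (or a list containing "*") mean "anyone".
    if principal == "*":
        return True
    if isinstance(principal, dict):
        aws = principal.get("AWS")
        return aws == "*" or (isinstance(aws, list) and "*" in aws)
    return False


def policy_public_statements(policy_json):
    """Return Sids of Allow statements with a wildcard Principal; conditioned ones are still reported for manual review."""
    statements = json.loads(policy_json).get("Statement", [])
    if isinstance(statements, dict):  # a policy may hold a single statement object
        statements = [statements]
    return [s.get("Sid", "<no Sid>") for s in statements
            if s.get("Effect") == "Allow" and _principal_is_public(s.get("Principal"))]


# Constructed sample documents shaped like `aws s3api get-bucket-acl` / `get-bucket-policy` output;
# the bucket name and the account id 123456789012 are placeholders.
SAMPLE_ACL = {"Owner": {"ID": "owner-canonical-id"}, "Grants": [
    {"Grantee": {"Type": "CanonicalUser", "ID": "owner-canonical-id"}, "Permission": "FULL_CONTROL"},
    {"Grantee": {"Type": "Group", "URI": "http://acs.amazonaws.com/groups/global/AllUsers"}, "Permission": "READ"},
]}
SAMPLE_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [
    {"Sid": "PublicRead", "Effect": "Allow", "Principal": "*", "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-bucket/*"},
    {"Sid": "AppRole", "Effect": "Allow", "Principal": {"AWS": "arn:aws:iam::123456789012:role/app"}, "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-bucket/*"},
    {"Sid": "DenyPlainHttp", "Effect": "Deny", "Principal": "*", "Action": "s3:*", "Resource": "arn:aws:s3:::example-bucket/*", "Condition": {"Bool": {"aws:SecureTransport": "false"}}},
]})


def audit_bucket(acl, policy_json):
    # Combine both checks; empty lists mean nothing world-accessible was found.
    return {"acl": acl_public_grants(acl), "policy": policy_public_statements(policy_json)}
```

Run `audit_bucket` over every bucket returned by `aws s3api list-buckets`; the sample ACL reports the AllUsers READ grant and the sample policy reports only the `PublicRead` statement, not the Deny or the role-scoped one.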

MS SQL Server 2017 Released

The new version of SQL Server contains bug fixes and, from now on, runs on Linux and macOS (via Docker). Some features (replication, Reporting Services, Analysis Services, Machine Learning Services) are not yet supported on Linux. Other changes include:

  • Improvements in computing incremental statistics update thresholds.
  • Graph query support.
  • Adaptive Query Processing and Automatic Tuning for better query optimization.
  • Python support in Machine Learning Services.

For the full list of changes, refer to the Release Notes.

CVE-2017-1520
CVSS severity score: 3.7
Description: A vulnerability in IBM DB2 9.7, 10.1, 10.5, and 11.1 that allows an unauthorized command to be executed when activating the database if the authentication type is CLIENT. Remotely exploitable without authentication.

CVE-2017-1519
CVSS severity score: 5.9
Description: Denial of service vulnerability in IBM DB2 10.5 and 11.1. A remote user without authentication can disrupt service on a DB2 Connect Server set up with a particular configuration.

CVE-2017-1452
CVSS severity score: 7.8
Description: A vulnerability in IBM DB2 9.7, 10.1, 10.5, and 11.1 that allows a local user to elevate privileges and overwrite DB2 files. Locally exploitable without authentication.

CVE-2017-1451
CVSS severity score: 7.8
Description: A vulnerability in IBM DB2 9.7, 10.1, 10.5, and 11.1 that allows a local user with DB2 instance owner privileges to obtain root privileges.

CVE-2017-1439
CVSS severity score: 6.7
Description: A vulnerability in IBM DB2 9.7, 10.1, 10.5, and 11.1 that allows a local user with DB2 instance owner privileges to obtain root privileges. Locally exploitable without authentication.

CVE-2017-1438
CVSS severity score: 6.7
Description: A vulnerability in IBM DB2 9.7, 10.1, 10.5, and 11.1 that allows a local user with DB2 instance owner privileges to obtain root privileges.

CVE-2017-1434
CVSS severity score: 4.7
Description: A vulnerability in IBM DB2 9.7, 10.1, 10.5, and 11.1 that, with certain settings, allows a local unauthorized user to obtain sensitive information exposed in the error log.