Database Security Digest – August 2016

August was quite eventful for cybersecurity workers. Two massive Black Hat and DefCon conferences  took place in Las-Vegas unveiling to the world latest security threats and zero-day vulnerabilities. Hackers and security gurus discussed upcoming threats, special attention was drawn to mobile application threats, internet protocol security, hacking ways for Internet of Things products, bug bounty programs with quite hefty rewards, social media hack and even flying hacking laptop drones allowing hackers to perform attacks remotely without need to be close to the target. Detailed descriptions of participants’ presentations can be found on Black Hat and DefCon official web-sites.

Serious MySQL Threat

Recently published information about multiple severe MySQL vulnerabilities has kicked up the dust. The most critical of them (CVE-2016-6662) allows hackers to attack MySQL server locally or remotely and gain root privileges. Exploiting this vulnerability requires several conditions: an attacker must have authenticated access or perform another attack on web-applications in order to get the ability of injecting SQL code. This vulnerability appears in MySQL and its derivative products including Percona Server and MariaDB, it represents serious security threat, that’s why vendors insistently recommend to update a DBMS to the latest version. The problem is solved in MySQL 5.7.15, 5.6.33 and 5.5.52, MariaDB 10.0.27, 10.1.17 and Percona Server 5.7.14-7.

Apart from eliminating the critical vulnerability, MySQL 5.7.15 fixes some known bugs and adds several new functions. Dynamic configuration option is included, which can be used to disable deadlock detection. Another new option helps to control LZ4 library selection. The systemd support script for the unit file (mysqld_pre_systemd) has been changed and now it assists in creating the error log file only if its location matches the pattern /var/log/mysql*.log. Updated script avoids creating insecure temporary files. Moreover with regard to security, new MySQL has validate_password plugin that supports the capability of rejecting passwords that coincide with the current session user name. The plugin exposes the validate_password_check_user_name system variable in order to enable control over this capability.

Oracle

As the next Critical Patch Update by Oracle will be released only in October, most of current security vulnerabilities that are going to be eliminated remain to be hidden from view. Here is the one detected and published last month.

CVE-2016-6298

The _Rsa15 class in the RSA 1.5 algorithm implementation in jwa.py in jwcrypto before 0.3.2 lacks the Random Filling protection mechanism, which makes it easier for remote attackers to obtain cleartext data via a Million Message Attack (MMA).

As for other database management systems, there were several updates released last month, including MariaDB 10.1.17, PostgreSQL 9.4, Greenplum Database 4.3.9.0.

Security Update Release for PostgreSQL

Release closes two security holes and fixes a number of bugs reported over the last few months. Vulnerabilities are described below:

CVE-2016-5423

Possible misevaluation of nested CASE-WHEN expressions. A CASE expression appearing within the test value subexpression of another CASE could become confused about whether its own test value was null or not. Also, inlining of a SQL function implementing the equality operator used by a CASE expression could result in passing the wrong test value to functions called within a CASE expression in the SQL function’s body. If the test values were of different data types, a crash might occur; such situations could be abused to disclose a portion of server memory.

CVE-2016-5424

Database and role names with embedded special characters can allow code injection during administrative operations like pg_dumpall. Numerous addresses in vacuumdb and other client programs could be confused with database and role names containing double quotes or backslashes. Quoting rules has been tightened up to make that safe. The handling method of paired double quotes in psql’s \connect and \password commands is fixed to match the documentation. A new -reuse-previous option in psql’s \connect command is introduced to allow explicit control of whether to re-use connection parameters from a previous connection. Without this, the choice is based on whether the database name looks like a conninfo string, as before. This allows secure handling of database names containing special characters in pg_dumpall scripts.

These are considered security fixes because crafted object names containing special characters could have been used to execute commands with superuser privileges right after a superuser executes pg_dumpall or other routine maintenance operations.

MariaDB 10.1.17

It is a Stable (GA) release, as mentioned above it fixes CVE-2016-6662 vulnerability. Other changes affected Galera cluster, including library update, increase in default value of wseo_max_ws_size from 1GB to 2GB, support of wsrep_max_ws_rows system variable. Several bugs has been fixed; the CONNECT engine now supports the JBDC Table type; XtraDB, TokuDB, InnoDB and Performance Schema are updated.

Greenplum Database 4.3.9.0

The maintenance release includes some changes and enhancements. It has been mainly caused by the following bugs that have been resolved in the new version:
Bug 1238749 – Backport rhashtable changes from upstream
Bug 1316093 – Missing puppet logs in /var/log/remote (Backport of da314c9923fe and 1f770c0a09 into RHEL-7)

Resolved issues are related to query optimization, dispatch languages: R and PL/R, Backup and Restore scripts, resource management, query execution, dispatch and S3 external table.