Database Security Digest – September 2016

Hacking Activity

September will be remembered with series of hacks and the largest DDoS attack in the history with the traffic of 620GBps. As specialists of Akamai Technologies claim, they have never seen a botnet of such capability before. It seems like DDoS attackers are not sitting on their hands, they are taking it to the next level.

Last month Fancy Bear crew hacked World Anti-Doping Agency (WADA) again. The previous attack had been made by exploiting SQL-injection, but this one – by account hijacking. Stolen and published sensitive data contains medical information on athletes, which has already led to series of scandals due to concealment of truthful data by the agency.

Among other remarkable events are massive data leaks: Rambler (100 million accounts), Last.fm (43 millions), QIP.ru (33 millions). And Yahoo holds the record – 500 million accounts!

Yahoo was breached by professional team of hackers, who used social engineering to choose targets among company employees and send them emails or chat messages containing malware. Then they did some phishing to acquire passwords of other company members. Following that, hackers gained access to sensitive information. The whole operation took more than 2 years.

Stolen data contains Yahoo mail account names, email addresses, birth dates, phone numbers and scrambled passwords along with encrypted and unencrypted security questions and answers that can help to break into victims’ other accounts. Yahoo recommends affected users to change their passwords as a precaution, because accounts are offered for sale online.

Database Security

Two new exploits appeared at www.exploit-db.com for MySQL and its derivatives. The first one is for local credentials disclosure for MySQL 5.5.45 on Windows (x64). The second is the exploit of infamous CVE-2016-6662 on MySQL/MarinaDB/PerconaDB. It can be used for code execution and privilege escalation.

As usually, the massive flow of published vulnerabilities comes only with Oracle’s Critical Patch Update coming up at the latter half of October. There were two CVE’s for Oracle MySQL this month.

CVE-2016-5444

Affected versions: Oracle MySQL 5.5.48, 5.6.29, 5.7.11 and earlier; MariaDB before 10.0.25, 10.1.14

Summary: Unspecified vulnerability that allows remote attackers to affect confidentiality via vectors related to Server: Connection.

CVSS Severity: 3.7 – LOW

CVE-2016-6662

Affected versions: Oracle MySQL 5.5.52, 5.6.33, 5.7.15 and earlier; MariaDB before 5.5.51, 10.0.27 and 10.1.17; Percona Server before 5.5.51-38.1, 5.6.32-78.0, 5.7.14-7

Summary: Allows local users to create arbitrary configurations and bypass certain protection mechanisms by setting general_log_file to a my.cnf configuration. This can be leveraged to execute arbitrary code with root privileges by setting malloc_lib.

CVSS Severity:  8.8 – HIGH

MySQL

In the digest of previous month we mentioned CVE-2016-6662. The issue was resolved in MySQL 5.7.15. Update your DBMS, if you still use the affected version, as the exploit for this vulnerability is already available.

MariaDB

MariaDB 10.1.18 was released last month. It fixes a number of known bugs and crashes. Since 10.1.17 CVE-2016-6662 is also fixed.

Moreover, beta version of MariaDB 10.2.2 was released. It contains new window functions (LEAD, LAG, NTH_VALUE, FIRST_VALUE, LAST_VALUE), bugfixes and other improvements to the prior version.

Greenplum Database 4.3.9.1

Maintenance release resolves some known issues and includes enhancements of performance and stability, gpdbstore utility, gpcheckcat utility, gpload utility, external table s3 protocol, MADlib extension enhancements.

PostgreSQL

PostgreSQL 9.6 has been released. Substantial performance improvements have been made, especially in the area of scalability on multi-CPU-socket servers. Other changes include:

  • Avoiding unnecessary page scanning during vacuum freeze operations
  • Parallel execution of sequential scans, joins and aggregates
  • Replication now supports multiple simultaneous synchronous standby servers
  • postgres_fdwnow supports remote joins, sorts, UPDATE’s, and DELETE’s
  • Full-text search can now search for phrases (multiple adjacent words)

As for the security, in the new version joins of foreign tables are performed remotely only when the tables are accessed under the same role ID. Previously the question of security during this process was up to individual foreign data wrappers (FDW). That made it easy for FDW to inadvertently create security holes.

Old versions contained hard-wired checks that would throw an error message, if they were called by a non-superuser. This led to use of superuser roles for relatively low-level tasks. Error checks are now replaced by more convenient initdb revoke of EXECUTE privilege on these functions. That allows installations to choose to grant usage of functions to trusted roles that do not need all superuser privileges.

Also, there is a new opportunity to create built-in roles (pg_signal_backend). They can be used to access what was previously superuser-only function.

DataSunrise supports all major databases and data warehouses such as Oracle, Exadata, IBM DB2, IBM Netezza, MySQL, MariaDB, Greenplum, Amazon Aurora, Amazon Redshift, Microsoft SQL Server, Azure SQL, Teradata and more. You are welcome to download a free trial if would like to install on your premises. In case you are a cloud user and run your database on Amazon AWS or Microsoft Azure you can get it from AWS market place or Azure market place.