Database Security Digest – February 2017

The time has come to introduce you to the latest news in the sphere of database security.

Ransom attacks switched to MySQL

Ransomware attacks on misconfigured MongoDB and CouchDB continued. Blackmailers have also started targeting MySQL databases. The attack scheme remains pretty simple: detect a database with default settings, brute-force the ‘root’ password, delete the database content and demand financial support for restoring the data.

This kind of attack can be easily avoided, if you apply the basic security measures:

SQL injection vulnerability in WordPress

A severe remotely exploitable vulnerability has been found in NextGEN Gallery plugin of WordPress. It allows an unauthenticated user to inject an SQL code and retrieve sensitive data from victim’s website database, including hashes of WordPress user passwords. Affected websites are those that use NextGEN Basic TagCloud Gallery or if it is allowed for users to submit posts.

SQL injection is made possible due to invalid validation of query parameters. As a result, the info typed by a user will be added to the SQL query without the correct filtration. The vulnerability has been patched in NextGEN Gallery 2.1.79.

Leaking Cloudflare

Cloudflare provides Internet security and performance services to millions of websites. It turned out the CloudFlare service had a huge bug and it was leaking sensitive data from September 2016 through February 2017.

According to Cloudflare reports, the problem occurred in HTML parser presenting in the following three features: Automatic HTTP Rewrites, Email Obfuscation, Server-Side Excludes. The bug caused buffer overflow on the edge servers, thus they returned memory containing private information such as authentication tokens, HTTP cookies, HTTP POST bodies and some other critical data. All the three features causing memory leakage have been immediately disabled as soon as the company noticed the problem.

Among the victims are Uber, Fitbit, OK Cupid and other web-based services. The impact of the leakage is considered to be minimal. Cloudflare, collaborating with search engine providers, deleted the cached memory containing leaked data from search engines before announcing about the bug. The company also declared that no customer SSL keys have been leaked because an isolated NGINX instance is used to terminate SSL connections.

SHA-1 on the way out

Researchers from Google have performed the first practical collision attack for the cryptographic hash function SHA-1. The attack is based on colliding of two PDF files. They’ve managed to obtain the SHA-1 digital signature on the first PDF file and used it to extract the second PDF file by imitating the signature.

The computations take years and the cost of the attack is estimated up to $120,000, but it is believed to lower in the future. Researchers claim that their method is 100,000 time faster than a brute force attack.

Many organizations have already replaced SHA-1 with SHA-2 and SHA-3 as the algorithm is no longer considered secure against well-funded opponents. Google, Microsoft, Apple, Mozilla have announced that by 2017 their browsers will stop accepting SHA-1 SSL certificates.

Database vulnerabilities and RDBMS releases

Affected versions: Oracle MySQL before 5.6.21 and 5.7.x before 5.7.5 and MariaDB through 5.5.54, 10.0.x through 10.0.29, 10.1.x through 10.1.21, and 10.2.x through 10.2.3
CVSS Severity: 7.5
Allows an unauthenticated attacker without privileges to cause crash in libmysqlclient.so

Percona Server 5.7.17-11 release adds two new features and fixes known bugs. The list of important changings you can see below:

There has also been a release of Percona Server for MongoDB 3.4.

The first release candidate (RC) has been released in the MariaDB 10.2 series. To see what’s new, refer to release notes.

PostgreSQL 9.6.2, 9.5.6, 9.4.11, 9.3.16 and 9.2.20 released. It patches over 75 bugs and fixes some known issues. Below are the most notable ones: