Database Security Digest – February 2018
Here is a quick digest of the database security news for February 2018.
Equifax breach worse than thought, now 147.9 million affected consumers
The credit reporting company has identified an additional 2.4 million consumers whose personal data was stolen in the infamous 2017 breach.
Management says it is still doing everything possible to identify, notify and protect the affected consumers.
The breach dealt a serious blow to the company's image and reputation. Senator Elizabeth Warren called the company untrustworthy, saying that its response to the breach and its subsequent actions were inadequate.
“Have I been Pwned” website has updated information on stolen data
2,844 breach incidents have been added to the site, totaling 80 million stolen records. The new data comes from a newly discovered online hacker forum. Most of the databases contain email addresses and passwords. The databases date from 2011 to 2018, which shows that personal data is being stolen from people continuously, not in isolated incidents.
Database Vulnerabilities
• DB2
CVE-2014-3219 https://nvd.nist.gov/vuln/detail/CVE-2014-3219
CVSS Severity Score: 5.9 Description: fish before 2.1.1 allows local users to write to arbitrary files via a symlink attack on (1) /tmp/fishd.log.%s, (2) /tmp/.pac-cache.$USER, (3) /tmp/.yum-cache.$USER, or (4) /tmp/.rpm-cache.$USER.
• Hive
CVE-2014-3005 https://nvd.nist.gov/vuln/detail/CVE-2014-3005
CVSS Severity Score: 9.8 Description: XML external entity (XXE) vulnerability in Zabbix 1.8.x before 1.8.21rc1, 2.0.x before 2.0.13rc1, 2.2.x before 2.2.5rc1, and 2.3.x before 2.3.2 allows remote attackers to read arbitrary files or potentially execute arbitrary code via a crafted DTD in an XML request.
CVE-2014-3244 https://nvd.nist.gov/vuln/detail/CVE-2014-3244
CVSS Severity Score: 9.8 Description: XML external entity (XXE) vulnerability in the RSSDashlet dashlet in SugarCRM before 6.5.17 allows remote attackers to read arbitrary files or potentially execute arbitrary code via a crafted DTD in an XML request.
CVE-2014-3752 https://nvd.nist.gov/vuln/detail/CVE-2014-3752
CVSS Severity Score: 6.7 Description: The MiniIcpt.sys driver in G Data TotalProtection 2014 24.0.2.1 and earlier allows local users with administrator rights to execute arbitrary code with SYSTEM privileges via a crafted 0x83170180 call.
CVE-2017-17108 https://nvd.nist.gov/vuln/detail/CVE-2017-17108
Description: Path traversal vulnerability in the administrative panel in KonaKart eCommerce Platform version 8.7 and earlier could allow an attacker to download system files, as well as upload specially crafted JSP files and in turn gain access to the server.
CVE-2017-18123 https://nvd.nist.gov/vuln/detail/CVE-2017-18123
Description: The call parameter of /lib/exe/ajax.php in DokuWiki through 2017-02-19e does not properly encode user input, which leads to a reflected file download vulnerability, and allows remote attackers to run arbitrary programs.
CVE-2016-6813 https://nvd.nist.gov/vuln/detail/CVE-2016-6813
Description: Apache CloudStack 4.1 to 4.8.1.0 and 4.9.0.0 contain an API call designed to allow a user to register for the developer API. If a malicious user is able to determine the ID of another (non-“root”) CloudStack user, the malicious user may be able to reset the API keys for the other user, in turn accessing their account and resources.
CVE-2017-17663 https://nvd.nist.gov/vuln/detail/CVE-2017-17663
Description: The htpasswd implementation of mini_httpd before v1.28 and of thttpd before v2.28 is affected by a buffer overflow that can be exploited remotely to perform code execution.
CVE-2018-1000029 https://nvd.nist.gov/vuln/detail/CVE-2018-1000029
Description: mcholste Enterprise Log Search and Archive (ELSA) revision 1205, commit 2cc17f1 and earlier contains a Cross Site Scripting (XSS) vulnerability in the index view (/). The payload is delivered via the type, name, and value parameters of /Query/set_preference and the name and value parameters of /Query/preference, and executes when the user visits the index view (/).
CVE-2018-1000035 https://nvd.nist.gov/vuln/detail/CVE-2018-1000035
CVSS Severity Score: 7.8 Description: A heap-based buffer overflow exists in Info-Zip UnZip version <= 6.00 in the processing of password-protected archives that allows an attacker to perform a denial of service or to possibly achieve code execution.
CVE-2018-6892 https://nvd.nist.gov/vuln/detail/CVE-2018-6892
Description: An issue was discovered in CloudMe before 1.11.0. An unauthenticated remote attacker that can connect to the “CloudMe Sync” client application listening on port 8888 can send a malicious payload causing a buffer overflow condition. This will result in an attacker controlling the program’s execution flow and allowing arbitrary code execution.
CVE-2016-5397 https://nvd.nist.gov/vuln/detail/CVE-2016-5397
Description: The code generator of the Apache Thrift Go client library could allow command injection because it invoked an external formatting tool. Affects Apache Thrift 0.9.3 and older; fixed in Apache Thrift 0.10.0.
CVE-2016-8742 https://nvd.nist.gov/vuln/detail/CVE-2016-8742
Description: The Windows installer that the Apache CouchDB team provides was vulnerable to local privilege escalation. All files in the install inherit the file permissions of the parent directory and therefore a non-privileged user can substitute any executable for the nssm.exe service launcher, or CouchDB batch or binary files. A subsequent service or server restart will then run that binary with administrator privilege. This issue affected CouchDB 2.0.0 (Windows platform only) and was addressed in CouchDB 2.0.0.1.
CVE-2018-1297 https://nvd.nist.gov/vuln/detail/CVE-2018-1297
Description: When using Distributed Test only (RMI based), Apache JMeter 2.x and 3.x uses an unsecured RMI connection. This could allow an attacker to gain access to JMeterEngine and send unauthorized code.
CVE-2018-6910 https://nvd.nist.gov/vuln/detail/CVE-2018-6910
Description: DedeCMS 5.7 allows remote attackers to discover the full path via a direct request for include/downmix.inc.php or inc/inc_archives_functions.php.
CVE-2018-1287 https://nvd.nist.gov/vuln/detail/CVE-2018-1287
Description: In Apache JMeter 2.x and 3.x, when using Distributed Test only (RMI based), the JMeter server binds the RMI Registry to the wildcard host. This could allow an attacker to gain access to JMeterEngine and send unauthorized code.
CVE-2018-7034 https://nvd.nist.gov/vuln/detail/CVE-2018-7034
Description: TRENDnet TEW-751DR v1.03B03, TEW-752DRU v1.03B01, and TEW733GR v1.03B01 devices allow authentication bypass via an AUTHORIZED_GROUP=1 value, as demonstrated by a request for getcfg.php.
CVE-2011-4973 https://nvd.nist.gov/vuln/detail/CVE-2011-4973
Description: Authentication bypass vulnerability in mod_nss 1.0.8 allows remote attackers to assume the identity of a valid user by using their certificate and entering ‘password’ as the password.
CVE-2018-5975 https://nvd.nist.gov/vuln/detail/CVE-2018-5975
Description: SQL Injection exists in the Smart Shoutbox 3.0.0 component for Joomla! via the shoutauthor parameter to the archive URI.
CVE-2018-7216 https://nvd.nist.gov/vuln/detail/CVE-2018-7216
Description: Cross-site request forgery (CSRF) vulnerability in esop/toolkit/profile/regData.do in Bravo Tejari Procurement Portal allows remote authenticated users to hijack the authentication of application users for requests that modify their personal data by leveraging lack of anti-CSRF tokens.
CVE-2018-7219 https://nvd.nist.gov/vuln/detail/CVE-2018-7219
Description: application/admin/controller/Admin.php in NoneCms 1.3.0 has CSRF, as demonstrated by changing an admin password or adding an account via a public/index.php/admin/admin/edit.html request.
CVE-2009-4267 https://nvd.nist.gov/vuln/detail/CVE-2009-4267
Description: The console in Apache jUDDI 3.0.0 does not properly escape line feeds, which allows remote authenticated users to spoof log entries via the numRows parameter.
CVE-2018-6940 https://nvd.nist.gov/vuln/detail/CVE-2018-6940
Description: A /shell?cmd= XSS issue exists in the HTTPD component of NAT32 v2.2 Build 22284 devices that can be exploited for Remote Code Execution in conjunction with CSRF.
CVE-2018-7046 https://nvd.nist.gov/vuln/detail/CVE-2018-7046
Description: ** DISPUTED ** Arbitrary code execution vulnerability in Kentico 9 through 11 allows remote authenticated users to execute arbitrary operating system commands in a dynamic .NET code evaluation context via C# code in a “Pages -> Edit -> Template -> Edit template properties -> Layout” box. NOTE: the vendor has responded that there is intended functionality for authorized users to edit and update ascx code layout.
CVE-2018-7205 https://nvd.nist.gov/vuln/detail/CVE-2018-7205
Description: ** DISPUTED ** Reflected Cross-Site Scripting vulnerability in “Design” on “Edit device layout” in Kentico 9 through 11 allows remote attackers to execute malicious JavaScript via a malicious devicename parameter in a link that is entered via the “Pages -> Edit template properties -> Device Layouts -> Create device layout (and edit created device layout) -> Design” screens. NOTE: the vendor has responded that there is intended functionality for authorized users to edit and update ascx code layout.
CVE-2013-0267 https://nvd.nist.gov/vuln/detail/CVE-2013-0267
Description: The Privileges portion of the web GUI and the XMLRPC API in Apache VCL 2.3.x before 2.3.2, 2.2.x before 2.2.2 and 2.1 allow remote authenticated users with nodeAdmin, manageGroup, resourceGrant, or userGrant permissions to gain privileges, cause a denial of service, or conduct cross-site scripting (XSS) attacks by leveraging improper data validation.
CVE-2018-7261 https://nvd.nist.gov/vuln/detail/CVE-2018-7261
Description: There are multiple Persistent XSS vulnerabilities in Radiant CMS 1.1.4. They affect Personal Preferences (Name and Username) and Configuration (Site Title, Dev Site Domain, Page Parts, and Page Fields).
CVE-2018-6764 https://nvd.nist.gov/vuln/detail/CVE-2018-6764
Description: util/virlog.c in libvirt does not properly determine the hostname on LXC container startup, which allows local guest OS users to bypass an intended container protection mechanism and execute arbitrary commands via a crafted NSS module.
CVE-2018-7476 https://nvd.nist.gov/vuln/detail/CVE-2018-7476
Description: controllers/admin/Linkage.php in dayrui FineCms 5.3.0 has Cross Site Scripting (XSS) via the id or lid parameter in a c=linkage,m=import request to admin.php, because the xss_clean protection mechanism is defeated by crafted input that lacks a ‘<‘ or ‘>’ character.
CVE-2018-7484 https://nvd.nist.gov/vuln/detail/CVE-2018-7484
Description: An issue was discovered in PureVPN through 5.19.4.0 on Windows. The client installation grants the Everyone group Full Control permission to the installation directory. In addition, the PureVPNService.exe service, which runs under NT Authority\SYSTEM privileges, tries to load several dynamic-link libraries using relative paths instead of the absolute path. When not using a fully qualified path, the application will first try to load the library from the directory from which the application is started. As the residing directory of PureVPNService.exe is writable to all users, this makes the application susceptible to privilege escalation through DLL hijacking.
CVE-2018-7172 https://nvd.nist.gov/vuln/detail/CVE-2018-7172
Description: In index.php in WonderCMS 2.4.0, remote attackers can delete arbitrary files via directory traversal.
CVE-2015-3898 https://nvd.nist.gov/vuln/detail/CVE-2015-3898
Description: Multiple open redirect vulnerabilities in Bonita BPM Portal before 6.5.3 allow remote attackers to redirect users to arbitrary web sites and conduct phishing attacks via vectors involving the redirectUrl parameter to (1) bonita/login.jsp or (2) bonita/loginservice.
CVE-2015-5079 https://nvd.nist.gov/vuln/detail/CVE-2015-5079
Description: Directory traversal vulnerability in widgets/logs.php in BlackCat CMS before 1.1.2 allows remote attackers to read arbitrary files via a .. (dot dot) in the dl parameter.
• MongoDB
CVE-2015-4412 https://nvd.nist.gov/vuln/detail/CVE-2015-4412
Description: BSON injection vulnerability in the legal? function in BSON (bson-ruby) gem before 3.0.4 for Ruby allows remote attackers to cause a denial of service (resource consumption) or inject arbitrary data via a crafted string.
• MySQL
CVE-2018-6521 https://nvd.nist.gov/vuln/detail/CVE-2018-6521
CVSS Severity Score: 9.8 Description: The sqlauth module in SimpleSAMLphp before 1.15.2 relies on the MySQL utf8 charset, which truncates queries upon encountering four-byte characters. There might be a scenario in which this allows remote attackers to bypass intended access restrictions.
CVE-2018-7251 https://nvd.nist.gov/vuln/detail/CVE-2018-7251
Description: An issue was discovered in config/error.php in Anchor 0.12.3. The error log is exposed at an errors.log URI, and contains MySQL credentials if a MySQL error (such as “Too many connections”) has occurred.
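The SimpleSAMLphp sqlauth entry above turns on a MySQL behaviour that is easy to miss: under the legacy 3-byte `utf8` charset a string literal containing a 4-byte character is cut off at that character with a warning, not an error. The following is an added example written for this digest, not SimpleSAMLphp's code and not a call into a MySQL server: it emulates that truncation (an assumption that it mirrors the documented behaviour for a non-strict session; check against your server version), uses a constructed in-memory `users` table, and contrasts the effective comparison of a vulnerable lookup with an application-side guard.

```python
"""Added example: MySQL 3-byte `utf8` literal truncation and why it can
make one username match another. Emulation only; constructed data."""
from typing import Optional

# Constructed stand-in for a `users` table (not real data).
USERS = {
    "admin": {"id": 1, "role": "administrator"},
    "alice": {"id": 2, "role": "member"},
}

# Server-side remedy, for reference (real MySQL statements): a 4-byte capable
# session charset is the essential fix; strict sql_mode additionally makes
# invalid data on writes an error instead of a warning.
HARDENED_SESSION_SQL = (
    "SET NAMES utf8mb4; "
    "SET SESSION sql_mode = 'STRICT_ALL_TABLES';"
)


def mysql_utf8_truncate(literal: str) -> str:
    """Model MySQL `utf8` (3-byte) handling of a string literal under a
    non-strict sql_mode: the literal is cut at the first code point above
    U+FFFF (4 bytes in UTF-8) and the remainder is dropped with a warning.
    Assumption: this emulation mirrors the documented behaviour."""
    for i, ch in enumerate(literal):
        if ord(ch) > 0xFFFF:
            return literal[:i]
    return literal


def has_supplementary(s: str) -> bool:
    """True if any character needs 4 bytes in UTF-8."""
    return any(ord(ch) > 0xFFFF for ch in s)


def lookup_user_vulnerable(username: str) -> Optional[dict]:
    """What `SELECT ... WHERE username = '<input>'` effectively compares
    when the connection charset is 3-byte `utf8`."""
    return USERS.get(mysql_utf8_truncate(username))


def lookup_user_hardened(username: str) -> Optional[dict]:
    """Application-side guard: refuse input the 3-byte charset cannot carry,
    so no silent truncation can happen on the way to the database."""
    if has_supplementary(username):
        raise ValueError("username contains characters outside the BMP")
    return USERS.get(username)


if __name__ == "__main__":
    probe = "admin\U0001F600"  # "admin" followed by U+1F600 (4 bytes in UTF-8)
    print(repr(mysql_utf8_truncate(probe)))  # 'admin'
    print(lookup_user_vulnerable(probe))     # the admin row
    try:
        lookup_user_hardened(probe)
    except ValueError as e:
        print("rejected:", e)
```

The practitioner's check is the lookup, not the insert: with `SET NAMES utf8` the probe `admin` + U+1F600 is compared as `admin`, so any logic that treats "this username exists" or "this username matches" as an authorization decision is reachable with a value that was never registered. Switch the session and the columns to `utf8mb4`; keep the application-side guard only as defence in depth.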
• Oracle
CVE-2018-5762 https://nvd.nist.gov/vuln/detail/CVE-2018-5762
Description: The TLS implementation in the TCP/IP networking module in Unisys ClearPath MCP systems with TCP-IP-SW 58.1 before 58.160, 59.1 before 059.1a.17 (IC #17), and 60.0 before 60.044 might allow remote attackers to decrypt TLS ciphertext data by leveraging a Bleichenbacher RSA padding oracle, aka a ROBOT attack.
• PostgreSQL
CVE-2018-1052 https://nvd.nist.gov/vuln/detail/CVE-2018-1052
Description: Memory disclosure vulnerability in table partitioning was found in postgresql 10.x before 10.2, allowing an authenticated attacker to read arbitrary bytes of server memory via purpose-crafted insert to a partitioned table.
CVE-2018-1053 https://nvd.nist.gov/vuln/detail/CVE-2018-1053
Description: In postgresql 9.3.x before 9.3.21, 9.4.x before 9.4.16, 9.5.x before 9.5.11, 9.6.x before 9.6.7 and 10.x before 10.2, pg_upgrade creates file in current working directory containing the output of `pg_dumpall -g` under umask which was in effect when the user invoked pg_upgrade, and not under 0077 which is normally used for other temporary files. This can allow an authenticated attacker to read or modify the one file, which may contain encrypted or unencrypted database passwords. The attack is infeasible if a directory mode blocks the attacker searching the current working directory or if the prevailing umask blocks the attacker opening the file.
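The pg_upgrade entry above hinges on two file-system conditions: the mode the dump file receives under the caller's umask, and whether the containing directory lets other users search it. The following is an added example written for this digest; it does not run pg_upgrade but creates a constructed stand-in file under two different umasks and applies a check that mirrors the advisory's two feasibility conditions (the file name and the dump contents are made up for the example).

```python
"""Added example: how the umask in effect at invocation decides who can read
a file written with the usual 0666 request, plus the advisory's two-part
feasibility check. Stand-in file only; pg_upgrade is not executed."""
import os
import stat
import tempfile


def create_under_umask(path: str, mask: int, data: bytes) -> int:
    """Create `path` the way an ordinary program does (requested mode 0666)
    while `mask` is in effect, restore the caller's umask, and return the
    permission bits the file actually received."""
    previous = os.umask(mask)
    try:
        fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o666)
        with os.fdopen(fd, "wb") as f:
            f.write(data)
    finally:
        os.umask(previous)
    return stat.S_IMODE(os.stat(path).st_mode)


def reachable_by_others(path: str) -> bool:
    """Feasibility test from the advisory: another local user can read or
    modify the file only if (a) its mode grants group/other read or write and
    (b) the containing directory grants group/other search (execute)."""
    file_mode = stat.S_IMODE(os.stat(path).st_mode)
    parent = os.path.dirname(os.path.abspath(path))
    dir_mode = stat.S_IMODE(os.stat(parent).st_mode)
    file_open = (file_mode & 0o066) != 0
    dir_searchable = (dir_mode & 0o011) != 0
    return file_open and dir_searchable


def demo():
    """Write the same constructed globals dump under umask 022 and under
    umask 077 in a directory others may search. Returns
    (mode_under_022, mode_under_077, reachable_022, reachable_077)."""
    fake_dump = (
        b"-- constructed stand-in for pg_dumpall -g output, not a real dump\n"
        b"CREATE ROLE app LOGIN PASSWORD 'redacted';\n"
    )
    with tempfile.TemporaryDirectory() as d:
        os.chmod(d, 0o755)  # a typical home or project directory: others may search it
        loose = os.path.join(d, "globals_dump_022.sql")
        tight = os.path.join(d, "globals_dump_077.sql")
        mode_loose = create_under_umask(loose, 0o022, fake_dump)
        mode_tight = create_under_umask(tight, 0o077, fake_dump)
        return (mode_loose, mode_tight,
                reachable_by_others(loose), reachable_by_others(tight))


if __name__ == "__main__":
    m022, m077, r022, r077 = demo()
    print(f"umask 022 -> mode {m022:o}, reachable by others: {r022}")
    print(f"umask 077 -> mode {m077:o}, reachable by others: {r077}")
```

Until the fixed release is installed, the operational workaround follows directly from the advisory text: invoke the upgrade from a directory other users cannot search, or in a subshell with the umask tightened first, `(umask 077; pg_upgrade ...)`, and confirm afterwards with `reachable_by_others` (or `stat`) that the working-directory file has no group/other bits.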
• SAP HANA
CVE-2018-2369 https://nvd.nist.gov/vuln/detail/CVE-2018-2369
Description: Under certain conditions SAP HANA, 1.00, 2.00, allows an unauthenticated attacker to access information which would otherwise be restricted. An attacker can misuse the authentication function of the SAP HANA server on its SQL interface and disclose 8 bytes of the server process memory. The attacker cannot influence or predict the location of the leaked memory.
CVE-2018-2372 https://nvd.nist.gov/vuln/detail/CVE-2018-2372
Description: A plain keystore password is written to a system log file in SAP HANA Extended Application Services, 1.0, which could endanger confidentiality of SSL communication.
CVE-2018-2373 https://nvd.nist.gov/vuln/detail/CVE-2018-2373
Description: Under certain circumstances, a specific endpoint of the Controller’s API could be misused by unauthenticated users to execute SQL statements that deliver information about system configuration in SAP HANA Extended Application Services, 1.0.
CVE-2018-2374 https://nvd.nist.gov/vuln/detail/CVE-2018-2374
CVSS Severity Score: 6.5 Description: In SAP HANA Extended Application Services, 1.0, a controller user who has SpaceAuditor authorization in a specific space could retrieve sensitive application data like service bindings within that space.
CVE-2018-2375 https://nvd.nist.gov/vuln/detail/CVE-2018-2375
CVSS Severity Score: 8.1 Description: In SAP HANA Extended Application Services, 1.0, a controller user who has SpaceAuditor authorization in a specific space could retrieve application environments within that space.
CVE-2018-2376 https://nvd.nist.gov/vuln/detail/CVE-2018-2376
CVSS Severity Score: 8.1 Description: In SAP HANA Extended Application Services, 1.0, a controller user who has SpaceAuditor authorization in a specific space could retrieve application environments within that space.
CVE-2018-2377 https://nvd.nist.gov/vuln/detail/CVE-2018-2377
CVSS Severity Score: 6.5 Description: In SAP HANA Extended Application Services, 1.0, some general server statistics and status information could be retrieved by unauthorized users.
CVE-2018-2378 https://nvd.nist.gov/vuln/detail/CVE-2018-2378
CVSS Severity Score: 6.5 Description: In SAP HANA Extended Application Services, 1.0, unauthorized users can read statistical data about deployed applications including resource consumption.
CVE-2018-2379 https://nvd.nist.gov/vuln/detail/CVE-2018-2379
CVSS Severity Score: 6.5 Description: In SAP HANA Extended Application Services, 1.0, an unauthenticated user could test if a given username is valid by evaluating error messages of a specific endpoint.
• Vertica
CVE-2017-5802 https://nvd.nist.gov/vuln/detail/CVE-2017-5802
Description: A remote privileged-access vulnerability was found in HPE Vertica Analytics Platform v4.1 and later.