Widely used DB2 database software from IBM — which often stores critical data, such as credit card information — has flaws that would be “trivial” for attackers to exploit.
The holes, uncovered by Core Security, a network security firm, are simple stack-based buffer overflows. They are triggered by passing an over-long command-line argument to either of two binaries installed by default with DB2: db2licm, used for license management, and db2dart, used for database analysis and error checking.
Boston-based Core Security said in its advisory that it had tested DB2 7.2 on Linux and found it vulnerable, but that the other DB2 platforms, including AIX, HP-UX, Solaris and Windows, might also be affected.
However, the flaws cannot be reached over the network: an attacker needs an existing local account on the server to feed the binaries a malicious argument. IBM has issued a patch for all versions of the database server software.
Describing exploitation of the vulnerabilities as “trivial,” Core Security said the privileges the two binaries carry by default could be combined with the overflows to gain root, which amounts to total control of the DB2 server.
“For an internal user, this could be a serious vulnerability,” Core spokesperson Mike Yaffe told TechNewsWorld. “It does allow a user to escalate privileges and become the superuser.”
Yaffe, who said Core has worked closely with IBM on the vulnerabilities since Core uncovered them six weeks ago, added that IBM’s patch is “comprehensive” and covers all versions of the database software.
The popular database software, geared toward e-business, business intelligence, content management, resource planning and customer relationship management, can be deployed on several different operating systems.
While IBM’s Web page indicates there are more than 60 million DB2 users at 400,000 companies worldwide, a spokesperson for Big Blue said the vulnerabilities only involve DB2 on the Linux platform and downplayed the number of impacted users.
Although Core Security published exploit code for the DB2 Linux versions running on x86 and s390 systems to test for the vulnerability, the IBM representative said there have been no reports of attacks.
Keeping the Crown Jewels
Gartner research vice president Richard Stiennon told TechNewsWorld that although the DB2 flaws are “the kind of vulnerability hackers are looking for,” most DB2 servers are not connected to the Internet and are therefore not as vulnerable.
Still, Stiennon said, the weaknesses could be exploited by a computer worm similar to SQL Slammer, which snarled networks as it spread among Microsoft SQL Server installations in January.
“It doesn’t raise the threat scenario of targeted attacks,” he said. “But it does raise the specter of a worm that would spread through DB2 servers; that would be pretty devastating.”
While he said he was not surprised by disclosure of the flaws, Stiennon noted that the information typically stored on DB2 servers is critical.
“Database servers don’t get looked at a lot, yet that’s where the jewels are kept,” he said. “The crown jewels for e-commerce sites are stored on database servers — that’s where those credit card numbers are. That’s why our advice is [to] encrypt that data. It’s so simple. Just encrypt it.
“You just don’t want to succumb to the criminal attacks that are looking for those things.”