A low-privileged process on a vulnerable machine could allow data harvesting and DoS.
The IBM’s next-gen data-management software suffers from a shared-memory vulnerability that researchers said could lead to other threats — as demonstrated by a new proof-of-concept exploit for the bug.
The IBM Db2 is a family of hybrid data-management products containing artificial intelligence, which can be used to analyze and manage both structured and unstructured data within enterprises.
According to researchers at Trustwave, the recently disclosed bug (CVE-2020-4414) arises because the platform’s developers forgot to put explicit memory protections around the shared memory used by the Db2 trace facility. If exploited, it could lead to denial-of-service (DoS) or information disclosure.
The trace facility is a function that allows users to isolate certain data points by monitoring selected parameters. This gives users what is essentially a log of control flow information (functions and associated parameter values), which can be helpful in slicing, dicing and separating out data for analysis. As such, the data at risk from an exploit could be literally anything generated within a targeted organization. For a healthcare provider for instance, cybercriminals could make off with HIPAA-protected patient information; a financial company meanwhile could be at risk for a breach of credit-card data.
On the DoS front, Karl Sigler, senior security research manager for SpiderLabs at Trustwave, told Threatpost that “databases are often deployed as critical system. An attacker with a foothold on the system could consistently bring down the database and interrupt whatever system that depends on it and it’s data.”
The crux of the issue is that it allows local privilege-escalation and crashing of the device. The lack of explicit memory protections “allows any local users read-and-write access to that memory area,” Trustwave researchers said, in their PoC exploit writeup for the bug, issued on Thursday. “In turn, this allows them to access critically sensitive data as well as the ability to change how the trace subsystem functions, resulting in a denial-of-service condition in the database.”
They added, “Needless to say, both shouldn’t be possible for regular users.”
While technically an attacker would need to be local, it’s possible to remotely execute such a low-privileged process (i.e., malware) on a vulnerable machine to trigger an exploit: “Low-privileged processes, running on the same computer as Db2 database, can alter Db2 traces and capture sensitive data – and use that later for subsequent attacks,” the researchers explained.
To exploit the bug, attackers can send a specially crafted request to the trace facility.
Trustwave’s PoC starts with launching Process Explorer or other any similar tool in Windows to check open handles of the Db2 main process. Then, the researchers created a simple console application that tries to open a given memory section by name. Once that’s running, an attacker can enable Db2 tracing, which opens the door to an attack.
“And now we can see what’s been written to those memory sections,” according to Trustwave’s analysis. “In the end, this means that an unprivileged local user can abuse this to cause a denial-of-service condition simply by writing incorrect data over that memory section…there are absolutely no permissions assigned to the shared memory so that anyone can read from and write to it.”
Martin Rakhmanov, security research manager for SpiderLabs at Trustwave, elaborated on the PoC for Threatpost.
“I show Process Explorer just to illustrate that shared memory is not protected. It is not required to conduct the attack at all,” he said. “The console application just reads the shared memory and thus can access Db2 trace information. It can be modified (the app) to change the Db2 trace as well. Finally, the attacker needs a low-privileged access to the computer where Db2 server is running.”
“This is not the same as having control of the machine. So anyone who can connect to the computer where Db2 server is running can read/change the Db2 trace which is not good: On the contrary, the tracing facility requires special privileges inside the Db2 but the vulnerability allows to bypass that.”
This shared-memory vulnerability is very similar to one found in the Cisco WebEx Meetings Client on Windows in March (CVE-2020-3347), where any user could read memory dedicated to trace data, Trustwave researchers explained. In that case, any malicious local user or malicious process running on a PC where WebEx is installed can monitor the memory mapped file for a login token. Once found, the token, like any leaked credentials, can be transmitted somewhere so that it can be used to login to the WebEx account in question, download recordings, view/edit meetings and so on.
All fix pack levels of IBM Db2 V9.7, V10.1, V10.5, V11.1, and V11.5 editions on all platforms are affected by this latest shared-memory flaw, and users should update to the latest version to fix the issue, the firm said.
“This attack could have been widespread, as all Db2 instances of up-to-current version (11.5) on Windows were affected,” Trustwave researchers noted.