{"id": "SECURITYVULNS:DOC:17837", "bulletinFamily": "software", "title": "iDefense Security Advisory 08.16.07: IBM DB2 Universal Database Multiple Race Condition Vulnerabilities", "description": "IBM DB2 Universal Database Multiple Race Condition Vulnerabilities\r\n\r\niDefense Security Advisory 08.16.07\r\nhttp://labs.idefense.com/intelligence/vulnerabilities/\r\nAug 16, 2007\r\n\r\nI. BACKGROUND\r\n\r\nIBM Corp.'s DB2 Universal Database product is a large database server\r\nproduct commonly used for high end databases. For more information,\r\nvisit the following URL.\r\n\r\nhttp://ibm.com/db2/\r\n\r\nII. DESCRIPTION\r\n\r\nLocal exploitation of multiple race condition vulnerabilities in IBM\r\nCorp.'s DB2 Universal Database could allow attackers to elevate\r\nprivileges to the superuser.\r\n\r\nThese vulnerabilities are due to insufficient checking being performed\r\nwhile handling files with elevated privileges. In each case, a race\r\ncondition exists between a check to see if an existing file is a\r\nsymbolic link and modifying it. By quickly and repeatedly removing and\r\nrecreating the file as a symbolic link, an attacker could modify\r\narbitrary files with root privileges.\r\n\r\nIII. ANALYSIS\r\n\r\nExploitation allows local attackers to gain root privileges.\r\n\r\nDepending on the specific vulnerability, the attacker may have little or\r\nno control over the contents of data written to the file. In most cases,\r\nthis does not significantly impact exploitation since file permissions\r\nallow the file to be written to by the attacker.\r\n\r\nIV. DETECTION\r\n\r\niDefense confirmed the existence of these vulnerabilities in version 9.1\r\nFix Pack 2 of IBM Corp.'s DB2 Universal Database installed on a Linux\r\nsystem. All prior versions, as well as builds for other UNIX-based\r\noperating systems, are suspected to be vulnerable.\r\n\r\nV. 
WORKAROUND\r\n\r\nSetting more strict permissions on the DB2 instance directory can help\r\nmitigate some of these vulnerabilities. Removing the setuid-bit from\r\nall programs included with DB2 can also help mitigate exposure. Note,\r\nthese configuration changes have not been thoroughly tested and may\r\ncause adverse behavior.\r\n\r\nVI. VENDOR RESPONSE\r\n\r\nIBM Corp. has addressed these vulnerabilities by releasing V9 Fix Pack 3\r\nand version V8 FixPak 15 of its Universal Database product. More\r\ninformation can be found at the following URLs.\r\n\r\nV8: http://www-1.ibm.com/support/docview.wss?uid=swg21256235\r\nV9: http://www-1.ibm.com/support/docview.wss?uid=swg21255572\r\n\r\nVII. CVE INFORMATION\r\n\r\nThe Common Vulnerabilities and Exposures (CVE) project has assigned the\r\nname CVE-2007-4270 to this issue. This is a candidate for inclusion in\r\nthe CVE list (http://cve.mitre.org/), which standardizes names for\r\nsecurity problems.\r\n\r\nVIII. DISCLOSURE TIMELINE\r\n\r\n03/22/2007 Initial vendor notification\r\n03/23/2007 Initial vendor response\r\n08/16/2007 Coordinated public disclosure\r\n\r\nIX. CREDIT\r\n\r\nThese vulnerabilities were discovered by an anonymous researcher and\r\nJoshua J. Drake (iDefense Labs).\r\n\r\nGet paid for vulnerability research\r\nhttp://labs.idefense.com/methodology/vulnerability/vcp.php\r\n\r\nFree tools, research and upcoming events\r\nhttp://labs.idefense.com/\r\n\r\nX. LEGAL NOTICES\r\n\r\nCopyright \u00a9 2007 iDefense, Inc.\r\n\r\nPermission is granted for the redistribution of this alert\r\nelectronically. It may not be edited in any way without the express\r\nwritten consent of iDefense. If you wish to reprint the whole or any\r\npart of this alert in any other medium other than electronically,\r\nplease e-mail customerservice@idefense.com for permission.\r\n\r\nDisclaimer: The information in the advisory is believed to be accurate\r\nat the time of publishing based on currently available information. 
Use\r\nof the information constitutes acceptance for use in an AS IS condition.\r\n There are no warranties with regard to this information. Neither the\r\nauthor nor the publisher accepts any liability for any direct,\r\nindirect, or consequential loss or damage arising from use of, or\r\nreliance on, this information.", "published": "2007-08-18T00:00:00", "modified": "2007-08-18T00:00:00", "cvss": {"score": 6.9, "vector": "AV:LOCAL/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "href": "https://vulners.com/securityvulns/SECURITYVULNS:DOC:17837", "reporter": "Securityvulns", "references": [], "cvelist": ["CVE-2007-4270"], "type": "securityvulns", "lastseen": "2018-08-31T11:10:23", "edition": 1, "viewCount": 39, "enchantments": {"score": {"value": 0.4, "vector": "NONE"}, "dependencies": {}, "backreferences": {"references": [{"type": "cve", "idList": ["CVE-2007-4270"]}, {"type": "nessus", "idList": ["DB2_9FP3.NASL"]}, {"type": "securityvulns", "idList": ["SECURITYVULNS:VULN:8068"]}, {"type": "seebug", "idList": ["SSV:2138"]}]}, "exploitation": null, "vulnersScore": 0.4}, "affectedSoftware": [], "immutableFields": [], "cvss2": {}, "cvss3": {}, "_state": {"dependencies": 1645330218, "score": 1659803227}, "_internal": {"score_hash": "81c6f294a8cddde15ae6bbf887496e3b"}}
{"cve": [{"lastseen": "2022-03-23T12:55:13", "description": "Multiple race conditions in IBM DB2 UDB 8 before Fixpak 15 and 9.1 before Fixpak 3 allow local users to gain root privileges via a symlink attack on certain files.", "cvss3": {}, "published": "2007-08-18T21:17:00", "type": "cve", "title": "CVE-2007-4270", "cwe": ["NVD-CWE-Other"], "bulletinFamily": "NVD", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 3.4, "obtainAllPrivilege": true, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 6.9, "vectorString": "AV:L/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "LOCAL", "authentication": "NONE"}, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2007-4270"], "modified": "2017-07-29T01:32:00", "cpe": ["cpe:/a:ibm:db2_universal_database:9.1", "cpe:/a:ibm:db2_universal_database:8.0"], "id": "CVE-2007-4270", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2007-4270", "cvss": {"score": 6.9, "vector": "AV:L/AC:M/Au:N/C:C/I:C/A:C"}, "cpe23": ["cpe:2.3:a:ibm:db2_universal_database:9.1:*:fp2:*:*:*:*:*", "cpe:2.3:a:ibm:db2_universal_database:8.0:fp14:*:*:*:*:*:*"]}], "securityvulns": [{"lastseen": "2021-06-08T18:52:45", "bulletinFamily": "software", "cvelist": ["CVE-2007-4275", "CVE-2007-4271", "CVE-2007-4270", "CVE-2007-4272", "CVE-2007-4273", "CVE-2007-4276"], "description": "Directory traversal, buffer overflow, shared libraries loaded from insecure locations, files and directories manipulation.", "edition": 2, "modified": "2007-08-18T00:00:00", "published": "2007-08-18T00:00:00", "id": "SECURITYVULNS:VULN:8068", "href": "https://vulners.com/securityvulns/SECURITYVULNS:VULN:8068", "title": "IBM DB2 database multiple security vulnerabilities", "type": "securityvulns", "cvss": {"score": 6.9, "vector": 
"AV:LOCAL/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}], "seebug": [{"lastseen": "2017-11-19T21:59:35", "description": "BUGTRAQ ID: 25339\r\nCVE(CAN) ID: CVE-2007-4270,CVE-2007-4271,CVE-2007-4272,CVE-2007-4273,CVE-2007-4275,CVE-2007-4276\r\n\r\nIBM DB2 is a large commercial relational database system aimed at applications such as e-commerce, business information, content management and customer relationship management; it runs on AIX, HP-UX, Linux, Solaris, Windows and other systems.\r\n\r\nVulnerabilities exist in the implementation of several IBM DB2 tools; a local attacker may exploit these vulnerabilities to elevate their privileges.\r\n\r\nIBM DB2 does not perform sufficient checks when handling files with elevated privileges, resulting in a race condition between checking whether an existing file is a symbolic link and modifying the file. If an attacker can quickly and repeatedly recreate the symbolic link file, they may be able to modify arbitrary files with root privileges.\r\n\r\nSome DB2 binaries installed setuid-root save event information to a log file. When building the full path to the target file, /tmp/ is concatenated with an environment variable. Because the environment variable is not checked for path traversal strings (such as ../), an attacker can use a directory traversal attack to create arbitrary files on the system.\r\n\r\nIBM DB2 does not perform sufficient checks when handling files with elevated privileges; combined with environment variables, an attacker can create or append to arbitrary files on the system.\r\n\r\nSome setuid binaries bundled with DB2 do not create directories securely; when creating a particular directory structure they follow attacker-crafted symbolic links, resulting in fully writable directories being created at arbitrary locations in the file system.\r\n\r\nDB2 may allow binaries to be executed or libraries to be loaded from untrusted paths: the path to the binary or library is built from environment variables controlled by the attacker, and the file to be executed or loaded is also located in a directory controlled by the attacker.\r\n\r\nDB2 does not sufficiently validate the length of user-supplied data; if an attacker specifies a crafted string through certain environment variables, the string may be copied into a fixed-size buffer stored on the stack, triggering a stack overflow and executing arbitrary instructions.\r\n\n\nIBM DB2 Universal Database 9.1\r\nIBM DB2 Universal Database 8.0\n 
The vendor has released an upgrade patch to fix this security issue; download it from the vendor's site:\r\n\r\nhttp://www-1.ibm.com/support/docview.wss?uid=swg1IY88226\r\nhttp://www-1.ibm.com/support/docview.wss?uid=swg1JR25940\r\nhttp://www-1.ibm.com/support/docview.wss?uid=swg21255352\r\nhttp://www-1.ibm.com/support/docview.wss?uid=swg21255607", "published": "2007-08-19T00:00:00", "title": "IBM DB2 Universal Database Multiple Local Security Vulnerabilities", "type": "seebug", "bulletinFamily": "exploit", "cvelist": ["CVE-2007-4270", "CVE-2007-4271", "CVE-2007-4272", "CVE-2007-4273", "CVE-2007-4275", "CVE-2007-4276"], "modified": "2007-08-19T00:00:00", "href": "https://www.seebug.org/vuldb/ssvid-2138", "id": "SSV:2138", "sourceData": "", "cvss": {"score": 6.9, "vector": "AV:LOCAL/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "sourceHref": ""}], "nessus": [{"lastseen": "2022-04-12T15:35:22", "description": "According to its version, the installation of IBM DB2 running on the remote host is affected by one or more of the following issues :\n\n - A local user may be able to overwrite arbitrary files, create arbitrary world-writeable directories, or gain root privileges via symlink attacks or specially crafted environment variables. 
(IY98210 / IY99261)\n\n - A user may be able to continue to execute a method even once privileges for the method have been revoked.\n (IY88226, version 8 only)\n\n - There is an unspecified issue allowing for privilege elevation when DB2 'execs' executables while running as root. (IY98206 / IY98176)\n\n - There is an unspecified vulnerability related to incorrect authorization routines. (JR25940, version 8 only)\n\n - There is an unspecified vulnerability in 'AUTH_LIST_GROUPS_FOR_AUTHID'. (IZ01828, version 9.1 only)\n\n - There is an unspecified vulnerability in the 'db2licm' and 'db2pd' tools. (IY97922 / IY97936)\n\n - There is an unspecified vulnerability involving 'db2licd' and the 'OSSEMEMDBG' and 'TRC_LOG_FILE' environment variables. (IY98011 / IY98101)\n\n - There is a buffer overflow involving the 'DASPROF' environment variable. (IY97346 / IY99311)\n\n - There is an unspecified vulnerability that can arise during instance and FMP startup. (IZ01923 / IZ02067)\n\n - The DB2JDS service may allow for arbitrary code execution without the need for authentication due to a stack overflow in an internal sprintf() call.\n (IY97750, version 8 only)\n\n - The DB2JDS service is affected by two denial of service issues that can be triggered by packets with an invalid LANG parameter or a long packet, which cause the process to terminate (version 8 only).\n\nNote that there is currently insufficient information to determine to what extent the first set of issues overlaps the others.", "cvss3": {"score": 9.8, "vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"}, "published": "2007-08-20T00:00:00", "type": "nessus", "title": "IBM DB2 < 9 Fix Pack 3 / 8 Fix Pack 15 Multiple Vulnerabilities", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2007-2582", "CVE-2007-4270", "CVE-2007-4271", "CVE-2007-4272", "CVE-2007-4273", "CVE-2007-4275", "CVE-2007-4276", "CVE-2007-4417", "CVE-2007-4418", "CVE-2007-4423"], "modified": "2022-04-11T00:00:00", "cpe": 
["cpe:/a:ibm:db2"], "id": "DB2_9FP3.NASL", "href": "https://www.tenable.com/plugins/nessus/25905", "sourceData": "#%NASL_MIN_LEVEL 70300\n#\n# (C) Tenable Network Security, Inc.\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(25905);\n script_version(\"1.35\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2022/04/11\");\n\n script_cve_id(\n \"CVE-2007-2582\",\n \"CVE-2007-4270\",\n \"CVE-2007-4271\",\n \"CVE-2007-4272\",\n \"CVE-2007-4273\",\n \"CVE-2007-4275\",\n \"CVE-2007-4276\",\n \"CVE-2007-4417\",\n \"CVE-2007-4418\",\n \"CVE-2007-4423\"\n );\n script_bugtraq_id(23890, 25339, 26010);\n\n script_name(english:\"IBM DB2 < 9 Fix Pack 3 / 8 Fix Pack 15 Multiple Vulnerabilities\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote database server is affected by multiple vulnerabilities.\");\n script_set_attribute(attribute:\"description\", value:\n\"According to its version, the installation of IBM DB2 running on the\nremote host is affected by one or more of the following issues :\n\n - A local user may be able to overwrite arbitrary files,\n create arbitrary world-writeable directories, or gain\n root privileges via symlink attacks or specially\n crafted environment variables. (IY98210 / IY99261)\n\n - A user may be able to continue to execute a method even \n once privileges for the method have been revoked.\n (IY88226, version 8 only)\n\n - There is an unspecified issue allowing for privilege\n elevation when DB2 'execs' executables while running as \n root. (IY98206 / IY98176)\n\n - There is an unspecified vulnerability related to\n incorrect authorization routines. (JR25940, version 8\n only)\n\n - There is an unspecified vulnerability in \n 'AUTH_LIST_GROUPS_FOR_AUTHID'. (IZ01828, version 9.1 \n only)\n\n - There is an unspecified vulnerability in the 'db2licm'\n and 'db2pd' tools. 
(IY97922 / IY97936)\n\n - There is an unspecified vulnerability involving\n 'db2licd' and the 'OSSEMEMDBG' and 'TRC_LOG_FILE'\n environment variables. (IY98011 / IY98101)\n\n - There is a buffer overflow involving the 'DASPROF'\n environment variable. (IY97346 / IY99311)\n\n - There is an unspecified vulnerability that can arise \n during instance and FMP startup. (IZ01923 / IZ02067)\n\n - The DB2JDS service may allow for arbitrary code\n execution without the need for authentication due to a\n stack overflow in an internal sprintf() call.\n (IY97750, version 8 only)\n\n - The DB2JDS service is affected by two denial of service\n issues that can be triggered by packets with an invalid\n LANG parameter or a long packet, which cause the process\n to terminate (version 8 only).\n\nNote that there is currently insufficient information to determine to\nwhat extent the first set of issues overlaps the others.\");\n script_set_attribute(attribute:\"see_also\", value:\"https://www.trustwave.com/Company/AppSecInc-is-now-Trustwave/\");\n script_set_attribute(attribute:\"see_also\", value:\"https://seclists.org/fulldisclosure/2007/Aug/313\");\n script_set_attribute(attribute:\"see_also\", value:\"https://seclists.org/fulldisclosure/2007/Aug/314\");\n script_set_attribute(attribute:\"see_also\", value:\"https://seclists.org/fulldisclosure/2007/Aug/315\");\n script_set_attribute(attribute:\"see_also\", value:\"https://seclists.org/fulldisclosure/2007/Aug/316\");\n script_set_attribute(attribute:\"see_also\", value:\"https://seclists.org/fulldisclosure/2007/Aug/317\");\n script_set_attribute(attribute:\"see_also\", value:\"https://seclists.org/fulldisclosure/2007/Aug/318\");\n script_set_attribute(attribute:\"see_also\", value:\"https://seclists.org/fulldisclosure/2007/Aug/319\");\n script_set_attribute(attribute:\"see_also\", value:\"https://seclists.org/bugtraq/2007/Oct/153\");\n script_set_attribute(attribute:\"see_also\", 
value:\"https://www-01.ibm.com/support/docview.wss?uid=swg21255607\");\n script_set_attribute(attribute:\"see_also\", value:\"http://www-1.ibm.com/support/docview.wss?uid=swg21255352\");\n script_set_attribute(attribute:\"solution\", value:\n\"Apply IBM DB2 version 9 Fix Pack 3 / 8.1 Fix Pack 15 / 8.2 Fix Pack 8\nor later.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:F/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:F/RL:O/RC:C\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"exploit_framework_canvas\", value:\"true\");\n script_set_attribute(attribute:\"canvas_package\", value:\"CANVAS\");\n script_cwe_id(22, 119, 134);\n\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2007/08/20\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"remote\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:ibm:db2\");\n script_set_attribute(attribute:\"thorough_tests\", value:\"true\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Databases\");\n\n script_copyright(english:\"This script is Copyright (C) 2007-2022 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"db2_das_detect.nasl\");\n script_require_ports(\"Services/db2das\", 523);\n\n exit(0);\n}\n\ninclude(\"global_settings.inc\");\ninclude(\"misc_func.inc\");\ninclude(\"db2_report_func.inc\");\n\nport = get_service(svc:'db2das', default:523, exit_on_fail:TRUE);\n\nlevel = get_kb_item_or_exit(\"DB2/\"+port+\"/Level\");\nif (\n level !~ '^9\\\\.[01]\\\\.' 
&&\n level !~ '^([0-7]\\\\.|8\\\\.[01])'\n) exit(0, \"The version of IBM DB2 listening on port \"+port+\" is not 9.0, 9.1, or less than or equal to 8.1.x and thus is not affected.\");\n\nplatform = get_kb_item_or_exit(\"DB2/\"+port+\"/Platform\");\nplatform_name = get_kb_item(\"DB2/\"+port+\"/Platform_Name\");\nif (isnull(platform_name))\n{\n platform_name = platform;\n report_phrase = \"platform \" + platform;\n}\nelse\n report_phrase = platform_name;\n\nvuln = FALSE;\n# Windows x86\nif (platform == 5)\n{\n if (level =~ '^9\\\\.')\n {\n fixed_level = '9.1.300.257';\n if (ver_compare(ver:level, fix:fixed_level) == -1)\n vuln = TRUE;\n }\n else\n {\n fixed_level = '8.1.15.254';\n if (ver_compare(ver:level, fix:fixed_level) == -1)\n vuln = TRUE;\n }\n}\nelse if (platform == 18)\n{\n if (level =~ '^9\\\\.')\n {\n fixed_level = '9.1.0.3';\n if (ver_compare(ver:level, fix:fixed_level) == -1)\n vuln = TRUE;\n }\n else\n {\n if (level =~ '^8\\\\.1\\\\.0\\\\.') fixed_level = '8.1.0.136';\n else fixed_level = '8.1.2.136';\n\n if (ver_compare(ver:level, fix:fixed_level) == -1)\n vuln = TRUE;\n }\n}\nelse\n{\n info =\n 'Nessus does not support version checks against ' + report_phrase + '.\\n' +\n 'To help us better identify vulnerable versions, please send the platform\\n' +\n 'number along with details about the platform, including the operating system\\n' +\n 'version, CPU architecture, and DB2 version to db2-platform-info@nessus.org.\\n';\n exit(1, info);\n}\n\nif (vuln)\n{\n report_db2(\n severity : SECURITY_HOLE,\n port : port,\n platform_name : platform_name,\n installed_level : level,\n fixed_level : fixed_level);\n}\nelse exit(0, \"IBM DB2 \"+level+\" on \" + report_phrase + \" is listening on port \"+port+\" and is not affected.\");\n", "cvss": {"score": 10, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}]}