Security experts have discovered two new vulnerabilities in IBMs DB2 database software, both of which allow an attacker to gain root privileges on vulnerable servers.
The weaknesses are potentially quite dangerous, considering that DB2 is one of the most popular enterprise databases, especially for e-business applications. However, the flaws can only be exploited by local users, so the risk is mitigated somewhat.
The vulnerabilities lie in two binaries that ship by default with DB2: db2licm and db2dart. The former is the license management tool for the database and is used by administrators to install license keys and set license policies. The latter is a consistency and error-checking tool that can be used to identify and mark incorrect data.
Both flaws are stack-based buffer overruns and can be triggered by sending long command-line arguments to the vulnerable binaries. Once a local user executes the attack, he would have root privileges on the machine, giving him the ability to run any code he chooses.
“These are classic stack-based buffer overruns and are not too difficult to exploit,” said Ivan Arce, CTO of Core Security Technologies Inc., the Boston-based penetration testing company that discovered the vulnerabilities.
The weaknesses are known to affect version 7.2 of DB2 on Linux systems running on either x86 or S/390 architectures. Its possible that the vulnerabilities might also affect DB2 implementations on other Unix-based systems, Arce said, but Core Security has yet to test any other systems.
IBM has developed packages to fix both flaws, which will be available for download shortly. FixPak 10 repairs the flaw in db2dart and 10a addresses the problem in db2licm. FixPak 10 is currently available on the main DB2 Technical Support page on IBMs site. However, 10a is only posted on an FTP site right now, but should be posted on the FixPak page soon.
Core Security has developed some sample code for these vulnerabilities, which can be used to confirm whether a system is at risk. The code is contained in the companys advisory on this issue, which will be posted on its Web site Thursday.
Discuss this in the eWeek forum.