Privilege elevation with IBM's DB2
Security service provider iDefense has reported multiple vulnerabilities in IBM's DB2 database server. Local users can exploit the vulnerabilities to gain system administrator privileges. IBM has provided fix packs to eliminate the vulnerabilities reported by iDefense as well as additional faults.
DB2 relies on operating system path variables to search for and load executable files and libraries. These variables can, however, be changed by a local attacker, so that an attacker-controlled directory gets searched first. Similar vulnerabilities allow the creation of files and directories with elevated privileges. Some of the server's executables that run with setuid root don't properly validate the environment variable of the temporary directory in which they create their log files. This enables attackers to perform a directory traversal attack by injecting ../ entries. Furthermore local users can exploit a race condition to modify a symbolic link in the file system and therefore gain access privileges to files with root privileges.
The provided fix packs also remedy other vulnerabilities. These allow users of the DB2 Version 8, for instance, to execute methods even when they have had their privileges revoked, until the cached authorisations have been deleted. The summaries for the fix packs list all of the eliminated vulnerabilities. The vulnerabilities affect IBM's DB2 in the versions 8 and 9. IBM provides fix pack 15 for DB2 8 and fix pack 3 for DB2 9, which eliminate the vulnerabilities. DB2 server administrators should install the fix packs and restrict database server access to trustworthy users.
- IBM DB2 Universal Database Multiple Race Condition Vulnerabilities, security advisory from iDefense
- IBM DB2 Universal Database Directory Traversal Vulnerability, security advisory from iDefense
- IBM DB2 Universal Database Multiple File Creation Vulnerabilities, security advisory from iDefense
- IBM DB2 Universal Database Directory Creation Vulnerability, security advisory from iDefense
- IBM DB2 Universal Database Multiple Untrusted Search Path Vulnerabilities, security advisory from iDefense
- IBM DB2 Universal Database buildDasPaths Buffer Overflow Vulnerability, security advisory from iDefense
- EXECUTE AUTHORITY ON A METHOD MAY PERSIST AFTER REVOKE, security advisory from IBM
- Overview of the changes in Fix Pack 15 for DB2 Version 8
- Overview of the changes in Fix Pack 3 for DB2 Version 9
- Download of the fix pack 15 for IBM DB2 v8
- Download of the fix pack 3 for IBM DB2 v9