In association with heise online

4 August 2008, 14:39

Security updates for SAP and Ingres databases

iDefense reports that a vulnerability in SAP's MaxDB database can be exploited to elevate privileges on the system hosting it. The report says the dbmsrv application, if run with the command-line tool dbmcli, does not correctly sanitise the PATH environment variable. Use of manipulated PATH variables reportedly enables arbitrary code to be run with SDS privileges. Version 7.6.03.15 under Linux is affected, and other versions may also be vulnerable. According to iDefense, SAP has issued a new version to eliminate the error (SAP note 1178438).

Apparently the Ingres database, which is delivered along with many products from Computer Associates, for example, is similarly defective in checking the PATH variable. It also suffers from a buffer overflow that allows code to be inserted and run with the rights of the database. The verifydb tool also facilitates an attack by means of symbolic links, so that, for example, system files can be manipulated. Ingres 2006 release 2 (9.1.0), Ingres 2006 release 1 (9.0.4) and Ingres 2.6 are affected. The Ingres Service Desk is supplying fixes and recommends that they be applied as quickly as possible.
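The PATH check that both the MaxDB and the Ingres reports describe as missing can be sketched as follows. This is an added example, not code from SAP, Ingres or iDefense; the names `path_is_trustworthy` and `sanitise_search_path`, the `SAFE_PATH` value and the rule that directories must belong to root or the service account are assumptions made for illustration.

```c
#define _POSIX_C_SOURCE 200809L
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>
/* Assumption: the fixed search path a privileged tool falls back to. */
#define SAFE_PATH "/usr/bin:/bin"

/* Return 1 only if every PATH entry is an absolute, existing directory that
 * is not group- or world-writable and is owned by root or by `owner`.
 * Empty entries (meaning "current directory") and relative ones fail. */
int path_is_trustworthy(const char *path, uid_t owner)
{
    char dir[4096];
    if (path == NULL || *path == '\0')
        return 0;
    for (const char *p = path;;) {
        size_t len = strcspn(p, ":");
        struct stat st;
        if (len == 0 || len >= sizeof dir || p[0] != '/')
            return 0;
        memcpy(dir, p, len);
        dir[len] = '\0';
        if (stat(dir, &st) != 0 || !S_ISDIR(st.st_mode) ||
            (st.st_mode & (S_IWGRP | S_IWOTH)) ||
            (st.st_uid != 0 && st.st_uid != owner))
            return 0;
        if (p[len] == '\0')
            return 1;
        p += len + 1;
    }
}

/* Call before any execvp()/system(): returns 1 if the inherited PATH was
 * kept, 0 if it was replaced by SAFE_PATH, -1 if setenv() failed. */
int sanitise_search_path(uid_t owner)
{
    if (path_is_trustworthy(getenv("PATH"), owner))
        return 1;
    return setenv("PATH", SAFE_PATH, 1) == 0 ? 0 : -1;
}

int main(void)
{
    int kept = sanitise_search_path(geteuid());
    printf("PATH %s: %s\n", kept == 1 ? "kept" : "reset", getenv("PATH"));
    return kept < 0;
}
```

The check covers only each PATH directory itself; its parent directories and the helper binaries are assumed to be protected separately.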

(trk)