Vulnerabilities > CVE-2011-4061 - Unspecified vulnerability in IBM DB2 and Tivoli Monitoring FOR Databases

CVSS 6.9 - MEDIUM

Attack vector

LOCAL

Attack complexity

MEDIUM

Privileges required

NONE

Confidentiality impact

COMPLETE

Integrity impact

COMPLETE

Availability impact

COMPLETE

local

ibm

nessus

NVD

Published: 2011-10-18

Updated: 2018-10-11

Summary

Multiple untrusted search path vulnerabilities in (1) db2rspgn and (2) kbbacf1 in IBM DB2 Express Edition 9.7, as used in the IBM Tivoli Monitoring for Databases: DB2 Agent, allow local users to gain privileges via a Trojan horse libkbb.so in the current working directory, related to the DT_RPATH ELF header. Per: http://cwe.mitre.org/data/definitions/426.html 'CWE-426: Untrusted Search Path'

Vulnerable Configurations

Part	Description	Count
Application	Ibm IBM DB2 9.7 IBM Tivoli Monitoring FOR Databases *	2

Nessus

NASL family	Databases
NASL id	DB2_97FP6.NASL
description	According to its version, the installation of DB2 9.7 running on the remote host is prior to Fix Pack 6. It is, therefore, affected by multiple vulnerabilities : - A local user can exploit a vulnerability in the bundled IBM Tivoli Monitoring Agent (ITMA) to escalate their privileges. (CVE-2011-4061) - An authorized user with
last seen	2020-06-01
modified	2020-06-02
plugin id	59904
published	2012-07-10
reporter	This script is Copyright (C) 2012-2018 and is owned by Tenable, Inc. or an Affiliate thereof.
source	https://www.tenable.com/plugins/nessus/59904
title	IBM DB2 9.7 < Fix Pack 6 Multiple Vulnerabilities
code	# # (C) Tenable Network Security, Inc. # include("compat.inc"); if (description) { script_id(59904); script_version("1.13"); script_cvs_date("Date: 2018/07/06 11:26:06"); script_cve_id( "CVE-2011-4061", "CVE-2012-0709", "CVE-2012-0711", "CVE-2012-0712", "CVE-2012-0713", "CVE-2012-2180" ); script_bugtraq_id(51181, 52326, 53873); script_name(english:"IBM DB2 9.7 < Fix Pack 6 Multiple Vulnerabilities"); script_summary(english:"Checks DB2 signature."); script_set_attribute(attribute:"synopsis", value: "The remote database server is affected by multiple vulnerabilities."); script_set_attribute(attribute:"description", value: "According to its version, the installation of DB2 9.7 running on the remote host is prior to Fix Pack 6. It is, therefore, affected by multiple vulnerabilities : - A local user can exploit a vulnerability in the bundled IBM Tivoli Monitoring Agent (ITMA) to escalate their privileges. (CVE-2011-4061) - An authorized user with 'CONNECT' and 'CREATEIN' privileges on a database can perform unauthorized reads on tables. (CVE-2012-0709) - An unspecified error in the DB2 Administration Server (DAS) can allow remote privilege escalation or denial of service via unspecified vectors. Note that this issue does not affect Windows hosts. (CVE-2012-0711) - An authorized user with 'CONNECT' privileges from 'PUBLIC' can cause a denial of service via unspecified methods related to DB2's XML feature. (CVE-2012-0712) - An unspecified information disclosure error exists related to the XML feature that can allow improper access to arbitrary XML files. (CVE-2012-0713) - An error exists related to the Distributed Relational Database Architecture (DRDA) that can allow denial of service conditions when processing certain request. (CVE-2012-2180)"); script_set_attribute(attribute:"see_also", value:"http://www-01.ibm.com/support/docview.wss?uid=swg1IC79274"); script_set_attribute(attribute:"see_also", value:"http://www-01.ibm.com/support/docview.wss?uid=swg1IC80729"); script_set_attribute(attribute:"see_also", value:"http://www-01.ibm.com/support/docview.wss?uid=swg1IC81380"); script_set_attribute(attribute:"see_also", value:"http://www-01.ibm.com/support/docview.wss?uid=swg1IC81390"); script_set_attribute(attribute:"see_also", value:"http://www-01.ibm.com/support/docview.wss?uid=swg1IC81462"); script_set_attribute(attribute:"see_also", value:"http://www-01.ibm.com/support/docview.wss?uid=swg1IC82234"); script_set_attribute(attribute:"see_also", value:"http://www-01.ibm.com/support/docview.wss?uid=swg21450666"); script_set_attribute(attribute:"solution", value:"Apply IBM DB2 version 9.7 Fix Pack 6 or later."); script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P"); script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C"); script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L"); script_set_cvss3_temporal_vector("CVSS:3.0/E:U/RL:O/RC:C"); script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available"); script_set_attribute(attribute:"exploit_available", value:"false"); script_set_attribute(attribute:"vuln_publication_date", value:"2011/06/29"); script_set_attribute(attribute:"patch_publication_date", value:"2012/05/31"); script_set_attribute(attribute:"plugin_publication_date", value:"2012/07/10"); script_set_attribute(attribute:"cpe", value:"cpe:/a:ibm:db2"); script_set_attribute(attribute:"plugin_type", value:"remote"); script_end_attributes(); script_category(ACT_GATHER_INFO); script_family(english:"Databases"); script_copyright(english:"This script is Copyright (C) 2012-2018 and is owned by Tenable, Inc. or an Affiliate thereof."); script_dependencies("db2_das_detect.nasl"); script_require_ports("Services/db2das", 523); exit(0); } include("global_settings.inc"); include("audit.inc"); include("misc_func.inc"); include("db2_report_func.inc"); port = get_service(svc:"db2das", default:523, exit_on_fail:TRUE); level = get_kb_item_or_exit("DB2/"+port+"/Level"); if (level !~ "^9\.7\.") exit(0, "The version of IBM DB2 listening on port "+port+" is not 9.7."); platform = get_kb_item_or_exit("DB2/"+port+"/Platform"); platform_name = get_kb_item("DB2/"+port+"/Platform_Name"); if (isnull(platform_name)) { platform_name = platform; report_phrase = "platform " + platform; } else report_phrase = platform_name; vuln = FALSE; # Windows 32-bit/64-bit if (platform == 5 \|\| platform == 23) { fixed_level = '9.7.600.413'; if (ver_compare(ver:level, fix:fixed_level) == -1) vuln = TRUE; } # Others else if ( # Linux, 2.6 kernel 32/64-bit platform == 18 \|\| platform == 30 \|\| # AIX platform == 20 ) { fixed_level = '9.7.0.6'; if (ver_compare(ver:level, fix:fixed_level) == -1) vuln = TRUE; } else { info = 'Nessus does not support version checks against ' + report_phrase + '.\n' + 'To help us better identify vulnerable versions, please send the platform\n' + 'number along with details about the platform, including the operating system\n' + 'version, CPU architecture, and DB2 version to [email protected].\n'; exit(1, info); } if (vuln) { report_db2( severity : SECURITY_HOLE, port : port, platform_name : platform_name, installed_level : level, fixed_level : fixed_level); } else audit(AUDIT_LISTEN_NOT_VULN, "DB2", port, level);

Oval

accepted

2013-07-29T04:00:07.792-04:00

class

vulnerability

contributors

name Scott Quint
organization DTCC
name Maria Kedovskaya
organization ALTX-SOFT

definition_extensions

comment	IBM DB2 UDB is installed
oval	oval:org.mitre.oval:def:12505

description

family

windows

oval:org.mitre.oval:def:14063

status

accepted

submitted

2011-12-16T09:52:00.000-05:00

title

version

Seebug

bulletinFamily	exploit
description	Bugtraq ID: 51181 CVE ID：CVE-2011-4061 IBM DB2 Universal Database Server是一款大型的商业关系数据库系统 IBM DB2/IBM DB2 Connect存在安全漏洞，允许恶意本地用户提升特权 Tivoli监视代理(ITMA)绑定的SUID "tmaitm6/lx8266/bin/kbbacf1"可执行文件不安全使用DT_RPATH来装载libkbb.so库，本地攻击者可以利用此漏洞诱使目标用户在特制库所在目录运行应用程序，可装载任意库提升权限 0 DB2 Connect 9.x IBM DB2 9.x 厂商解决方案用户可参考如下供应商提供的安全公告获得补丁信息： http://www.ibm.com/support/docview.wss?uid=swg21576372
id	SSV:26133
last seen	2017-11-19
modified	2011-12-30
published	2011-12-30
reporter	Root
title	IBM DB2 / DB2 Connect Tivoli监视代理DT_RPATH特权提升漏洞

Summary

Vulnerable Configurations

Nessus

Oval

Seebug

References