Vulnerabilities > CVE-2013-3475 - Buffer Errors vulnerability in IBM Db2, DB2 Connect and Smart Analytics System 7600
Attack vector
LOCAL Attack complexity
LOW Privileges required
NONE Confidentiality impact
COMPLETE Integrity impact
COMPLETE Availability impact
COMPLETE Summary
Stack-based buffer overflow in db2aud in the Audit Facility in IBM DB2 and DB2 Connect 9.1, 9.5, 9.7, 9.8, and 10.1, as used in Smart Analytics System 7600 and other products, allows local users to gain privileges via unspecified vectors. Per: http://www-01.ibm.com/support/docview.wss?uid=swg21639355 'The following IBM DB2 and DB2 Connect V9.1, V9.5, V9.7 and V10.1 editions running on AIX, Linux, HP and Solaris (this vulnerability is not applicable to DB2 on Windows.).'
Vulnerable Configurations
| Part | Description | Count |
|---|---|---|
| Application | 10 | |
| Hardware | 1 |
Common Weakness Enumeration (CWE)
Common Attack Pattern Enumeration and Classification (CAPEC)
- Buffer Overflow via Environment Variables This attack pattern involves causing a buffer overflow through manipulation of environment variables. Once the attacker finds that they can modify an environment variable, they may try to overflow associated buffers. This attack leverages implicit trust often placed in environment variables.
- Overflow Buffers Buffer Overflow attacks target improper or missing bounds checking on buffer operations, typically triggered by input injected by an attacker. As a consequence, an attacker is able to write past the boundaries of allocated buffer regions in memory, causing a program crash or potentially redirection of execution as per the attackers' choice.
- Client-side Injection-induced Buffer Overflow This type of attack exploits a buffer overflow vulnerability in targeted client software through injection of malicious content from a custom-built hostile service.
- Filter Failure through Buffer Overflow In this attack, the idea is to cause an active filter to fail by causing an oversized transaction. An attacker may try to feed overly long input strings to the program in an attempt to overwhelm the filter (by causing a buffer overflow) and hoping that the filter does not fail securely (i.e. the user input is let into the system unfiltered).
- MIME Conversion An attacker exploits a weakness in the MIME conversion routine to cause a buffer overflow and gain control over the mail server machine. The MIME system is designed to allow various different information formats to be interpreted and sent via e-mail. Attack points exist when data are converted to MIME compatible format and back.
Nessus
NASL family Databases NASL id DB2_101FP3.NASL description According to its version, the installation of IBM DB2 10.1 running on the remote host is affected by the following vulnerabilities : - A stack-based buffer overflow error exists related to input validation in the Audit facility and could lead to privilege escalation and denial of service attacks. Note this issue does not affected installs on the Windows operating system. (CVE-2013-3475 / IC92498) - When a multi-node configuration is used, an error exists in the Fast Communications Manager (FCM) that could allow denial of service attacks. (CVE-2013-4032 / IC94434) - An unspecified error exists that could allow an attacker to gain SELECT, INSERT, UPDATE, or DELETE permissions to database tables. Note that successful exploitation requires the rights EXPLAIN, SQLADM, or DBADM. (CVE-2013-4033 / IC94757) last seen 2020-06-01 modified 2020-06-02 plugin id 70455 published 2013-10-16 reporter This script is Copyright (C) 2013-2018 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/70455 title IBM DB2 10.1 < Fix Pack 3 Multiple Vulnerabilities code # # (C) Tenable Network Security, Inc. # include("compat.inc"); if (description) { script_id(70455); script_version("1.9"); script_cvs_date("Date: 2018/07/06 11:26:06"); script_cve_id("CVE-2013-3475", "CVE-2013-4032", "CVE-2013-4033"); script_bugtraq_id(60255, 62018, 62747); script_name(english:"IBM DB2 10.1 < Fix Pack 3 Multiple Vulnerabilities"); script_summary(english:"Checks DB2 signature."); script_set_attribute( attribute:"synopsis", value:"The remote database server is affected by multiple vulnerabilities." ); script_set_attribute( attribute:"description", value: "According to its version, the installation of IBM DB2 10.1 running on the remote host is affected by the following vulnerabilities : - A stack-based buffer overflow error exists related to input validation in the Audit facility and could lead to privilege escalation and denial of service attacks. Note this issue does not affected installs on the Windows operating system. (CVE-2013-3475 / IC92498) - When a multi-node configuration is used, an error exists in the Fast Communications Manager (FCM) that could allow denial of service attacks. (CVE-2013-4032 / IC94434) - An unspecified error exists that could allow an attacker to gain SELECT, INSERT, UPDATE, or DELETE permissions to database tables. Note that successful exploitation requires the rights EXPLAIN, SQLADM, or DBADM. (CVE-2013-4033 / IC94757)" ); # https://www.ibm.com/blogs/psirt/security-bulletin-ibm-smart-analytics-system-5600-v3-is-affected-by-a-vulnerability-in-the-ibm-db2-fast-communications-manager-cve-2013-4032/ script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?9c3d99f6"); # Fix list script_set_attribute(attribute:"see_also", value:"http://www-01.ibm.com/support/docview.wss?uid=swg21610582"); # Advisory IC92498 script_set_attribute(attribute:"see_also", value:"http://www-01.ibm.com/support/docview.wss?uid=swg21639355"); # Advisory IC94434 script_set_attribute(attribute:"see_also", value:"http://www-01.ibm.com/support/docview.wss?uid=swg21650231"); # Advisory IC94757 script_set_attribute(attribute:"see_also", value:"http://www-01.ibm.com/support/docview.wss?uid=swg21646809"); script_set_attribute(attribute:"solution", value:"Apply IBM DB2 version 10.1 Fix Pack 3 or later."); script_set_cvss_base_vector("CVSS2#AV:L/AC:L/Au:N/C:C/I:C/A:C"); script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C"); script_set_cvss3_base_vector("CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H"); script_set_cvss3_temporal_vector("CVSS:3.0/E:U/RL:O/RC:C"); script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available"); script_set_attribute(attribute:"exploit_available", value:"false"); script_set_attribute(attribute:"vuln_publication_date", value:"2013/09/30"); script_set_attribute(attribute:"patch_publication_date", value:"2013/09/27"); script_set_attribute(attribute:"plugin_publication_date", value:"2013/10/16"); script_set_attribute(attribute:"plugin_type", value:"remote"); script_set_attribute(attribute:"cpe", value:"cpe:/a:ibm:db2"); script_end_attributes(); script_category(ACT_GATHER_INFO); script_family(english:"Databases"); script_copyright(english:"This script is Copyright (C) 2013-2018 and is owned by Tenable, Inc. or an Affiliate thereof."); script_dependencies("db2_das_detect.nasl"); script_require_ports("Services/db2das", 523); exit(0); } include("audit.inc"); include("global_settings.inc"); include("misc_func.inc"); include("db2_report_func.inc"); port = get_service(svc:"db2das", default:523, exit_on_fail:TRUE); level = get_kb_item_or_exit("DB2/" + port + "/Level"); if (level !~ '^10\\.1\\.') exit(0, "The version of IBM DB2 listening on port "+port+" is not 10.1."); platform = get_kb_item_or_exit("DB2/"+port+"/Platform"); platform_name = get_kb_item("DB2/"+port+"/Platform_Name"); if (isnull(platform_name)) { platform_name = platform; report_phrase = "platform " + platform; } else report_phrase = platform_name; vuln = FALSE; # Windows 32-bit/64-bit if (platform == 5 || platform == 23) { fixed_level = '10.1.300.533'; if (ver_compare(ver:level, fix:fixed_level) == -1) vuln = TRUE; } # Others else if ( # Linux, 2.6 kernel 32/64-bit platform == 18 || platform == 30 || # AIX platform == 20 ) { fixed_level = '10.1.0.3'; if (ver_compare(ver:level, fix:fixed_level) == -1) vuln = TRUE; } else { info = 'Nessus does not support version checks against ' + report_phrase + '.\n' + 'To help us better identify vulnerable versions, please send the platform\n' + 'number along with details about the platform, including the operating system\n' + 'version, CPU architecture, and DB2 version to [email protected].\n'; exit(1, info); } if (report) { report_db2( severity : SECURITY_HOLE, port : port, platform_name : platform_name, installed_level : level, fixed_level : fixed_level); } else audit(AUDIT_LISTEN_NOT_VULN, "DB2", port, level);NASL family Databases NASL id DB2_97FP9.NASL description According to its version, the installation of IBM DB2 9.7 running on the remote host is prior to Fix Pack 9. It is, therefore, affected by one or more of the following vulnerabilities : - The included software, GSKit, contains several errors related to SSL and TLS that can result in denial of service, information disclosures, or unauthorized insertion of an arbitrary root Certification Authority certificate. (CVE-2012-2190, CVE-2012-2191, CVE-2012-2203, CVE-2013-0169 / IC90395) - A stack-based buffer overflow exists related to last seen 2020-06-01 modified 2020-06-02 plugin id 71519 published 2013-12-18 reporter This script is Copyright (C) 2013-2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/71519 title IBM DB2 9.7 < Fix Pack 9 Multiple Vulnerabilities code # # (C) Tenable Network Security, Inc. # include("compat.inc"); if (description) { script_id(71519); script_version("1.15"); script_cvs_date("Date: 2019/11/27"); script_cve_id( "CVE-2012-2190", "CVE-2012-2191", "CVE-2012-2203", "CVE-2013-3475", "CVE-2013-4033", "CVE-2013-5466", "CVE-2013-6717" ); script_bugtraq_id( 54743, 55185, 57778, 60255, 62018, 64334, 64336 ); script_name(english:"IBM DB2 9.7 < Fix Pack 9 Multiple Vulnerabilities"); script_summary(english:"Checks the DB2 signature."); script_set_attribute(attribute:"synopsis", value: "The remote database server is affected by multiple vulnerabilities."); script_set_attribute(attribute:"description", value: "According to its version, the installation of IBM DB2 9.7 running on the remote host is prior to Fix Pack 9. It is, therefore, affected by one or more of the following vulnerabilities : - The included software, GSKit, contains several errors related to SSL and TLS that can result in denial of service, information disclosures, or unauthorized insertion of an arbitrary root Certification Authority certificate. (CVE-2012-2190, CVE-2012-2191, CVE-2012-2203, CVE-2013-0169 / IC90395) - A stack-based buffer overflow exists related to 'db2aud' and 'db2flacc' that allows a local attacker to elevate privileges to that of an instance owner. The 'db2aud' issue does not affect installs on the Windows operating system. (CVE-2013-3475 / IC92495) - An unspecified error exists that allows an attacker to gain SELECT, INSERT, UPDATE, or DELETE permissions to database tables. Note that successful exploitation requires the rights EXPLAIN, SQLADM, or DBADM. (CVE-2013-4033 / IC94523) - An error exists related to the XSLT parser that allows a NULL pointer to be dereferenced. (CVE-2013-5466 / IC97470) - An error exists related to queries containing OLAP specifications that allows remote, authenticated attackers to close database connections and deactivate the database. (CVE-2013-6717 / IC95641)"); script_set_attribute(attribute:"see_also", value:"http://www-01.ibm.com/support/docview.wss?uid=swg21450666#9"); script_set_attribute(attribute:"see_also", value:"http://www-01.ibm.com/support/docview.wss?uid=swg24036646"); script_set_attribute(attribute:"solution", value: "Apply IBM DB2 version 9.7 Fix Pack 9 or later."); script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P"); script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C"); script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"); script_set_cvss3_temporal_vector("CVSS:3.0/E:U/RL:O/RC:C"); script_set_attribute(attribute:"cvss_score_source", value:"CVE-2012-2203"); script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available"); script_set_attribute(attribute:"exploit_available", value:"false"); script_set_attribute(attribute:"vuln_publication_date", value:"2012/07/30"); script_set_attribute(attribute:"patch_publication_date", value:"2013/12/13"); script_set_attribute(attribute:"plugin_publication_date", value:"2013/12/18"); script_set_attribute(attribute:"plugin_type", value:"remote"); script_set_attribute(attribute:"cpe", value:"cpe:/a:ibm:db2"); script_end_attributes(); script_category(ACT_GATHER_INFO); script_family(english:"Databases"); script_copyright(english:"This script is Copyright (C) 2013-2019 and is owned by Tenable, Inc. or an Affiliate thereof."); script_dependencies("db2_das_detect.nasl"); script_require_ports("Services/db2das", 523); exit(0); } include("audit.inc"); include("global_settings.inc"); include("misc_func.inc"); include("db2_report_func.inc"); port = get_service(svc:"db2das", default:523, exit_on_fail:TRUE); level = get_kb_item_or_exit("DB2/" + port + "/Level"); if (level !~ "^9\.7\.") exit(0, "The version of IBM DB2 listening on port "+port+" is not 9.7."); platform = get_kb_item_or_exit("DB2/"+port+"/Platform"); platform_name = get_kb_item("DB2/"+port+"/Platform_Name"); if (isnull(platform_name)) { platform_name = platform; report_phrase = "platform " + platform; } else report_phrase = platform_name; vuln = FALSE; # Windows 32-bit/64-bit if (platform == 5 || platform == 23) { fixed_level = '9.7.900.250'; if (ver_compare(ver:level, fix:fixed_level) == -1) vuln = TRUE; } # Others else if ( # Linux, 2.6 kernel 32/64-bit platform == 18 || platform == 30 || # AIX platform == 20 ) { fixed_level = '9.7.0.9'; if (ver_compare(ver:level, fix:fixed_level) == -1) vuln = TRUE; } else { info = 'Nessus does not support version checks against ' + report_phrase + '.\n' + 'To help us better identify vulnerable versions, please send the platform\n' + 'number along with details about the platform, including the operating system\n' + 'version, CPU architecture, and DB2 version to [email protected].\n'; exit(1, info); } if (vuln) { report_db2( severity : SECURITY_HOLE, port : port, platform_name : platform_name, installed_level : level, fixed_level : fixed_level); } else audit(AUDIT_LISTEN_NOT_VULN, "DB2", port, level);
References
- http://secunia.com/advisories/52663
- http://secunia.com/advisories/53704
- http://www.securityfocus.com/bid/60255
- http://www-01.ibm.com/support/docview.wss?uid=swg1IC92463
- http://www-01.ibm.com/support/docview.wss?uid=swg1IC92495
- http://www-01.ibm.com/support/docview.wss?uid=swg1IC92496
- http://www-01.ibm.com/support/docview.wss?uid=swg1IC92498
- http://www-01.ibm.com/support/docview.wss?uid=swg21639194
- http://www-01.ibm.com/support/docview.wss?uid=swg21639355
- https://exchange.xforce.ibmcloud.com/vulnerabilities/84358