Vulnerabilities > CVE-2015-1947 - Local Privilege Escalation vulnerability in IBM Infosphere BigInsights
Attack vector
LOCAL Attack complexity
MEDIUM Privileges required
NONE Confidentiality impact
COMPLETE Integrity impact
COMPLETE Availability impact
COMPLETE Summary
Untrusted search path vulnerability in IBM InfoSphere BigInsights 3.0, 3.0.0.1, 3.0.0.2, and 4.0, when a DB2 database is used, allows local users to gain privileges via a Trojan horse library that is loaded by a setuid or setgid program. <a href="http://cwe.mitre.org/data/definitions/426.html">CWE-426: Untrusted Search Path</a>
Vulnerable Configurations
| Part | Description | Count |
|---|---|---|
| Application | 4 |
Nessus
NASL family Databases NASL id DB2_105FP7_NIX.NASL description According to its version, the installation of IBM DB2 10.5 running on the remote host is prior to Fix Pack 7. It is, therefore, affected by the following vulnerabilities : - A security feature bypass vulnerability, known as FREAK (Factoring attack on RSA-EXPORT Keys), exists due to the support of weak EXPORT_RSA cipher suites with keys less than or equal to 512 bits. A man-in-the-middle attacker may be able to downgrade the SSL/TLS connection to use EXPORT_RSA cipher suites which can be factored in a short amount of time, allowing the attacker to intercept and decrypt the traffic. (CVE-2015-0204) - A denial of service vulnerability exists when processing an ECParameters structure due to an infinite loop that occurs when a specified curve is over a malformed binary polynomial field. A remote attacker can exploit this to perform a denial of service against any system that processes public keys, certificate requests, or certificates. This includes TLS clients and TLS servers with client authentication enabled. (CVE-2015-1788) - A privilege escalation vulnerability exists due to an untrusted search path flaw. A local attacker can exploit this, via a specially crafted library that is loaded by a setuid or setgid process, to gain elevated privileges on the system. (CVE-2015-1947) - A security feature bypass vulnerability exists, known as Bar Mitzvah, due to improper combination of state data with key data by the RC4 cipher algorithm during the initialization phase. A man-in-the-middle attacker can exploit this, via a brute-force attack using LSB values, to decrypt the traffic. (CVE-2015-2808) - A man-in-the-middle vulnerability, known as Logjam, exists due to a flaw in the SSL/TLS protocol. A remote attacker can exploit this flaw to downgrade connections using ephemeral Diffie-Hellman key exchange to 512-bit export-grade cryptography. (CVE-2015-4000) Note that several of these vulnerabilities are due to the bundled GSKit component and the embedded FCM 4.1 libraries. last seen 2020-06-01 modified 2020-06-02 plugin id 87764 published 2016-01-06 reporter This script is Copyright (C) 2016-2018 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/87764 title IBM DB2 10.5 < Fix Pack 7 Multiple Vulnerabilities (Linux) (Bar Mitzvah) (FREAK) (Logjam) code # # (C) Tenable Network Security, Inc. # include("compat.inc"); if (description) { script_id(87764); script_version("1.11"); script_cvs_date("Date: 2018/11/15 20:50:21"); script_cve_id( "CVE-2015-0204", "CVE-2015-1788", "CVE-2015-1947", "CVE-2015-2808", "CVE-2015-4000" ); script_bugtraq_id( 71936, 73684, 74733, 75158, 79693 ); script_xref(name:"CERT", value:"243585"); script_name(english:"IBM DB2 10.5 < Fix Pack 7 Multiple Vulnerabilities (Linux) (Bar Mitzvah) (FREAK) (Logjam)"); script_summary(english:"Checks the DB2 signature."); script_set_attribute(attribute:"synopsis", value: "The remote database server is affected by multiple vulnerabilities."); script_set_attribute(attribute:"description", value: "According to its version, the installation of IBM DB2 10.5 running on the remote host is prior to Fix Pack 7. It is, therefore, affected by the following vulnerabilities : - A security feature bypass vulnerability, known as FREAK (Factoring attack on RSA-EXPORT Keys), exists due to the support of weak EXPORT_RSA cipher suites with keys less than or equal to 512 bits. A man-in-the-middle attacker may be able to downgrade the SSL/TLS connection to use EXPORT_RSA cipher suites which can be factored in a short amount of time, allowing the attacker to intercept and decrypt the traffic. (CVE-2015-0204) - A denial of service vulnerability exists when processing an ECParameters structure due to an infinite loop that occurs when a specified curve is over a malformed binary polynomial field. A remote attacker can exploit this to perform a denial of service against any system that processes public keys, certificate requests, or certificates. This includes TLS clients and TLS servers with client authentication enabled. (CVE-2015-1788) - A privilege escalation vulnerability exists due to an untrusted search path flaw. A local attacker can exploit this, via a specially crafted library that is loaded by a setuid or setgid process, to gain elevated privileges on the system. (CVE-2015-1947) - A security feature bypass vulnerability exists, known as Bar Mitzvah, due to improper combination of state data with key data by the RC4 cipher algorithm during the initialization phase. A man-in-the-middle attacker can exploit this, via a brute-force attack using LSB values, to decrypt the traffic. (CVE-2015-2808) - A man-in-the-middle vulnerability, known as Logjam, exists due to a flaw in the SSL/TLS protocol. A remote attacker can exploit this flaw to downgrade connections using ephemeral Diffie-Hellman key exchange to 512-bit export-grade cryptography. (CVE-2015-4000) Note that several of these vulnerabilities are due to the bundled GSKit component and the embedded FCM 4.1 libraries."); script_set_attribute(attribute:"see_also", value:"https://www-01.ibm.com/support/docview.wss?uid=swg21647054#7"); script_set_attribute(attribute:"see_also", value:"https://www-01.ibm.com/support/docview.wss?uid=swg1IT07394"); script_set_attribute(attribute:"see_also", value:"https://www-01.ibm.com/support/docview.wss?uid=swg1IT08753"); script_set_attribute(attribute:"see_also", value:"https://www-01.ibm.com/support/docview.wss?uid=swg1IT09900"); script_set_attribute(attribute:"see_also", value:"https://www-01.ibm.com/support/docview.wss?uid=swg1IT09964"); script_set_attribute(attribute:"see_also", value:"https://www-01.ibm.com/support/docview.wss?uid=swg1IT09969"); # https://www.blackhat.com/docs/asia-15/materials/asia-15-Mantin-Bar-Mitzvah-Attack-Breaking-SSL-With-13-Year-Old-RC4-Weakness-wp.pdf script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?4bbf45ac"); script_set_attribute(attribute:"see_also", value:"https://www.smacktls.com/#freak"); script_set_attribute(attribute:"see_also", value:"https://weakdh.org/"); script_set_attribute(attribute:"solution", value: "Apply IBM DB2 version 10.5 Fix Pack 7 or later."); script_set_cvss_base_vector("CVSS2#AV:L/AC:M/Au:N/C:C/I:C/A:C"); script_set_cvss_temporal_vector("CVSS2#E:U/RL:TF/RC:C"); script_set_cvss3_base_vector("CVSS:3.0/AV:L/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H"); script_set_cvss3_temporal_vector("CVSS:3.0/E:U/RL:T/RC:C"); script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available"); script_set_attribute(attribute:"exploit_available", value:"false"); script_set_attribute(attribute:"vuln_publication_date", value:"2015/01/06"); script_set_attribute(attribute:"patch_publication_date", value:"2016/12/30"); script_set_attribute(attribute:"plugin_publication_date", value:"2016/01/06"); script_set_attribute(attribute:"plugin_type", value:"local"); script_set_attribute(attribute:"cpe", value:"cpe:/a:ibm:db2"); script_set_attribute(attribute:"in_the_news", value:"true"); script_end_attributes(); script_category(ACT_GATHER_INFO); script_family(english:"Databases"); script_copyright(english:"This script is Copyright (C) 2016-2018 and is owned by Tenable, Inc. or an Affiliate thereof."); script_dependencies("db2_installed.nbin"); script_require_keys("installed_sw/DB2 Server"); exit(0); } include("audit.inc"); include("global_settings.inc"); include("misc_func.inc"); include("install_func.inc"); include("db2_report_func.inc"); app_name = "DB2 Server"; install = get_single_install(app_name:app_name); version = install['version']; path = install['path']; port = 0; # DB2 has an optional OpenSSH server that will run on # windows. We need to exit out if we picked up the windows # installation that way. if ("windows" >< tolower(install['platform'])) audit(AUDIT_HOST_NOT, "Linux based operating system"); fixed = "10.5.0.7"; if (version =~ "^10\.5\." && ver_compare(ver:version, fix:fixed, strict:FALSE) < 0) { report_db2( severity : SECURITY_WARNING, port : port, installed_level : version, product : app_name, path : path, fixed_level : fixed); } else audit(AUDIT_INST_PATH_NOT_VULN, app_name, version, path);NASL family Windows NASL id DB2_105FP7_WIN.NASL description According to its version, the installation of IBM DB2 10.5 running on the remote host is prior to Fix Pack 7. It is, therefore, affected by the following vulnerabilities : - A security feature bypass vulnerability, known as FREAK (Factoring attack on RSA-EXPORT Keys), exists due to the support of weak EXPORT_RSA cipher suites with keys less than or equal to 512 bits. A man-in-the-middle attacker may be able to downgrade the SSL/TLS connection to use EXPORT_RSA cipher suites which can be factored in a short amount of time, allowing the attacker to intercept and decrypt the traffic. (CVE-2015-0204) - A denial of service vulnerability exists when processing an ECParameters structure due to an infinite loop that occurs when a specified curve is over a malformed binary polynomial field. A remote attacker can exploit this to perform a denial of service against any system that processes public keys, certificate requests, or certificates. This includes TLS clients and TLS servers with client authentication enabled. (CVE-2015-1788) - A privilege escalation vulnerability exists due to an untrusted search path flaw. A local attacker can exploit this, via a specially crafted library that is loaded by a setuid or setgid process, to gain elevated privileges on the system. (CVE-2015-1947) - A security feature bypass vulnerability exists, known as Bar Mitzvah, due to improper combination of state data with key data by the RC4 cipher algorithm during the initialization phase. A man-in-the-middle attacker can exploit this, via a brute-force attack using LSB values, to decrypt the traffic. (CVE-2015-2808) - A man-in-the-middle vulnerability, known as Logjam, exists due to a flaw in the SSL/TLS protocol. A remote attacker can exploit this flaw to downgrade connections using ephemeral Diffie-Hellman key exchange to 512-bit export-grade cryptography. (CVE-2015-4000) Note that several of these vulnerabilities are due to the bundled GSKit component and the embedded FCM 4.1 libraries. last seen 2020-06-01 modified 2020-06-02 plugin id 87765 published 2016-01-06 reporter This script is Copyright (C) 2016-2018 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/87765 title IBM DB2 10.5 < Fix Pack 7 Multiple Vulnerabilities (Bar Mitzvah) (FREAK) (Logjam)