IBM is warning infosec pros of a hijacking vulnerability in its DB2 database on Windows.
In a security bulletin issued Thursday, the company said the issue could allow a locally authenticated attacker to execute arbitrary code on the system. The cause is a DLL search order hijacking vulnerability in the Microsoft Windows client.
“By placing a specially crafted file in a compromised folder, an attacker could exploit this vulnerability to execute arbitrary code on the system,” the bulletin says.
IBM says the issue carries a Common Vulnerability Scoring System (CVSS) Base score of 7.8.
All fix pack levels of IBM DB2 including V9.7 (which reached end of life in September 2017), V10.1, V10.5, V11.1, and V11.5 editions on Windows are affected.
Customers running any vulnerable fix pack level of an affected version can download a special build containing the interim fix for this issue from IBM Fix Central. These special builds are available based on the most recent fix pack level for each impacted release. There are no workarounds or mitigations.
Johannes Ullrich, dean of research at the SANS Technology Institute, doesn’t consider this issue a big deal. “This is a problem with the DLL search order for the Windows client,” he said in an email. “This type of problem is very common in Windows. As Windows software starts, it may load various libraries (DLLs). To find the right DLL, the software will search a number of different locations. If an attacker can place a malicious DLL in one of these locations, it will be executed instead of the valid code provided by IBM or others.
“To exploit this, an attacker needs to be able to place the file on the victim’s system first (and place it in the right directory). This requires some access to the system. DB2 is only used by a relatively small number of organizations these days (but many of them are high value, like the financial and insurance industries). But given how common these DLL search order vulnerabilities are, it is likely that an attacker would use more common software to launch an exploit like this.”
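The "right directory" Ullrich refers to is any location the Windows loader consults before the one holding the legitimate DLL. The following audit helper is an added example written for this page (not IBM's, SANS's or Microsoft's code): it reproduces the documented search order, in both the default SafeDllSearchMode and the legacy order, and flags the directories an unprivileged user can write to ahead of the real DLL. It assumes the simplified documented order (KnownDLLs, manifest redirection and altered-search-path flags ignored); any paths and writability sets are supplied by the caller.

```python
"""Audit the Windows DLL search order: which directories does the loader check
before the one holding the legitimate DLL, and which of those can an
unprivileged user write to? Those are the findings to remediate."""
import tempfile
from typing import Callable, Iterable, List, Optional

def _norm(p: str) -> str:
    # Windows paths are case-insensitive and trailing separators do not matter.
    return p.replace("/", "\\").rstrip("\\").lower()

def dll_search_order(app_dir: str, cwd: str, system_dir: str, windows_dir: str,
                     path_entries: Iterable[str],
                     safe_search_mode: bool = True) -> List[str]:
    """Directories LoadLibrary consults for an unqualified DLL name, in order.
    Simplified: KnownDLLs, manifest redirection and LOAD_WITH_ALTERED_SEARCH_PATH
    are ignored; the 16-bit system directory is folded into system_dir."""
    if safe_search_mode:  # Windows default: the current directory is searched late
        order = [app_dir, system_dir, windows_dir, cwd]
    else:                 # legacy order: the current directory comes right after app_dir
        order = [app_dir, cwd, system_dir, windows_dir]
    seen, result = set(), []
    for d in order + list(path_entries):  # PATH usually repeats System32; keep first hit
        if _norm(d) not in seen:
            seen.add(_norm(d))
            result.append(d)
    return result

def hijackable_dirs(legit_dir: Optional[str], search_order: List[str],
                    is_writable: Callable[[str], bool]) -> List[str]:
    """Writable directories the loader consults *before* it reaches legit_dir.
    legit_dir=None models a DLL that exists nowhere (a 'phantom' import), so
    every writable directory in the order is a candidate."""
    findings = []
    for d in search_order:
        if legit_dir is not None and _norm(d) == _norm(legit_dir):
            break  # the real DLL is found here; later directories are never consulted
        if is_writable(d):
            findings.append(d)
    return findings

def can_create_file(d: str) -> bool:
    """Real-host writability probe: try to create (and auto-delete) a temp file.
    Unlike os.access(), this honours NTFS ACLs because it actually writes."""
    try:
        with tempfile.NamedTemporaryFile(dir=d):
            return True
    except OSError:
        return False
```

On a live host, pass `can_create_file` as the probe; each directory reported is either an ACL to tighten or a library load to convert to a full, qualified path.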
Meanwhile, Cisco has issued patches for its Webex Meetings server and client application to close vulnerabilities that allowed a hacker to listen in to meetings without being detected. A so-called ‘ghost’ attendee could have picked up valuable corporate intelligence.
The vulnerabilities, discovered by IBM researchers, allow a person to have full access to audio, video, chat and screen-sharing without being seen on the participant list. In fact, they could stay in a Webex meeting and listen in even after being expelled from a session by maintaining the audio connection.
These vulnerabilities work by exploiting the handshake process that Webex uses to establish a connection between meeting participants, IBM explained. Usually, a client system and a server conduct a handshake process by exchanging ‘join’ messages with information about the attendees, client application, meeting ID, meeting room details and more.
A malicious actor can become a ghost by manipulating these messages during the handshake process between the Webex client application and the Webex server back-end to join or stay in a meeting without being seen by others.