IBM urges infosec pros to patch DB2 for Windows, Cisco urges patches for Webex Meetings

IBM is warning infosec pros of a hijacking vulnerability in its DB2 database on Windows.

In a security bulletin issued Thursday, the company said the issue could allow a locally authenticated attacker to execute arbitrary code on the system. The cause is a DLL search order hijacking vulnerability in the Microsoft Windows client.

“By placing a specially crafted file in a compromised folder, an attacker could exploit this vulnerability to execute arbitrary code on the system,” the bulletin says.

IBM says the issue carries a  Common Vulnerability Scoring System (CVSS) Base score of 7.8.

All fix pack levels of IBM DB2 including V9.7 (which reached end of life in September 2017), V10.1, V10.5, V11.1, and V11.5 editions on Windows are affected.

Customers running any vulnerable fixpack level of an affected version can download a special build containing the interim fix for this issue from IBM Fix Central. These special builds are available based on the most recent fixpack level for each impacted release. There are no workarounds or mitigations.

Johannes Ullrich, dean of research at the SANS Technology Institute, doesn’t consider this issue a big deal. “This is a problem with the DLL search order for the Windows client,” he said in an email. “This type of problem is very common in Windows. As Windows software starts, it may load various libraries (DLLs). To find the right DLL, the software will search a number of different locations. If an attacker can place a malicious DLL in one of these locations, it will be executed instead of the valid code provided by IBM or others.

“To exploit this, an attacker needs to be able to place the file on the victim’s system first (and place it in the right directory). This requires some access to the system. DB2 is only used by a relatively small number of organizations these days (but many of them are high value, like financial and insurance industry). But given how common these DLL search order vulnerabilities are, it is likely that an attacker would use more common software to launch an exploit like this.”

Meanwhile, Cisco has issued patches for its Webex Meetings server and client application to close vulnerabilities that allowed a hacker to listen in to meetings without being detected. A so-called ‘ghost’ attendee could have picked up valuable corporate intelligence.

The vulnerabilities, discovered by IBM researchers, allow a person to have full access to audio, video, chat and screen-sharing without being seen on the participant list. In fact they could stay in a Webex meeting and listen in even after being expelled from a session by maintaining the audio connection.

These vulnerabilities work by exploiting the handshake process that Webex uses to establish a connection between meeting participants, IBM explained. Usually, a client system and a server conduct a handshake process by exchanging ‘join’ messages with information about the attendees, client application, meeting ID, meeting room details and more.

A malicious actor can become a ghost by manipulating these messages during the handshake process between the Webex client application and the Webex server back-end to join or stay in a meeting without being seen by others.

 

Would you recommend this article?

Share

Thanks for taking the time to let us know what you think of this article!
We'd love to hear your opinion about this or any other story you read in our publication.


Jim Love, Chief Content Officer, IT World Canada

Featured Download

Howard Solomon
Howard Solomon
Currently a freelance writer, I'm the former editor of ITWorldCanada.com and Computing Canada. An IT journalist since 1997, I've written for several of ITWC's sister publications including ITBusiness.ca and Computer Dealer News. Before that I was a staff reporter at the Calgary Herald and the Brampton (Ont.) Daily Times. I can be reached at hsolomon [@] soloreporter.com

Featured Articles

Cybersecurity in 2024: Priorities and challenges for Canadian organizations 

By Derek Manky As predictions for 2024 point to the continued expansion...

Survey shows generative AI is a top priority for Canadian corporate leaders.

Leaders are devoting significant budget to generative AI for 2024 Canadian corporate...

Related Tech News

Tech Jobs

Our experienced team of journalists and bloggers bring you engaging in-depth interviews, videos and content targeted to IT professionals and line-of-business executives.

Tech Companies Hiring Right Now