Thursday, January 12, 2017

Vulnerability Spotlight: Exploiting the Aerospike Database Server

Vulnerabilities discovered by Talos

Talos is disclosing multiple vulnerabilities discovered in the Aerospike Database Server. These vulnerabilities range from memory disclosure to potential remote code execution. This software is used by various companies that require a high-performance NoSQL database. Aerospike fixed these issues in version 3.11.

The Aerospike Database Server is a distributed, scalable NoSQL database used as a back end for web applications that need a key-value store. With a focus on performance, it is multi-threaded and keeps its indexes entirely in RAM, with the ability to persist data to a solid-state drive or traditional rotational media.

TALOS-2016-0264 (CVE-2016-9050) - Aerospike Database Server Client Message Memory Disclosure Vulnerability
TALOS-2016-0266 (CVE-2016-9052) - Aerospike Database Server Index Name Code Execution Vulnerability
TALOS-2016-0268 (CVE-2016-9054) - Aerospike Database Server Set Name Code Execution Vulnerability


Details

Memory Disclosure Vulnerability

TALOS-2016-0264 is an exploitable out-of-bounds read vulnerability in the client message-parsing functionality of the Aerospike Database Server. By sending a specially crafted packet to the listening port, an attacker can cause an out-of-bounds read, resulting in disclosure of memory within the process. The same vulnerability can also be used to trigger a denial of service.

Code Execution Vulnerabilities

TALOS-2016-0266 is an exploitable stack-based buffer overflow vulnerability in the querying functionality of the Aerospike Database Server. Using a specially crafted packet, an attacker can cause a stack-based buffer overflow in the 'as_sindex__simatch_by_iname' function, resulting in remote code execution. Simply by connecting to the listening port, an attacker can trigger this vulnerability.

TALOS-2016-0268 also impacts the querying functionality of the Aerospike Database Server. Using a specially crafted packet, an attacker can take advantage of an exploitable stack-based buffer overflow in the 'as_sindex__simatch_list_set_binid' function to gain remote code execution. The attacker only needs to connect to the listening port to trigger this vulnerability.
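To make the two bug classes above concrete from the defender's side, the following C example is added here; it is my own illustration, not Aerospike's code and not the Talos proof-of-concept. It parses a hypothetical length-prefixed name field (index name, set name) first in the unchecked shape that produces both an out-of-bounds read (the class of TALOS-2016-0264) and a stack-based buffer overflow (the class of TALOS-2016-0266 and -0268): a client-supplied length drives both how far the server reads from the received buffer and how much it copies into a fixed-size stack buffer. The hardened version adds the two bounds checks that close both paths. The wire layout, NAME_MAX, and every function name are assumptions for this example; Aerospike's real protocol and structures differ.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Fixed-size stack buffer for a name field. The size and the one-byte-length
   wire layout below are assumptions for this example, not Aerospike's own. */
#define NAME_MAX 32

enum parse_status { PARSE_OK = 0, PARSE_TRUNCATED = 1, PARSE_TOO_LONG = 2 };

/* Vulnerable pattern, shown for contrast only (never call it on untrusted data):
   the client-supplied length byte is trusted for both the read from the
   received message and the write into a fixed stack buffer.
   - declared > bytes actually received  -> out-of-bounds read (memory disclosure / crash)
   - declared >= sizeof(name)            -> stack-based buffer overflow */
void parse_name_field_unchecked(const uint8_t *msg, size_t msg_len, char *out_copy) {
    char name[NAME_MAX];
    size_t declared = msg[0];            /* trusted without validation */
    (void)msg_len;                       /* received length is never consulted */
    memcpy(name, msg + 1, declared);     /* both bounds violations happen here */
    name[declared] = '\0';
    strcpy(out_copy, name);
}

/* Hardened parser: the declared length is checked against the bytes received
   (no over-read) and against the destination buffer (no overflow) before copying. */
enum parse_status parse_name_field(const uint8_t *msg, size_t msg_len, char out[NAME_MAX]) {
    if (msg_len < 1)
        return PARSE_TRUNCATED;           /* no length byte at all */
    size_t declared = msg[0];
    if (declared > msg_len - 1)
        return PARSE_TRUNCATED;           /* would read past the received message */
    if (declared >= NAME_MAX)
        return PARSE_TOO_LONG;            /* would overflow the fixed buffer (room for NUL) */
    memcpy(out, msg + 1, declared);
    out[declared] = '\0';
    return PARSE_OK;
}

/* Constructed sample messages exercising the three outcomes. */

/* Well-formed: length 5 followed by exactly 5 bytes. Returns 1 on a correct parse. */
int demo_valid(void) {
    const uint8_t msg[] = { 5, 'i', 'n', 'd', 'e', 'x' };
    char out[NAME_MAX];
    if (parse_name_field(msg, sizeof msg, out) != PARSE_OK) return 0;
    return strcmp(out, "index") == 0;
}

/* Declared length exceeds what was received: the unchecked parser would over-read. */
enum parse_status demo_truncated(void) {
    const uint8_t msg[] = { 10, 'a', 'b' };
    char out[NAME_MAX];
    return parse_name_field(msg, sizeof msg, out);
}

/* Declared length fits the received bytes but not the stack buffer:
   the unchecked parser would overflow. */
enum parse_status demo_too_long(void) {
    uint8_t msg[1 + 200];
    char out[NAME_MAX];
    msg[0] = 200;
    memset(msg + 1, 'A', 200);
    return parse_name_field(msg, sizeof msg, out);
}

int main(void) {
    printf("valid: %d, truncated: %d, too long: %d\n",
           demo_valid(), (int)demo_truncated(), (int)demo_too_long());
    return 0;
}
```

The point for reviewers is that the two checks are independent: validating the length against the received message stops the over-read, and validating it against the destination buffer stops the overflow; a parser that does only one of them is still vulnerable to the other.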

Tested Version

Aerospike Database Server 3.10.0.3

Coverage

Aerospike version 3.11 addresses these issues. The following Snort Rules will detect exploitation attempts. Note that additional rules may be released at a future date and current rules are subject to change pending additional vulnerability information. For the most current rule information, please refer to your FireSIGHT Management Center or Snort.org.

Snort Rules: 41206, 41212, 41216

1 comment:

  1. At the time of post, these issues have been addressed in Aerospike version 3.11.

    As recommended, Aerospike must be run in a secure network with only trusted clients, to ensure data safety.

    These types of conditions can potentially still happen in a trusted network environment, as a result of packet corruption caused by faulty network appliances, bugs in virtualization layers, as well as client library bugs, and as a result destabilize a cluster by crashing the Aerospike daemon. Thus, we do take these message corruptions seriously and routinely fix and disclose them in our release notes: http://www.aerospike.com/download/server/notes.html

