Tuesday, February 21, 2017

Vulnerability Spotlight: Multiple Vulnerabilities in the Aerospike NoSQL Database Server

Vulnerabilities discovered by Talos

Talos is releasing multiple vulnerabilities discovered in the Aerospike Database Server. These vulnerabilities range from Denial of Service to potential remote code execution. This software is used by various companies that require a high-performance NoSQL database. These issues have been addressed in version 3.11.1.1 of the Aerospike Database software.

The Aerospike Database Server is a distributed, scalable NoSQL database used as a back-end for scalable web applications that need a key-value store. With a focus on performance, it is multi-threaded and retains its indexes entirely in RAM, with the ability to persist data to a solid-state drive or traditional rotational media.

TALOS-2016-0263 (CVE-2016-9049) - Aerospike Database Server Fabric_Worker Socket-Loop Denial-of-Service Vulnerability
TALOS-2016-0265 (CVE-2016-9051) - Aerospike Database Server Client Batch Request Code Execution Vulnerability
TALOS-2016-0267 (CVE-2016-9053) - Aerospike Database Server RW Fabric Message Particle Type Code Execution Vulnerability


Details


Denial-of-Service Vulnerability


TALOS-2016-0263 is a DoS vulnerability that exists in the fabric-worker component of the Aerospike Database Server. A specially crafted packet can cause the server process to dereference a null pointer. An attacker can simply connect to a TCP port in order to trigger this vulnerability.

Code Execution Vulnerabilities


TALOS-2016-0265 impacts the batch transaction field parsing functionality of the Aerospike Database Server. Utilizing a specially crafted packet, an attacker can exploit an out-of-bounds write which causes memory corruption that can lead to remote code execution. The attacker simply needs to connect to the listening port and send the crafted packet to trigger this vulnerability.

TALOS-2016-0267 relates to an out-of-bounds indexing vulnerability in the RW fabric message particle type of the Aerospike Database Server. A specially crafted packet can cause the server to fetch a function table outside the bounds of an array, which can result in remote code execution. An attacker can trigger this vulnerability simply by connecting to the listening port.
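The bug class described for TALOS-2016-0267, shown as an added illustration that is not Aerospike's code and not part of the original advisory: a type byte taken from a network message indexes a table of function pointers, first without and then with validation. All names, type values and handlers here are hypothetical.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Hypothetical particle types; not Aerospike's actual definitions. */
enum { PT_NULL = 0, PT_INTEGER = 1, PT_STRING = 3, PT_MAX = 4 };

typedef int (*particle_size_fn)(const uint8_t *buf, size_t len);

static int size_null(const uint8_t *buf, size_t len)    { (void)buf; (void)len; return 0; }
static int size_integer(const uint8_t *buf, size_t len) { (void)buf; return len >= 8 ? 8 : -1; }
static int size_string(const uint8_t *buf, size_t len)  { (void)buf; return (int)len; }

/* Slot 2 is deliberately unassigned, so the table contains a NULL hole. */
static const particle_size_fn particle_table[PT_MAX] = {
    [PT_NULL]    = size_null,
    [PT_INTEGER] = size_integer,
    [PT_STRING]  = size_string,
};

/* Unsafe pattern: the wire-supplied type indexes the table directly, so any
 * value >= PT_MAX loads a "function pointer" from memory past the array. */
int particle_size_unchecked(uint8_t type, const uint8_t *buf, size_t len)
{
    return particle_table[type](buf, len);
}

/* Hardened form: reject out-of-range types and unassigned slots before
 * the indirect call, and treat the message as malformed. */
int particle_size_checked(uint8_t type, const uint8_t *buf, size_t len)
{
    if (type >= PT_MAX || particle_table[type] == NULL)
        return -1;
    return particle_table[type](buf, len);
}

int main(void)
{
    const uint8_t payload[8] = {0}; /* constructed sample payload */
    const uint8_t types[] = {1, 2, 200}; /* valid, unassigned, out of range */
    for (size_t i = 0; i < sizeof types; i++)
        printf("type %u -> %d\n", (unsigned)types[i],
               particle_size_checked(types[i], payload, sizeof payload));
    return 0;
}
```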

Tested Version


Aerospike Database Server 3.10.0.3

Coverage


The following Snort Rules will detect exploitation attempts. Note that additional rules may be released at a future date and current rules are subject to change pending additional vulnerability information. For the most current rule information, please refer to your FireSIGHT Management Center or Snort.org.


Snort Rules: 41209, 41213 & 41219
