Vulnerabilities discovered by Talos

Talos is disclosing multiple vulnerabilities discovered in the Aerospike Database Server. These vulnerabilities range from memory disclosure to potential remote code execution. This software is used by various companies that require a high-performance NoSQL database. Aerospike fixed these issues in version 3.11.

The Aerospike Database Server is a distributed, scalable NoSQL database used as a back-end for scalable web applications that need a key-value store. With a focus on performance, it is multi-threaded and retains its indexes entirely in RAM, with the ability to persist data to a solid-state drive or traditional rotational media.

TALOS-2016-0264 (CVE-2016-9050) - Aerospike Database Server Client Message Memory Disclosure Vulnerability

TALOS-2016-0266 (CVE-2016-9052) - Aerospike Database Server Index Name Code Execution Vulnerability

TALOS-2016-0268 (CVE-2016-9054) - Aerospike Database Server Set Name Code Execution Vulnerability

Details

Memory Disclosure Vulnerability

TALOS-2016-0264 is an exploitable out-of-bounds read vulnerability in the client message-parsing functionality of the Aerospike Database Server. By sending a specially crafted packet to the listening port, an attacker can cause an out-of-bounds read that discloses memory within the process. This same vulnerability can also be used to trigger a denial-of-service.

Code Execution Vulnerabilities

TALOS-2016-0266 is an exploitable stack-based buffer overflow vulnerability in the querying functionality of the Aerospike Database Server. Using a specially crafted packet, an attacker can cause a stack-based buffer overflow in the 'as_sindex__simatch_by_iname' function, resulting in remote code execution. The attacker only needs to connect to the listening port to trigger this vulnerability.

TALOS-2016-0268 impacts the querying functionality of the Aerospike Database Server. Using a specially crafted packet, an attacker can take advantage of an exploitable stack-based buffer overflow in the 'as_sindex__simatch_list_set_binid' function to gain remote code execution. The attacker only needs to connect to the listening port to trigger this vulnerability.

Tested Version

Aerospike Database Server 3.10.0.3

Coverage

Aerospike version 3.11 addresses these issues. The following Snort Rules will detect exploitation attempts. Note that additional rules may be released at a future date and current rules are subject to change pending additional vulnerability information. For the most current rule information, please refer to your FireSIGHT Management Center or Snort.org.

Snort Rules: 41206, 41212, 41216