Vulnerabilities discovered by Talos

Talos is disclosing multiple vulnerabilities discovered in the Aerospike Database Server. These vulnerabilities range from denial of service to potential remote code execution. This software is used by various companies that require a high-performance NoSQL database. These issues have been addressed in version 3.11.1.1 of the Aerospike Database software.

The Aerospike Database Server is a distributed, scalable NoSQL database used as a back end for scalable web applications that need a key-value store. With a focus on performance, it is multi-threaded and keeps its indexes entirely in RAM, with the ability to persist data to a solid-state drive or traditional rotational media.

TALOS-2016-0263 (CVE-2016-9049) - Aerospike Database Server Fabric_Worker Socket-Loop Denial-of-Service Vulnerability

TALOS-2016-0265 (CVE-2016-9051) - Aerospike Database Server Client Batch Request Code Execution Vulnerability

TALOS-2016-0267 (CVE-2016-9053) - Aerospike Database Server RW Fabric Message Particle Type Code Execution Vulnerability

Details

Denial-of-Service Vulnerability

TALOS-2016-0263 is a DoS vulnerability that exists in the fabric-worker component of the Aerospike Database Server. A specially crafted packet can cause the server process to dereference a null pointer. An attacker can simply connect to a TCP port in order to trigger this vulnerability.

Code Execution Vulnerabilities

TALOS-2016-0265 impacts the batch transaction field parsing functionality of the Aerospike Database server. Utilizing a specially crafted packet, an attacker can exploit an out-of-bounds write which causes memory corruption that can lead to remote code execution. The attacker simply needs to connect to the listening port and send the crafted packet to trigger this vulnerability.

TALOS-2016-0267 relates to an out-of-bounds indexing vulnerability in the RW fabric message particle type of the Aerospike Database Server. A specially crafted packet can cause the server to fetch a function table from outside the bounds of an array, which can result in remote code execution. An attacker can trigger this vulnerability simply by connecting to the listening port.
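
The bug class behind TALOS-2016-0267, a type byte from the network used as an index into a table of function tables, is closed by validating the index before any lookup. The following is an added example, not Aerospike's code or the Talos report's: the type ids, the record layout and all function names are hypothetical, and the sample bytes are constructed.

```c
#include <stddef.h>
#include <stdint.h>

/* Hypothetical type ids and wire layout, for illustration only. */
enum { PT_NULL = 0, PT_INTEGER = 1, PT_STRING = 2, PT_BLOB = 3, PT_MAX };

typedef struct {
    /* Returns the validated value size, or -1 if the payload is malformed. */
    int (*size_from_wire)(const uint8_t *val, size_t len);
} particle_vtable;

static int null_size(const uint8_t *v, size_t n)  { (void)v; return n == 0 ? 0 : -1; }
static int int_size(const uint8_t *v, size_t n)   { (void)v; return n == 8 ? 8 : -1; }
static int bytes_size(const uint8_t *v, size_t n) { (void)v; return n <= 1024 ? (int)n : -1; }

static const particle_vtable null_vt = { null_size }, int_vt = { int_size }, bytes_vt = { bytes_size };
static const particle_vtable *const vtables[PT_MAX] = {
    [PT_NULL] = &null_vt, [PT_INTEGER] = &int_vt,
    [PT_STRING] = &bytes_vt, [PT_BLOB] = &bytes_vt,
};

/* Constructed samples: one valid integer record, one with an unknown type byte. */
const uint8_t sample_ok[] = { PT_INTEGER, 0, 8, 0, 0, 0, 0, 0, 0, 0, 42 };
const uint8_t sample_bad_type[] = { 0x7f, 0, 1, 0x41 };

/* Unchecked pattern (the bug class): the wire byte indexes the table directly,
 * so any type >= PT_MAX loads a "vtable" pointer from past the array:
 *     return vtables[type]->size_from_wire(val, len);
 */
int particle_size_checked(uint8_t type, const uint8_t *val, size_t len)
{
    if (type >= PT_MAX || vtables[type] == NULL)
        return -1;                          /* reject before any table access */
    return vtables[type]->size_from_wire(val, len);
}

/* Walk [type:1][len:2 big-endian][value:len] records; return count or -1. */
int validate_ops(const uint8_t *buf, size_t n)
{
    size_t off = 0;
    int count = 0;
    while (off < n) {
        if (n - off < 3) return -1;         /* truncated header */
        size_t len = ((size_t)buf[off + 1] << 8) | buf[off + 2];
        if (len > n - off - 3) return -1;   /* value runs past the buffer */
        if (particle_size_checked(buf[off], buf + off + 3, len) < 0) return -1;
        off += 3 + len;
        count++;
    }
    return count;
}
```

The length comparison is written as `len > n - off - 3` rather than `off + 3 + len > n` so that a large attacker-supplied length cannot wrap the arithmetic.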

Tested Version

Aerospike Database Server 3.10.0.3

Coverage

The following Snort Rules will detect exploitation attempts. Note that additional rules may be released at a future date and current rules are subject to change pending additional vulnerability information. For the most current rule information, please refer to your FireSIGHT Management Center or Snort.org.

Snort Rules: 41209, 41213 & 41219