Database vulnerability threat report in the first half of 2015
Monday, July 13, 2015
Anhuajin, a database security vendor, has released its latest "Database vulnerability threat report for the first half of 2015". The report shows that 44 database vulnerabilities had been identified as of June 2015, and the total is expected to reach 87 for the whole year.
1. Review of data leakage in the first half of 2015
Verizon's 2015 Data Breach Investigations Report reviewed 79,790 security incidents and 2,122 confirmed data breaches worldwide in 2014. According to Verizon's annual statistics, database breaches show a gradual upward trend, so more data leakage events can be expected in 2015. In the first half of 2015, a number of breaches around the world had a significant impact and were directly related to databases:
- Bitstamp, the world's second-largest bitcoin exchange, was hacked.
- The new banking Trojan Emotet stole the online banking credentials of German users.
- Hackers broke into a Swiss bank and extorted it using customer information.
- Verizon, the US telecom giant, was revealed to have a major security loophole that disclosed all of its customers' information.
- The "train ticket master" app was exposed for leaking 3 million passwords.
- Social security systems in more than 30 Chinese provinces were found to have high-risk vulnerabilities, leaking the information of tens of millions of social security users.
- The database behind Yonghe Dawang's official website was completely leaked through SQL injection.
- A high-risk vulnerability in the front forum resulted in the leakage of 27 million users' data.
- A credential-stuffing test against Hanting Hotel showed that more than 8,000 users' sensitive information had been leaked.
- The Oracle database configuration information of China Southern Airlines was leaked.
- A system of the Guangxi health department exposed the sensitive information of tens of millions of residents across the province.
- A platform of a provincial China Telecom subsidiary leaked 7 million users' information (phone number, plan, handset model, call and traffic records).
There are many such events. One of the main causes of data leakage is that attackers break into databases by exploiting database vulnerabilities. By reviewing the database vulnerabilities newly identified this year, this paper tries to point out the key points and difficulties of database vulnerability protection for customers this year.
The vulnerabilities in this article are taken from NVD (the US National Vulnerability Database). The figure below shows the total number of vulnerabilities in seven major databases (Oracle, MSSQL, MySQL, DB2, Informix, Sybase, PostgreSQL) between 2011 and 2015. The number of identified database vulnerabilities fluctuates from year to year: when a database is released with new functions, the number of vulnerabilities increases, while in years with few or no new features the number decreases significantly. The following chart compares five years; except for 2015, which covers only the first half of the year, each figure is the count for a whole year. As of June 2015, 44 database vulnerabilities have been identified, and the total is expected to reach 87 for the whole year.
Figure 1 number of database vulnerabilities in 2011-2015
Figure 2 causes of database vulnerability
The figure above shows the proportion of vulnerability causes in 2011-2015. The vulnerabilities mainly come from three sources:
- New vulnerabilities brought by new features
- New vulnerabilities brought by compatibility of new and old versions
- Incomplete fixes, or new vulnerabilities introduced by the fixing code
In the first half of 2015, 44 vulnerabilities were identified: 7 for Oracle, 3 for MySQL, 29 for PostgreSQL and 5 for Sybase. No vulnerabilities were identified in 2015 for the other three databases. Oracle, MySQL and Sybase each have one high-risk vulnerability.
Vulnerabilities are classified by their impact on the confidentiality, integrity and availability of the database into three categories: high risk, medium risk and low risk. High-risk vulnerabilities must be dealt with promptly. Although medium- and low-risk vulnerabilities are less serious, in specific circumstances they can reach the hazard level of a high-risk vulnerability, so database security personnel should not dismiss them. Of the 44 vulnerabilities identified in 2015, 3 are high risk and 12 are low risk.
Figure 3 risk level of database vulnerability
2. Web databases are still the main target of hacker attacks
Verizon's 2015 data breach report points out that attacking the web application and, through it, the web database behind it is one of the important paths to data disclosure. Three of the top four breach patterns are human factors (human error, insider/privilege misuse, physical theft/loss), which can only be addressed by improving security awareness and security management. A database server does not normally install untrusted third-party software and is not "phished", so the probability of crimeware reaching the database server is small. Web attacks are therefore the primary threat to database servers, which are most exposed to hacker attack through that path.
Figure 4 Verizon 2015 report: data leakage paths
Figure 5 several ways to leak database
Web systems mainly adopt the B/S (browser/server) architecture: the user accesses the web server through a browser, and the web server in turn accesses the web database server, forming a legitimate access channel from the user to the database and thereby indirectly exposing the database on the Internet. In some enterprises the database is even installed directly on the server that provides web services to the outside world. Sensitive data in the database can therefore be reached by attacking the web server. A large number of web databases use MySQL. This year MySQL has been confirmed to have 29 vulnerabilities and is expected to reach 60 by the end of the year; they also appear in the latest stable versions, MySQL 5.5 and 5.6. Please therefore pay more attention to the security of MySQL.
Figure 6 number of vulnerabilities in different versions of MySQL database
Many vulnerabilities were found in MySQL 5.5 and MySQL 5.6 at the same time. The figure above shows the affected versions for the 29 MySQL vulnerabilities confirmed this year: MySQL 5.6 is affected by 28 of them and MySQL 5.5 by 14, and most of these overlap.
3. Government websites and trading platforms have become the first choice for hacker attacks
In the first half of 2015, web database attacks focused mainly on government websites and various trading platforms. Attacks on government websites are mostly organized, purposeful and long in latency; according to the APT attack report released by FireEye, most attacks against governments are carried out by organized hacker groups with deeper political aims. Attacks on trading platforms, by comparison, are shorter and more direct: after breaking into the web database the attacker takes customer sensitive information straight away and sells it into the black market. Although a Trojan backdoor is usually left on the platform for the next intrusion, the platform's security personnel generally deal with the backdoor and the exploited vulnerability within three months.
4. Vulnerabilities that need attention in the first half of 2015
The high-risk vulnerabilities are spread across Oracle, MySQL and Sybase: CVE-2015-0457, CVE-2015-0411 and CVE-2015-1310 respectively. These three are the high-risk vulnerabilities of the first half of 2015.
CVE-2015-0457 is a buffer overflow vulnerability in Oracle's Java VM component. Exploiting it does not require network access rights to the target database or access rights to the operating system hosting the database, and it can lead to the target database being completely controlled, all sensitive information stored in it being stolen, the database being completely destroyed, and the database service being stopped. The vulnerability was fixed in this year's April patch and affects most databases on the three stable versions 11.1, 11.2 and 12.1.
CVE-2015-0411 is a security vulnerability in the encryption of MySQL's communication protocol. Exploiting it does not require network access rights to the target database or access rights to the host operating system: an attacker can log in to the MySQL database by breaking the communication protocol. If the root account is compromised, the target database may be completely controlled, all sensitive information stored in it may be stolen, the database may be completely destroyed, and the database service may be stopped. The vulnerability was fixed in the January patch and affects most databases on the 5.5 and 5.6 stable versions.
CVE-2015-1310 is an SQL injection vulnerability in the SAP Sybase ASE database platform. Attackers can craft special SQL queries through SQL injection to read and modify sensitive information in the database, perform administrative operations, and destroy data or make it unavailable. In some cases an attacker can access system data or execute operating system commands. The vulnerability was fixed in the January patch.
5. Database vulnerability distribution in the first half of 2015
Figure 7 Oracle database vulnerability distribution
Oracle's 7 vulnerabilities are concentrated in Java VM, XDB and Core RDBMS. Of these three components, Core RDBMS is the core of the Oracle database: under Windows it appears as the oracle.exe process, while under Linux it is split into several processes that are responsible for different functions and keep the database running. Java VM is the Java virtual machine that runs Java code inside Oracle, for example the Oracle graphical installer. Vulnerabilities in the Java VM often come from the fact that XDB is the component responsible for XML processing, which exposes two external ports, HTTP and FTP. These two ports often bring buffer overflow vulnerabilities (high-risk vulnerabilities that require no authentication) to the database.
Unlike Oracle, MySQL has many vulnerabilities because it has added a large number of new functions, and its 29 vulnerabilities are also scattered across components.
Figure 8 MySQL database vulnerability distribution
MySQL's 29 vulnerabilities are spread over 14 MySQL components plus one unknown component. MySQL is a lightweight database whose components are easy to add and remove, and many of the 14 are non-essential. For example, InnoDB has 5 vulnerabilities; if your business does not need InnoDB, it is recommended that you disable it.
PostgreSQL and Sybase are used in a relatively small range and are generally not deployed as web database servers. This year their identified vulnerabilities are mainly concentrated in core components. Because they are rarely used as web database servers, they do not need special attention.
This year's database security focus should be on MySQL and the industry that uses MySQL as a web database.
6. Database vulnerability exploitation trends
As database security has developed, bypassing authentication remains the biggest threat to database security. Two of the three high-risk vulnerabilities in the first half of this year were authentication bypasses, using buffer overflow and communication protocol cracking respectively. Although buffer overflows and protocol cracking are becoming rarer, each one is a nightmare for a database. SQL injection is still the mainstream, with more than 80% of vulnerabilities falling under SQL injection. This year's SQL injection vulnerabilities mainly exploit flaws in the database system's own SQL language features, and most still rely on escalating the privileges of a low-privileged user to obtain more sensitive database information. As a database administrator, assign user permissions strictly and avoid granting excessive permissions, and disable or uninstall unnecessary services so that attackers cannot exploit them to break into your database.
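A privilege audit along the lines recommended above, as an added example that is not part of the original report: it parses `SHOW GRANTS` output in the form MySQL 5.5/5.6 prints and flags accounts that hold global scope, administrative privileges, or a wildcard host. The account names and grants below are constructed sample data, and the set of privileges treated as administrative is this example's own choice.

```python
import re

# Privileges that let an account escape its own schema or control the server (example's choice).
ADMIN_PRIVS = {"ALL PRIVILEGES", "FILE", "SUPER", "PROCESS", "SHUTDOWN",
               "RELOAD", "CREATE USER", "GRANT OPTION"}

# One SHOW GRANTS line as MySQL 5.5/5.6 prints it (column-level privilege lists not handled).
GRANT_RE = re.compile(
    r"^GRANT\s+(?P<privs>.+?)\s+ON\s+(?P<scope>\S+)\s+TO\s+"
    r"'(?P<user>[^']*)'@'(?P<host>[^']*)'(?P<rest>.*)$")

def parse_grant(line: str) -> dict:
    """Split one GRANT statement into user, host, scope and privilege set."""
    m = GRANT_RE.match(line.strip().rstrip(";"))
    if not m:
        raise ValueError(f"not a GRANT statement: {line!r}")
    privs = {p.strip().upper() for p in m.group("privs").split(",")}
    if "WITH GRANT OPTION" in m.group("rest").upper():
        privs.add("GRANT OPTION")
    return {"user": m.group("user"), "host": m.group("host"),
            "scope": m.group("scope"), "privs": privs}

def audit_grant(grant: dict) -> list[str]:
    """Findings for one parsed GRANT; an empty list means it looks fine."""
    findings = []
    if grant["scope"] == "*.*" and grant["privs"] != {"USAGE"}:
        findings.append("global scope (*.*)")      # not limited to one schema
    dangerous = sorted(grant["privs"] & ADMIN_PRIVS)
    if dangerous:
        findings.append("admin privileges: " + ", ".join(dangerous))
    if grant["host"] in ("%", ""):
        findings.append("connects from any host")  # no source restriction
    return findings

def audit(lines: list[str]) -> dict[str, list[str]]:
    """Audit many GRANT lines, grouping findings by user@host."""
    report = {}
    for line in lines:
        if line.strip():
            g = parse_grant(line)
            report.setdefault(f"{g['user']}@{g['host']}", []).extend(audit_grant(g))
    return report

# Constructed sample output (not taken from any real server).
SAMPLE_GRANTS = """
GRANT USAGE ON *.* TO 'shop_app'@'10.0.0.5' IDENTIFIED BY PASSWORD '<hash>'
GRANT SELECT, INSERT, UPDATE, DELETE ON `shop`.* TO 'shop_app'@'10.0.0.5'
GRANT ALL PRIVILEGES ON *.* TO 'legacy_web'@'%' WITH GRANT OPTION
GRANT SELECT, FILE ON *.* TO 'report'@'localhost'
"""
```

Calling `audit(SAMPLE_GRANTS.splitlines())` returns the findings keyed by account; on a live server, feed it the output of `SHOW GRANTS FOR` each account instead.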
Concluding remarks:
Looking back on the research of Anhuajin's database attack and defense laboratory in recent years, we find that database vulnerabilities follow certain specific rules. Although the number of vulnerabilities does not decline steadily every year, the probability of a database vulnerability is getting lower and lower. The fact that the number cannot be steadily reduced is closely related to two points:
First, many databases add a large number of interfaces and functions for the convenience of users, and new functions are always plagued in their initial versions by their own vulnerabilities and by compatibility vulnerabilities. Second, hackers are increasingly capable of exploiting vulnerabilities. Many previously discovered vulnerabilities could not be exploited at the time; hackers gradually turn some of them into exploitable ones. At the same time, hackers pay special attention to certain industries, and database vulnerability attacks are often concentrated there.
Finally, and most importantly, most database attackers are still profit-driven first of all. As the database follows the business from the back office to the front, hackers get more opportunities to break into it. These viewpoints should be valuable for predicting future forms of database attack and defense and for further improving the solutions of enterprises and organizations. This year, please pay special attention to the security protection of MySQL databases.