Core Security Technologies Announces Vulnerability in IBM’s DB2 Database

Flaw Potentially Affects 60 million DB2 users from 400,000 companies

BOSTON, MA: September 18, 2003 – Core Security Technologies, providing the first-to-market penetration testing software product for assessing specific information security risks, today published an advisory about a vulnerability in IBM’s DB2 Database. This vulnerability allows an attacker to obtain complete control of a server DB2 database engine and therefore full access to all the information stored in the database.

DB2 is IBM’s relational database software, oriented toward the deployment and development of e-business, business intelligence, content management, enterprise resource planning and customer relationship management solutions. According to IBM’s web site there are more than 60 million DB2 users from 400,000 companies worldwide relying on IBM DB2 Information Management technology. DB2 can be deployed in AIX, HP-UX, Linux, Solaris and Windows environments.

“Since we discovered this we have been working closely with the vendor to address this vulnerability. We are pleased that we could assist them and their customers by making this announcement in conjunction with the release of their patch,” said Ivan Arce, CTO of Core Security Technologies.

IBM’s DB2 database ships with two vulnerable setuid binaries, db2licm and db2dart. These are programs that run with elevated privileges on behalf of regular unprivileged operating system users. Both binaries are vulnerable to a buffer overflow that allows a local attacker to execute arbitrary code on the vulnerable machine with privileges of the root user. Providing a long command line argument to the binaries triggers the vulnerability. So, in a default install, an attacker with access to the system with any of those programs will be able to escalate privileges to the root account.

For more information on the vulnerability please go to:
http://www1.corest.com/corelabs/advisories/index.php

For vendor recommended patch information:
http://www-3.ibm.com/cgi-bin/db2www/data/db2/udb/winos2unix/support/v7fphist.d2w/report

About Core Security Technologies
Core Security Technologies develops strategic security solutions for Fortune 1000 corporations, government agencies and military organizations. The company offers information security software and services designed to help customers easily and efficiently assess their specific information security risks. The company’s penetration testing software product CORE IMPACT, is complimented by consulting services that include penetration testing, software security auditing, and related training. Headquartered in Boston, MA, Core Security Technologies can be reached at 617-399-6980 or on the Web at http://www.coresecurity.com.