I’ve recently blogged about a shared memory vulnerability in Cisco WebEx Meetings Client on Windows where any user can read memory dedicated to trace data. It turns out that this is a common problem. IBM Db2 is affected by the exact same type of problem. Developers forgot to put explicit memory protections around the shared memory used by the Db2 trace facility. This allows any local users read and write access to that memory area. In turn, this allows accessing critically sensitive data as well as the ability to change how the trace subsystem functions, resulting in a denial of service condition in the database. Needless to say both shouldn’t be possible for regular users.
In Windows, launch Process Explorer or other any similar tool to check open handles of Db2 main process. As you can see below, there are absolutely no permissions assigned to the shared memory so that anyone can read from and write to it.
I created a simple console application that tries to open given memory section by name and dump first few bytes:
We then enable Db2 tracing:
And now we can see what’s been written to those memory sections:
In the end this means that an unprivileged local user can abuse this to cause a denial of service condition simply by writing incorrect data over that memory section.
IBM released a special build patch to address this and other security issues on June 30. Please update ASAP.
Trustwave Advisory TWSL2020-005: https://www.trustwave.com/en-us/resources/security-resources/security-advisories/?fid=27559