IBM urges infosec professionals to patch DB2 for Windows, Cisco urges patch for Webex meeting
In a security bulletin released on Thursday, IBM said the problem could allow a locally authenticated attacker to execute arbitrary code on the system.
The cause is a DLL search order hijacking vulnerability in the Microsoft Windows client.
The bulletin states, "By placing a specially crafted file in a compromised folder, an attacker can exploit this vulnerability."
IBM says the Common Vulnerability Scoring System (CVSS) base score on this issue is 7.8. All fix pack levels of IBM DB2 including V9.7 (which reached end of life in September 2017), V10.1, V10.5, V11.1, and V11.5 versions on Windows are affected.
Customers running any vulnerable fix pack level of an affected version can download a special build containing an interim fix for this issue from IBM Fix Central.
These special builds are available for each affected release, based on the most recent fix pack level.
There are no workarounds or mitigations. Johannes Ullrich, dean of research at the SANS Technology Institute, does not consider the issue a big deal.
"This is a problem with the DLL search order for Windows clients," he said in an email.
"This type of problem is very common in Windows. It can load various libraries (DLLs) as soon as the Windows software starts. To find the correct DLL, the software will search many different locations.
If an attacker could place a malicious DLL in one of these locations, it would be executed instead of the valid code provided by IBM or others.
"To exploit this, an attacker needs to be able to place the file on the victim's system (and place it in the correct directory). This requires some access to the system.
Use of DB2 is only relatively small these days (but many of the organizations using it are high-value, such as those in the financial and insurance industries).
But given how common these DLL search sequence vulnerabilities are, there is a possibility that an attacker who would initiate such exploitation will use more generic software."
Meanwhile, Cisco has released patches to close vulnerabilities in its Webex meetings server and client applications, which allow a hacker to listen to meetings without being detected. 'Ghost' participants can gain valuable corporate intelligence.
Weaknesses discovered by IBM researchers allow a person full access to audio, video, chat, and screen-sharing without appearing in the participant list.
In fact, they could stay in a Webex meeting and maintain the audio connection, so they could still listen after being expelled from the session.
IBM reported that these vulnerabilities work by taking advantage of the handshake process used by Webex to establish connections between meeting participants.
Typically, an attendee's client system and the server conduct a handshake process by exchanging 'join' messages with information about the client application, meeting IDs, meeting room details, and more.
A malicious actor can become a ghost by manipulating these messages during the handshake process between the Webex client application and the Webex server back-end to join or stay in the meeting without being seen by others.
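A defensive check for the DLL search order issue described earlier, added here as an example and not taken from IBM's bulletin or from Ullrich's comments: it parses `icacls` output for the directories an application searches and reports those where any local user can add a file. The directory names, sample ACLs and the function name `plantable_dirs` are constructed for illustration, and English-language group names are assumed.

```python
import re

# Principals every local user belongs to (assumption: English-language names).
LOW_PRIV = {"everyone", r"builtin\users", r"nt authority\authenticated users",
            r"nt authority\interactive"}
# icacls rights that allow creating a file in a directory. AD is left out on
# purpose: on a directory it only allows creating subdirectories.
CAN_ADD_FILE = {"F", "M", "W", "WD", "GA", "GW"}
ACE_RE = re.compile(r"^(?P<who>[^:(]+):(?P<parens>(?:\([^)]*\))+)$")

def plantable_dirs(search_dirs, icacls_text):
    """Return sorted (directory, principal) pairs where a low-privileged
    principal holds a right that lets it add a file to a searched directory."""
    known = sorted(search_dirs, key=len, reverse=True)  # longest path first
    current, allow, deny = None, set(), set()
    for raw in icacls_text.splitlines():
        line = raw.strip()
        if not line:                 # a blank line ends one directory's ACL
            current = None
            continue
        for d in known:              # the first line of an entry starts with the path
            if line.lower().startswith(d.lower() + " "):
                current, line = d, line[len(d):].strip()
                break
        m = ACE_RE.match(line)
        if not m or current is None:
            continue
        tokens = {t.strip() for p in re.findall(r"\(([^)]*)\)", m["parens"])
                  for t in p.split(",")}
        who = m["who"].strip()
        # (IO) entries are inherit-only and do not apply to the directory itself.
        if "IO" in tokens or who.lower() not in LOW_PRIV or not tokens & CAN_ADD_FILE:
            continue
        (deny if "DENY" in tokens else allow).add((current, who))
    return sorted(allow - deny)

# Constructed sample: three searched directories and their icacls output.
SAMPLE_DIRS = [r"C:\Program Files\ExampleDB\bin", r"C:\Tools", r"C:\Data"]
SAMPLE_ICACLS = r"""
C:\Program Files\ExampleDB\bin NT AUTHORITY\SYSTEM:(OI)(CI)(F)
                               BUILTIN\Users:(OI)(CI)(RX)

C:\Tools BUILTIN\Administrators:(OI)(CI)(F)
         NT AUTHORITY\Authenticated Users:(OI)(CI)(M)

C:\Data BUILTIN\Users:(CI)(AD)
        BUILTIN\Users:(OI)(CI)(IO)(M)
"""

if __name__ == "__main__":
    for directory, principal in plantable_dirs(SAMPLE_DIRS, SAMPLE_ICACLS):
        print(f"{directory}: writable by {principal}")
```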