On March 24 2017, I discovered and reported on a remote password change vulnerability in Hewlett-Packard Enterprise’s (HPE) Vertica Analytic Database. This week, HPE released Security Bulletin HPESBGN03734, which contains the fix for this vulnerability and identifies it as CVE-2017-5802.
Fueled by ever-growing volumes of Big Data found in many corporations and government agencies, HPE’s Vertica Analytics Platform provides an SQL analytics solution built from the ground up to handle massive volumes of data and delivers blazingly fast Big Data analytics. At the core of the Vertica Analytics Platform is a column-oriented, relational database named Vertica Analytic Database.
This discovered vulnerability could lead to remote password change of the administrator account, and it has been rated as Critical by HPE. The vulnerability affects HPE Vertica Analytic Database 8.1.0 and prior versions.
In this blog, I want to share the details of this vulnerability.
How to Reproduce
To reproduce the vulnerability, you can follow the steps below.
- Deploy Vertica Analytic Database (vertica-8.0.1-0_ova) in VMWare ESX, then run “/opt/vertica/bin/adminTools” and use the ‘configure’ menu to create a new database, such as ‘test11’, with the password ‘test11’. Refer to the screenshots in Figure 1-5 below.
Figure 1. Create a database
Figure 2. Set IP address for the database
Figure 3. Set the path of the database
Figure 4. Confirm the configuration
Figure 5. Database is created
Then confirm that port 5433 is listening by running the command “netstat -na” on the ESX virtual machine. If so, then Vertica Analytic Database was successfully started.
- On another machine, such as 32-bit Windows 7, run VerticaSetup-8.0.1-0.exe to install the vsql cli application. Before launching the attack, use following cli command to check if vsql can successfully login to the Vertica Analytic Database using the above password ‘test11’, but can’t with the password ‘dbadmin’. Refer to the screenshot in Figure 6.
Figure 6. Can’t login to Vertica Analytic Database with the password ‘dbadmin’
- On the 32-bit Windows 7, run the PoC in CLI, like “PoC_vertica_change_password.py 172.22.5.10 5433” to reproduce this vulnerability. Note: 172.22.5.10 should be replaced with the IP address of the ESX VM where HPE Vertica Analytic Database is enabled.
After the attack packet is sent, you can verify if vsql fails to login with the password ‘test11’, but successfully login with the new password ‘dbadmin’. Refer to the screenshot in Figure 7.
Figure 7. Can login to Vertica Analytic Database with the password ‘dbadmin’
- Now, the password of the HPE Vertica Analytic Database has been remotely changed to ‘dbadmin’. Figure 8 shows the packet capture of the attack.
Figure 8. Packet capture of the attack
This vulnerability exists because HPE Vertica Analytic Database provides a command for remote password change. The crafted command is ‘n’, which replaces the normal login command ‘p’. Via the crafted ‘n’ command, the password of HPE Vertica Analytic Database can be changed to an arbitrary 7-byte string. See the attack packet in Figure 9.
Figure 9. The attack packet
This vulnerability allows an attacker to change the password of the user ‘dbadmin’ to an arbitrary 7-byte string after the attack packet is sent, no matter whether the initial password was set when creating the database, or the password of the user ‘dbadmin’ was changed using the command “alter user dbadmin IDENTIFIED BY ‘xyz’;”.
In summary, the vulnerability is caused by the dangerous remote password change command which exists in HPE Vertica Analytic Database. This introduces a high security risk because an attacker can gain privileged access by changing the password of ‘dbadmin’, which is the administrator account of the database. Once the attacker gains the credentials of ‘dbadmin’, he/she can do a lot of bad things on the vulnerable Vertica Analytics Platform such as
- Stop a database
- Create or drop users
- Create or drop schemas
- Create or drop roles
- View all system tables
- View and terminate user sessions
All users of vulnerable HPE Vertica Analytics Platform versions are encouraged to upgrade to the latest version of this software immediately. Additionally, organizations that have deployed Fortinet IPS solutions are already protected from this vulnerability with the signature HPE.Vertica.Analytics.Platform.Privileged.Access.
Sign up for weekly Fortinet FortiGuard Labs Threat Intelligence Briefs and stay on top of the newest emerging threats.