On March 24 2017, I discovered and reported on a remote password change vulnerability in Hewlett-Packard Enterprise’s (HPE) Vertica Analytic Database. This week, HPE released Security Bulletin HPESBGN03734, which contains the fix for this vulnerability and identifies it as CVE-2017-5802.
Fueled by ever-growing volumes of Big Data found in many corporations and government agencies, HPE's Vertica Analytics Platform provides an SQL analytics solution built from the ground up to handle massive volumes of data and delivers blazingly fast Big Data analytics. At the core of the Vertica Analytics Platform is a column-oriented, relational database named Vertica Analytic Database.
This discovered vulnerability could lead to remote password change of the administrator account, and it has been rated as Critical by HPE. The vulnerability affects HPE Vertica Analytic Database 8.1.0 and prior versions.
In this blog, I want to share the details of this vulnerability.
To reproduce the vulnerability, you can follow the steps below.
Figure 1. Create a database
Figure 2. Set IP address for the database
Figure 3. Set the path of the database
Figure 4. Confirm the configuration
Figure 5. Database is created
Then confirm that port 5433 is listening by running the command "netstat -na" on the ESX virtual machine. If so, then Vertica Analytic Database was successfully started.
Figure 6. Can’t login to Vertica Analytic Database with the password 'dbadmin'
After the attack packet is sent, you can verify if vsql fails to login with the password 'test11', but successfully login with the new password 'dbadmin'. Refer to the screenshot in Figure 7.
Figure 7. Can login to Vertica Analytic Database with the password 'dbadmin'
Figure 8. Packet capture of the attack
This vulnerability exists because HPE Vertica Analytic Database provides a command for remote password change. The crafted command is ‘n’, which replaces the normal login command ‘p’. Via the crafted ‘n’ command, the password of HPE Vertica Analytic Database can be changed to an arbitrary 7-byte string. See the attack packet in Figure 9.
Figure 9. The attack packet
This vulnerability allows an attacker to change the password of the user 'dbadmin' to an arbitrary 7-byte string after the attack packet is sent, no matter whether the initial password was set when creating the database, or the password of the user 'dbadmin' was changed using the command "alter user dbadmin IDENTIFIED BY 'xyz';".
In summary, the vulnerability is caused by the dangerous remote password change command which exists in HPE Vertica Analytic Database. This introduces a high security risk because an attacker can gain privileged access by changing the password of ‘dbadmin’, which is the administrator account of the database. Once the attacker gains the credentials of ‘dbadmin’, he/she can do a lot of bad things on the vulnerable Vertica Analytics Platform such as
All users of vulnerable HPE Vertica Analytics Platform versions are encouraged to upgrade to the latest version of this software immediately. Additionally, organizations that have deployed Fortinet IPS solutions are already protected from this vulnerability with the signature HPE.Vertica.Analytics.Platform.Privileged.Access.
Sign up for weekly Fortinet FortiGuard Labs Threat Intelligence Briefs and stay on top of the newest emerging threats.