Security researchers have discovered an arbitrary code injection vulnerability in Adobe Systems' main lead database management system.
SC Media, the leading cybersecurity source in the UK and Europe, approached Senior Cybersecurity Consultant, Elliott Thompson, for his thoughts on their article, “Vulnerability in Adobe main lead database could allow hackers to inject own malicious script codes.”
Here are his comments in full:
How serious is the flaw? What could hackers do with this type of attack?
There appears to be disagreement about the exact nature of the vulnerability. If Adobe is correct, the vulnerability could be used to potentially access browser session information of a limited number of users visiting a specific page. However, if the vulnerability reporter is correct, the flaw would be extremely critical and could be used to extract personal data from a range of connected internal databases at Adobe.
How can organizations deal with this? What are the mitigations?
If an organization passes data between a variety of data stores, each transaction where data is sent from one system to another should be subject to the same filtering and encoding that would be expected when accepting data from a user. Especially where dangerous functions are being used, organizations should consider fuzzing their own applications to identify unexpected behavior when dealing with data sent to and from disparate systems. If there is a risk that a system has already been compromised in a similar way, organizations can also search through their data store to identify unexpected characters that could indicate attempts to exploit similar chains of vulnerabilities.
How can databases be protected against similar attacks?
Databases often provide their own safe API functions for adding and removing data which automatically apply the appropriate protections, for example, “pg_escape_string” in PHP for PostgreSQL. But the important part of the mitigations is to use those safe APIs in absolutely all locations where the data is being exchanged.
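The following is an added illustration, not part of the interview or of SureCloud's own code, of the two mitigations described above: binding parameters on every write when data moves between stores (used here in place of the PHP pg_escape_string call Elliott mentions), and scanning a store afterwards for characters a field is not expected to carry. The lead records are constructed, and the SUSPICIOUS pattern is an assumed starting point that would need tuning per field.

```python
import re
import sqlite3

# Constructed sample records standing in for the content of a "source" store.
SAMPLE_LEADS = [
    ("Alice Example", "alice@example.test"),
    ("Bob O'Brien", "bob@example.test"),
    ("<script>alert(1)</script>", "evil@example.test"),
    ("Carol", "carol@example.test'; DROP TABLE leads; --"),
]

# Assumed pattern: characters a plain name or e-mail field should not carry.
# A hit is a signal to investigate the record, not proof of compromise.
SUSPICIOUS = re.compile(r"[<>\"\\;\x00-\x1f]|--|/\*")


def copy_leads(src, dst):
    """Move rows between two stores, binding parameters for every write."""
    rows = src.execute("SELECT name, email FROM leads").fetchall()
    # Bound parameters are escaped by the driver; row values are never
    # interpolated into the SQL text, so they are stored verbatim and inert.
    dst.executemany("INSERT INTO leads (name, email) VALUES (?, ?)", rows)
    dst.commit()
    return len(rows)


def scan_for_unexpected(conn):
    """Return (rowid, column, value) for stored fields with unexpected characters."""
    findings = []
    for rowid, name, email in conn.execute("SELECT rowid, name, email FROM leads"):
        for column, value in (("name", name), ("email", email)):
            if SUSPICIOUS.search(value):
                findings.append((rowid, column, value))
    return findings


def demo():
    """Load the constructed records, copy them across stores, then scan the target."""
    src = sqlite3.connect(":memory:")
    dst = sqlite3.connect(":memory:")
    for conn in (src, dst):
        conn.execute("CREATE TABLE leads (name TEXT, email TEXT)")
    src.executemany("INSERT INTO leads VALUES (?, ?)", SAMPLE_LEADS)
    copied = copy_leads(src, dst)
    findings = scan_for_unexpected(dst)
    return copied, findings
```

The scan flags the script tag in row 3 and the SQL fragment in row 4 while leaving the apostrophe in "O'Brien" alone, which is why the pattern should be chosen per field rather than blanket-matching all quoting characters.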
Read the full SC article here.
About SureCloud
SureCloud provides Governance, Risk & Compliance (GRC) applications and Cybersecurity solutions that give our customers certainty – of risk management/compliance and cybersecurity. Established in 2006, SureCloud is headquartered in the United Kingdom and has offices in the United States. SureCloud has more than 400 customers throughout the UK and US from the Retail, Financial Services, Government and other sectors.
About Elliott Thompson
Elliott Thompson, one of SureCloud’s senior cybersecurity consultants, delivers on a variety of large and unusual pentesting engagements. Elliott engages targets throughout Europe, Asia, and the Middle East through infrastructure testing and reverse engineering to physical, social engineering and red teaming. Elliott has also worked with the BBC, Which?, and Test Aankoop to provide his insight on various cybersecurity news pieces.