by Anthony Giandomenico  |  Jul 23, 2015  |  Filed in: Security Research

Last week, FortiGuard Labs announced a remote denial of service vulnerability in the Teradata Gateway and Teradata Express. Teradata is a leading provider of big data solutions including business intelligence, data warehousing, CRM, and more. Many high-profile global enterprises use Teradata, and the vulnerability could be used for corporate espionage or to draw attention away from other malicious actions such as exfiltrating data and compromising other systems.

Because this vulnerability does not require an attacker to be authenticated, it is readily exploitable and could be used to crash Teradata databases.

The Teradata Gateway connects workstation clients to a Teradata Database server, while Teradata Express is a self-contained database that runs on VMware Player or VMware Server. In both pieces of software, an attacker could craft a malformed CONFIG REQUEST message, crashing the database and causing a denial of service.

FortiGuard researchers were able to reproduce such a DoS with a Python script that sent a malformed request packet to the Teradata Gateway. The crash information is shown below:

Jul  8 23:01:40 TDExpress150001_Sles10 Teradata[18328]: INFO: Teradata: 14081 #Event number 33-14081-00 (severity 0, category 11), occurred on Wed Jul  8 23:01:40 2015 at 001-01 (Vproc 10237, partition 32, task 18328) in system SLES10SP3 in Module tvsa_agent, version PDE:15.00.01.01,TDBMS:15.00.01.01,PDEGPL:15.00.01.01,RSG:15.00.00.00,TGTW:15.00.01.01,TDGSS:15.00.01.01
Jul  8 23:01:40 TDExpress150001_Sles10 Teradata[18328]:  PUT-generated perferred mapping file not found.
Jul  8 23:01:40 TDExpress150001_Sles10 Teradata[18328]: INFO: Teradata: 14081 #Event number 33-14081-00 (severity 0, category 11), occurred on Wed Jul  8 23:01:40 2015 at 001-01 (Vproc 10237, partition 32, task 18328) in system SLES10SP3 in Module tvsa_agent, version PDE:15.00.01.01,TDBMS:15.00.01.01,PDEGPL:15.00.01.01,RSG:15.00.00.00,TGTW:15.00.01.01,TDGSS:15.00.01.01
Jul  8 23:01:40 TDExpress150001_Sles10 Teradata[18328]:  PUT-generated perferred mapping file not found.
Jul  8 23:01:40 TDExpress150001_Sles10 Teradata[18328]: INFO: Teradata: 15080 #Reservation protection is not available on this node.
Jul  8 23:01:40 TDExpress150001_Sles10 Teradata[7745]: INFO: Teradata: 13896 #COD: PM CpuPerformance scaled to 100.0%
Jul  8 23:01:40 TDExpress150001_Sles10 Teradata[7745]: INFO: Teradata: 13896 #COD: PM DiskPerformance scaled to 100%
Jul  8 23:01:40 TDExpress150001_Sles10 Teradata[18343]: INFO: Teradata: 8001 #Event number 34-08001-00 (severity 0, category 10), occurred on Wed Jul  8 23:01:40 2015 at 001-01 (Vproc 8192, partition 10, task 18343) in system SLES10SP3 in Module gtwgateway, version PDE:15.00.01.01,TDBMS:15.00.01.01,PDEGPL:15.00.01.01,RSG:15.00.00.00,TGTW:15.00.01.01,TDGSS:15.00.01.01
Jul  8 23:01:40 TDExpress150001_Sles10 Teradata[18343]:  Starting Gateway 
Jul  8 23:01:40 TDExpress150001_Sles10 Teradata[7745]: INFO: Teradata: 13857 #Event number 33-13857-00 (severity 10, category 12) Application not started because the system-wide crash count has reached its limit.

The malformed packet is shown below:

This vulnerability is the result of improper validation of these CONFIG REQUEST messages.

The following video shows the vulnerability being exploited in Teradata Express.

Teradata patched this vulnerability earlier this month in versions 15.00.03.02-1 and 15.10.00.01-1 of the Teradata Gateway and versions 15.00.02.08_Sles10 and 15.00.02.08_Sles11 of Teradata Express. All users are encouraged to upgrade their installations to the latest versions.

Fortinet currently protects against this vulnerability with IPS signature Teradata.Gateway.Remote.DoS.
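The crash log shown earlier can also be watched for on the host side. The following Python example is added here and is not FortiGuard's or Teradata's code: it parses syslog lines in the format of that log and flags the crash-count-limit event (13857) and bursts of gateway starts. Treating event 8001 from module gtwgateway as a gateway start, the burst threshold, the time window and the year are assumptions, and the sample lines are constructed from the log above.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample: shortened copies of lines from the crash log above,
# with timestamps changed to simulate repeated gateway restarts.
SAMPLE = """\
Jul  8 23:00:10 TDExpress150001_Sles10 Teradata[18101]: INFO: Teradata: 8001 #Event number 34-08001-00 (severity 0, category 10), occurred on Wed Jul  8 23:00:10 2015 in Module gtwgateway, version PDE:15.00.01.01
Jul  8 23:00:55 TDExpress150001_Sles10 Teradata[18220]: INFO: Teradata: 8001 #Event number 34-08001-00 (severity 0, category 10), occurred on Wed Jul  8 23:00:55 2015 in Module gtwgateway, version PDE:15.00.01.01
Jul  8 23:01:40 TDExpress150001_Sles10 Teradata[18343]: INFO: Teradata: 8001 #Event number 34-08001-00 (severity 0, category 10), occurred on Wed Jul  8 23:01:40 2015 in Module gtwgateway, version PDE:15.00.01.01
Jul  8 23:01:40 TDExpress150001_Sles10 Teradata[18343]:  Starting Gateway
Jul  8 23:01:40 TDExpress150001_Sles10 Teradata[7745]: INFO: Teradata: 13857 #Event number 33-13857-00 (severity 10, category 12) Application not started because the system-wide crash count has reached its limit.
"""

LINE = re.compile(r"^(\w{3}\s+\d+ \d\d:\d\d:\d\d) (\S+) Teradata\[\d+\]: "
                  r"INFO: Teradata: (\d+) #(.*)$")
SEVERITY = re.compile(r"\(severity (\d+),")
MODULE = re.compile(r"in Module (\w+)")

def parse(line, year=2015):
    """Return (time, host, event, severity, module), or None for other lines."""
    m = LINE.match(line)
    if not m:
        return None  # continuation lines such as " Starting Gateway"
    ts, host, event, msg = m.groups()
    # Syslog timestamps carry no year; the caller supplies it (assumption).
    when = datetime.strptime(f"{year} {' '.join(ts.split())}", "%Y %b %d %H:%M:%S")
    sev, mod = SEVERITY.search(msg), MODULE.search(msg)
    return when, host, int(event), int(sev.group(1)) if sev else None, mod.group(1) if mod else None

def analyze(text, burst=3, window=timedelta(minutes=10)):
    """Flag gateway restart bursts and the crash-count-limit event, per host."""
    starts, alerts = defaultdict(deque), []
    for when, host, event, sev, mod in filter(None, map(parse, text.splitlines())):
        if event == 8001 and mod == "gtwgateway":
            q = starts[host]
            q.append(when)
            while when - q[0] > window:   # drop starts older than the window
                q.popleft()
            if len(q) == burst:           # alert once when the threshold is hit
                alerts.append((host, "gateway_restart_burst", when))
        elif event == 13857:
            alerts.append((host, "crash_limit_reached", when))
    return alerts

if __name__ == "__main__":
    for host, kind, when in analyze(SAMPLE):
        print(f"{when:%b %d %H:%M:%S} {host}: {kind}")
```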
