rishard

Sybase 15 internal DOS attack bug after VM scan

Discussion created by rishard on Aug 10, 2012
Latest reply on Jan 17, 2017 by Robert Dell'Immagine

Hi

 

I am not sure if anyone has experience this problem before, we upgraded to a new version of Sybase 15 and after running a Vulnerability scan caused the DB to go into an infinite loop causing it to crash.

 

We escalated this to Qualys support. They ran a debug scan,the results concluded to be a bug in Sybase causing it to DOS itself. We escalated this to Sybase and they denying it to be a bug. We still waiting for feedback from Sybase to fix the problem.

 

Qualys offered to give Sybase a scanner at no cost to test in their labs. I find this very frustrating that a major vendor like Sybase can be so arrogant.

 

Results of logs

 

load averages: 4.20,  4.73,  4.46;                    up 107+20:28:18

10:08:54

273 processes: 247 sleeping, 13 zombie, 10 stopped, 3 oncpu CPU states: 80.3% idle, 16.4% user, 3.3% kernel,  0.0% iowait, 0.0%swap

Memory: 64G phys mem, 29G free mem, 64G swap, 64G freeswap

 

    PID USERNAMELWP PRI NICE  SIZE   RES STATE   TIME    CPU COMMAND

  20117 sybasexv153   0   0 4358M 4347M cpu     50.2H   203%

dataserver  <<<<<<

 

00:0016:00000:00000:2012/08/05 21:22:07.95 kernel  ksmask__rpacket:

Invalid tdslength value 30519, kpid: 16581063

00:0016:00000:00000:2012/08/05 21:22:07.95 kernel  originating node of previous invalid TDSpacket:  port : 47277

00:0002:00000:00154:2012/08/05 21:23:09.29 server  Error: 1621,

Severity: 18, State: 1

00:0002:00000:00154:2012/08/05 21:23:09.29 server  Type '16' not allowed before login.

00:0016:00000:00000:2012/08/05 21:23:10.91 kernel  ksmask__rpacket:

Invalid tdslength value 21844, kpid: 26673433

00:0016:00000:00000:2012/08/05 21:23:10.91 kernel  originating node of previous invalid TDSpacket:  port : 47160

00:0002:00000:00177:2012/08/05 21:23:11.03 server  Error: 1621,

Severity: 18, State: 1

00:0002:00000:00177:2012/08/05 21:23:11.03 server  Type '4' not allowed before login.

00:0016:00000:00000:2012/08/05 21:23:11.12 kernel  ksmask__rpacket:

Invalid tdslength value 2816, kpid: 27197749

00:0016:00000:00000:2012/08/05 21:23:11.12 kernel  originating node of previous invalid TDSpacket:  port : 47310

00:0016:00000:00000:2012/08/05 21:23:11.17kernel  ksmask__rpacket:

 

 

Ill keep you posted on any new developments.

 

Happy scanning !!

Outcomes