IBM DB2 Remote Command Server Privilege Escalation
Local Access Required, Remote / Network Access
Loss of Integrity
Patch / RCS
DB2 contains a flaw that may allow a malicious user to gain unauthorized privileges. The Remote Command Server, DB2RCMD.EXE, listens on a named pipe, DB2REMOTECMD. When a connection is made to the pipe, a new process, db2rcmdc.exe, is created, which executes the command with the privileges of the db2admin administrator account. This flaw may lead to a loss of confidentiality, integrity or availability.
Currently, there are no known workarounds or upgrades to correct this issue. However, IBM has released FixPak 5 to address this vulnerability.
IBM DB2 Remote Command Server is prone to a vulnerability that may permit authenticated users to gain administrative access to the underlying database. This is because when the server accepts commands from legitimate users, it spawns another process with elevated privileges to execute the commands. In this manner, a user may execute arbitrary commands with the privileges of the db2admin account.
This issue is only known to exist on Windows platforms, though conflicting details have been reported that seem to indicate that this issue may also affect DB2 releases for other platforms.
There is no exploit required.
IBM has addressed this issue in FixPak 5 for DB2 on Windows platforms.
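The process chain described above (DB2RCMD.EXE spawning db2rcmdc.exe, which runs the submitted command as db2admin) can be watched for in process-creation logs. The following is an added example, not part of the original advisory and not IBM code; the event schema (pid, ppid, image, user, cmd), the install path and the sample events are constructed for illustration.

```python
import ntpath

# Process name taken from the advisory: DB2RCMD.EXE spawns one db2rcmdc.exe
# per pipe connection, and that process runs the submitted command as db2admin.
RCS_WORKER = "db2rcmdc.exe"

# Constructed sample events; the schema and install path are assumptions.
SAMPLE_EVENTS = [
    {"pid": 400, "ppid": 580, "image": r"C:\SQLLIB\BIN\DB2RCMD.EXE",
     "user": "db2admin", "cmd": "db2rcmd.exe"},
    {"pid": 812, "ppid": 400, "image": r"C:\SQLLIB\BIN\db2rcmdc.exe",
     "user": "db2admin", "cmd": "db2rcmdc.exe"},
    {"pid": 820, "ppid": 812, "image": r"C:\WINDOWS\system32\cmd.exe",
     "user": "db2admin", "cmd": "cmd.exe /c dir"},
    {"pid": 824, "ppid": 820, "image": r"C:\WINDOWS\system32\whoami.exe",
     "user": "db2admin", "cmd": "whoami"},
    {"pid": 900, "ppid": 600, "image": r"C:\WINDOWS\system32\cmd.exe",
     "user": "alice", "cmd": "cmd.exe"},
]

def image_name(event):
    """Lower-cased executable name, tolerant of full Windows paths."""
    return ntpath.basename(event["image"]).lower()

def rcs_descendants(events):
    """Return events for processes running underneath db2rcmdc.exe, in log order."""
    tainted = set()  # PIDs of db2rcmdc.exe instances and their descendants
    hits = []
    for ev in events:
        if ev["ppid"] in tainted:
            tainted.add(ev["pid"])
            hits.append(ev)
        elif image_name(ev) == RCS_WORKER:
            tainted.add(ev["pid"])
        else:
            tainted.discard(ev["pid"])  # PID reused by an unrelated process
    return hits

def summarize(events):
    """(pid, executable, account, command line) for each flagged process."""
    return [(e["pid"], image_name(e), e["user"], e["cmd"])
            for e in rcs_descendants(events)]

if __name__ == "__main__":
    for row in summarize(SAMPLE_EVENTS):
        print("ran under Remote Command Server:", row)
```

On a host where the Remote Command Server is not expected to be used, any row in this output is worth reviewing against the list of users who are permitted to administer the database.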