HomeMySQL MySQL Vulnerabilities Threaten Databases
MySQL Vulnerabilities Threaten Databases
Over the weekend, a prominent developer and security professional released some uncomfortable information to the Full Disclosure mailing list for MySQL open source database project. He revealed information and exploits for a number of MySQL vulnerabilities that could let attackers gain access to a database and execute malicious code.
The developer, Nikolaos Rangos, is also known by the online handle Kingcope. At least some of the vulnerabilities he reported have been confirmed. Some of the vulnerabilities allow users with just a few privileges to create a MySQL administrator user, which would grant them far greater access. Indeed, five of the exploits that Rangos discovered would grant attackers shell access with maximum privileges.
While those exploits call for the hacker to possess a legitimate database connection to inject and execute code, one of the other exploits can enable attackers to discover valid usernames – a first step toward carrying out one of the other exploits. ZDNet reported that this particular vulnerability, designated CVE-2012-5615, “allows an attacker to confirm whether a certain username is in use by the SQL instance as it immediately responds with 'Access denied' if the account does not exist, but provides another response if the account exists, but the supplied credentials are incorrect.”
Sadly, according to Sergei Golubchik, Monty Program Vice President of Architecture and a former developer for the MySQL project before it was purchased by Sun/Oracle, some of the newly-reported vulnerabilities are far from new. One, CVE-2012-5611, duplicates an older bug, CVE-2012-5579, which has since been patched in the latest version of MariaDB. Another bug, CVE-2012-5613 (the one that lets users gain greater access), can in theory only be taken advantage of if the MySQL database is configured in a certain way – a way that is, in fact, strongly recommended against in at least two places in the MySQL reference manual. As ZDNet notes, “Nevertheless, servers that are misconfigured this way are vulnerable to attack.”
Perhaps the record for old issues not attended to belongs to the CVE-2012-5615 issue with discovering usernames mentioned above. Golubchik revealed that “This is hardly a 'zero-day' issue; it was known for, like, ten years.” He has filed the issue with Monty Program developers as a major bug.
Here is the list of issues with their identifying tracking numbers: CVE-2012-5611: MySQL (Linux) Stack based buffer overrun PoC Zeroday; CVE-2012-5612: MySQL (Linux) Heap Based Overrun PoC Zeroday; CVE-2012-5613: MySQL (Linux) Database Privilege Elevation Zeroday Exploit; CVE-2012-5614: MySQL Denial of Service Zeroday PoC; and CVE-2012-5615: MySQL Remote Preauth User Enumeration Zeroday.