Newly Disclosed MySQL Vulnerabilities Put Databases at Risk For The Holidays
Over the weekend, a security researcher posted several vulnerabilities to the Full Disclosure mailing list, seven of them related to MySQL, the most popular open source database in the world. Given that MySQL is mission critical in many environments, the vulnerabilities are worth examining.
Of the flaws disclosed on Saturday, CVE assignments have been issued for five of them. The Red Hat Security Team has opened tracking reports, and according to comments on the list itself, Oracle is aware of the zero-days, but has not yet commented on them directly.
Researchers who have tested the vulnerabilities themselves state that all of them require the system administrator to have failed to properly set up the MySQL server, or the firewall in front of it. Yet they acknowledge that the disclosures are legitimate and that the flaws need to be fixed.
The first MySQL vulnerability, a stack-based buffer overflow, would allow an authenticated database user to crash the MySQL daemon and then execute code with the privileges of the account under which MySQL runs. A separate heap-based overflow vulnerability could be used to the same effect; again, it requires an authenticated database user.
Saturday’s disclosure also included details of a user privilege elevation vulnerability which, if exploited, could allow an attacker with file permissions to elevate those permissions to the level of the MySQL admin user. A DoS vulnerability and an account enumeration vulnerability were disclosed as well.
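As an added defensive example that is not part of the original article: the SQL below audits a MySQL 5.x server for the preconditions these disclosures depend on, namely accounts holding the FILE privilege (taken here to be what "file permissions" above refers to), anonymous or any-host accounts that widen who counts as an "authenticated database user", and whether the server listens on every interface. The account 'webapp'@'10.0.0.%' in the final statement is a hypothetical placeholder.

```sql
-- Run as a MySQL administrator. Read-only checks first.

-- 1. Accounts that hold the global FILE privilege: the precondition for the
--    privilege-elevation flaw. Application accounts rarely need it.
SELECT User, Host, File_priv, Super_priv
  FROM mysql.user
 WHERE File_priv = 'Y';

-- 2. Anonymous accounts and accounts that may connect from any host.
--    Either one turns "requires an authenticated user" into
--    "requires a guessable password".
SELECT User, Host
  FROM mysql.user
 WHERE User = '' OR Host = '%';

-- 3. Accounts with an empty password (column name differs by version;
--    'Password' on 5.5/5.6, 'authentication_string' on 5.7+).
SELECT User, Host
  FROM mysql.user
 WHERE Password = '';

-- 4. Network exposure: bind_address of 0.0.0.0 or * means the daemon is
--    reachable on every interface and relies entirely on the firewall.
--    secure_file_priv = '' means FILE-privilege reads/writes are unrestricted.
SHOW VARIABLES WHERE Variable_name IN ('bind_address', 'secure_file_priv');

-- Remediation for an application account that does not need FILE.
-- Replace the placeholder account name with the one found in check 1.
REVOKE FILE ON *.* FROM 'webapp'@'10.0.0.%';
FLUSH PRIVILEGES;
```

A clean result for checks 1 to 3 is an empty set apart from the administrative account, and check 4 should show bind_address limited to the interface the application actually uses and a non-empty secure_file_priv.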
“It’s really a shame that high risk applications (such as those that take input from the Internet) are still failing in these ways in 2012. There’s a lot of platform security available (and other hardening techniques), but folks chose not to use them. It’s disappointing the various security teams have not improved the situation (they are the folks who should know, and should take a defensive posture),” commented Full Disclosure subscriber Jeffrey Walton.
The disclosures on Saturday were published with working proof-of-concept scripts. SecurityWeek will report further if there are new developments.