Newly Disclosed MySQL Vulnerabilities Put Databases at Risk For The Holidays
Over the weekend, a security researcher posted several vulnerabilities to the Full Disclosure mailing list, seven of them related to MySQL, the most popular open source database in the world. Given that MySQL is mission critical in many environments, the vulnerabilities are worth examining.
CVE identifiers have been assigned to five of the flaws disclosed on Saturday. The Red Hat Security Team has opened tracking reports, and according to comments on the list itself, Oracle is aware of the zero-days but has not yet commented on them directly.
Researchers who have tested the vulnerabilities themselves state that all of them require that the system administrator failed to properly set up the MySQL server, or the firewall installed in front of it. Yet they concede that the disclosures are legitimate and that the flaws need to be fixed.
The first MySQL vulnerability, a stack-based buffer overflow, would allow an authenticated database user to crash the MySQL daemon or, if the overflow is exploited further, to execute code with the privileges of the account running mysqld. A separate heap-based overflow could be used to the same effect, again by an authenticated database user.
Saturday's disclosure also included details of a privilege elevation vulnerability which, if exploited, could allow an attacker holding the FILE privilege to elevate to the privileges of the MySQL administrative account. A denial-of-service (DoS) vulnerability and a user account enumeration vulnerability were disclosed as well.
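Because the reported flaws depend on an authenticated account, on a FILE grant that was handed out too freely, or on a server reachable from hosts that should never talk to it, the first thing an administrator can do is audit those three conditions. The following is an added example, not part of the Full Disclosure posting or of MySQL's own documentation; the account names and the host pattern are hypothetical, and the statements are meant to be run as a MySQL administrative user.

```sql
-- Added audit example (not from the disclosure). Run as an administrative user.
-- Account names and host patterns below are hypothetical.

-- 1. Which accounts hold the global FILE privilege? The disclosed privilege
--    elevation starts from an account that has it, so keep this list short.
SELECT user, host
FROM mysql.user
WHERE File_priv = 'Y';

-- 2. Anonymous accounts and accounts that may connect from wildcard hosts.
--    These widen the reach of the authenticated-user overflows and of
--    account enumeration. The backslash escapes the literal '%' in LIKE.
SELECT user, host
FROM mysql.user
WHERE user = ''
   OR host LIKE '%\%%';

-- 3. Network exposure and the directory LOAD_FILE/LOAD DATA may touch.
--    bind_address is only exposed as a variable from MySQL 5.6 onward; on
--    older servers check the bind-address option in my.cnf instead.
SHOW VARIABLES
WHERE Variable_name IN ('skip_networking', 'secure_file_priv', 'bind_address');

-- 4. Remediation for a hypothetical application account that has no need
--    for FILE: revoke the global privilege and confirm what remains.
REVOKE FILE ON *.* FROM 'appuser'@'10.0.0.%';
SHOW GRANTS FOR 'appuser'@'10.0.0.%';

-- 5. Remove an anonymous account the audit turned up (hypothetical example).
DROP USER ''@'localhost';
FLUSH PRIVILEGES;
```

Step 1 and step 4 address the FILE-based elevation directly; steps 2, 3 and 5 shrink the set of principals that can reach the authenticated-user bugs at all. None of this replaces a vendor patch, but it is what the researchers quoted above mean by a properly set up server.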
“It’s really a shame that high risk applications (such as those that take input from the Internet) are still failing in these ways in 2012. There’s a lot of platform security available (and other hardening techniques), but folks chose not to use them. It’s disappointing the various security teams have not improved the situation (they are the folks who should know, and should take a defensive posture),” commented Full Disclosure subscriber Jeffrey Walton.
The disclosures on Saturday were published with working proof-of-concept scripts. SecurityWeek will report further if there are new developments.
More from Steve Ragan