A number of vulnerabilities have been disclosed in the popular database software MySQL that could allow attackers to crash the service and deny access to users, and in some cases to execute code or elevate privileges.
Although researchers initially presented five vulnerabilities, one was recognised as a duplicate of an already-known flaw and another as the consequence of a misconfiguration rather than a bug in the software.
The following Common Vulnerabilities and Exposures (CVE) identifiers have been assigned to the issues to track them:
- CVE-2012-5611 — MySQL (Linux) Stack based buffer overrun PoC Zeroday
- CVE-2012-5612 — MySQL (Linux) Heap Based Overrun PoC Zeroday
- CVE-2012-5613 — MySQL (Linux) Database Privilege Elevation Zeroday Exploit
- CVE-2012-5614 — MySQL Denial of Service Zeroday PoC
- CVE-2012-5615 — MySQL Remote Preauth User Enumeration Zeroday
The open source MySQL project was originally developed by a Swedish company of the same name, which was bought by Sun Microsystems in 2008; Sun was in turn acquired by Oracle in 2010. Oracle has yet to respond to the vulnerabilities, but Monty Program, developer of MariaDB, a drop-in replacement intended to let administrators swap out MySQL for a compatible alternative, has quickly moved to respond.
Monty Program Vice President of Architecture Sergei Golubchik (who also worked at MySQL prior to its purchase by Sun/Oracle) reported on the Open Source Security Mailing List that the first bug, CVE-2012-5611, is a duplicate of an older bug, CVE-2012-5579, which could allow users to crash the SQL instance or execute arbitrary code. It has been patched in the latest version of MariaDB.
CVE-2012-5615 allows an unauthenticated attacker to confirm whether a given username exists on the server: the server immediately answers "Access denied" when the account does not exist, but answers differently when the account exists and only the supplied credentials are wrong.
"This is hardly a 'zero-day' issue; it was known for, like, ten years. But I'll see what we can do here," Golubchik wrote. He has since filed the issue with Monty Program developers as a major bug.
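To make the oracle behind CVE-2012-5615 concrete, here is an added Python example (not code from the article, from the published PoC, or from MySQL/MariaDB) that frames MySQL wire packets and classifies the server's first reply to a login attempt. The packets are constructed inline rather than captured; the networking (connecting and sending the HandshakeResponse) is left out, and treating an auth-switch packet as the "other response" for an existing account is this example's assumption about the server behaviour the article describes. Error code 1045 is MySQL's ER_ACCESS_DENIED_ERROR.

```python
import struct
from typing import Optional

# MySQL server error code for "Access denied for user ..." (ER_ACCESS_DENIED_ERROR).
ER_ACCESS_DENIED_ERROR = 1045


def mysql_packet(seq: int, payload: bytes) -> bytes:
    """Frame a payload as one MySQL wire packet: 3-byte little-endian length, 1-byte sequence id."""
    return len(payload).to_bytes(3, "little") + bytes([seq & 0xFF]) + payload


def err_packet(seq: int, code: int, sqlstate: str, message: str) -> bytes:
    """Build a protocol-4.1 ERR packet: 0xff, u16 error code, '#' + 5-char SQLSTATE, message."""
    body = (b"\xff" + struct.pack("<H", code) + b"#"
            + sqlstate.encode("ascii") + message.encode("utf-8"))
    return mysql_packet(seq, body)


def auth_switch_packet(seq: int, plugin: str, auth_data: bytes) -> bytes:
    """Build an auth-switch request: 0xfe, NUL-terminated plugin name, plugin data."""
    return mysql_packet(seq, b"\xfe" + plugin.encode("ascii") + b"\x00" + auth_data)


def parse_packet(buf: bytes):
    """Split a wire packet into (sequence id, payload), rejecting short or truncated input."""
    if len(buf) < 4:
        raise ValueError("short packet header")
    length = int.from_bytes(buf[:3], "little")
    payload = buf[4:4 + length]
    if len(payload) != length:
        raise ValueError("truncated packet payload")
    return buf[3], payload


def classify_auth_reply(buf: bytes) -> str:
    """Name the server's first reply to a HandshakeResponse (a login attempt)."""
    _, payload = parse_packet(buf)
    if not payload:
        return "empty"
    head = payload[0]
    if head == 0x00:
        return "ok"                 # credentials accepted
    if head == 0xFE:
        return "auth-switch"        # server asks the client to retry with another auth method
    if head == 0xFF:
        code = struct.unpack_from("<H", payload, 1)[0]
        return "access-denied" if code == ER_ACCESS_DENIED_ERROR else f"error-{code}"
    return "unknown"


def username_exists(reply: bytes) -> Optional[bool]:
    """Apply the oracle from the article: an immediate access-denied means the account does
    not exist; any other auth-phase reply (ok, auth-switch) means it does. Else None."""
    kind = classify_auth_reply(reply)
    if kind == "access-denied":
        return False
    if kind in ("ok", "auth-switch"):
        return True
    return None


def enumerate_users(replies: dict) -> list:
    """Given {candidate username: server reply bytes}, return the names the oracle confirms."""
    return sorted(name for name, reply in replies.items() if username_exists(reply))


# Constructed sample replies (not captured traffic) for two login attempts with a wrong password.
# The auth-switch reply for "root" is this example's assumed shape of the "other response".
SAMPLE_REPLIES = {
    "root": auth_switch_packet(2, "mysql_old_password", b"\x00"),
    "ghost": err_packet(2, ER_ACCESS_DENIED_ERROR, "28000",
                        "Access denied for user 'ghost'@'10.0.0.5' (using password: YES)"),
}

if __name__ == "__main__":
    for name, reply in SAMPLE_REPLIES.items():
        print(f"{name}: {classify_auth_reply(reply)} -> exists={username_exists(reply)}")
    print("confirmed:", enumerate_users(SAMPLE_REPLIES))
```

The defensive takeaway is the same one the classifier encodes: any reply that differs by account existence, even before credentials are checked, is a usable oracle, so a server should answer identically for unknown and known-but-wrong-password accounts.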
As for CVE-2012-5613, it was initially posted to the Full Disclosure mailing list as a way for certain non-administrative users to gain administrative rights. It requires that the non-administrative user already holds the "FILE" privilege, which lets the account write files anywhere on the file system with the same rights as the server process.
However, as Golubchik noted, the MySQL reference manual already warns, under 6.1.3 Making MySQL Secure Against Hackers and 6.2.1 Privileges Provided by MySQL, that this is a known consequence of granting FILE and that the database should never be configured this way.
Nevertheless, servers that are misconfigured this way are vulnerable to attack.
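A configuration check that follows from this point, as an added Python example rather than anything from the article or the MySQL project: it takes rows shaped like the result of SELECT User, Host, File_priv, Super_priv FROM mysql.user (constructed sample data here), flags non-administrative accounts that hold the global FILE privilege, emits the REVOKE statements that remove it, and interprets the secure_file_priv system variable that confines where file operations may go. Treating SUPER as the marker of an administrative account, and the sample rows and variable values, are assumptions of the example.

```python
from dataclasses import dataclass
from typing import Optional


def _quote(name: str) -> str:
    """Single-quote an account-name component, doubling any embedded quote."""
    return "'" + name.replace("'", "''") + "'"


@dataclass(frozen=True)
class Account:
    user: str
    host: str
    file_priv: bool
    super_priv: bool

    def quoted(self) -> str:
        """Render the account in MySQL's 'user'@'host' form, safe for use in GRANT/REVOKE."""
        return f"{_quote(self.user)}@{_quote(self.host)}"


def load_accounts(rows) -> list:
    """Rows shaped like SELECT User, Host, File_priv, Super_priv FROM mysql.user ('Y'/'N')."""
    return [Account(u, h, fp == "Y", sp == "Y") for u, h, fp, sp in rows]


def file_priv_findings(accounts) -> list:
    """Non-administrative accounts (assumption: no SUPER) that hold the global FILE privilege."""
    return [a for a in accounts if a.file_priv and not a.super_priv]


def revoke_statements(findings) -> list:
    """Remediation: one REVOKE per offending account."""
    return [f"REVOKE FILE ON *.* FROM {a.quoted()};" for a in findings]


def secure_file_priv_status(value: Optional[str]) -> str:
    """Interpret secure_file_priv: empty or unset leaves INTO OUTFILE / LOAD DATA free to
    touch any path the server process can write; a path confines them to that directory;
    the literal NULL (supported in later releases) disables them entirely."""
    if value is None or value == "":
        return "unrestricted"
    if value.upper() == "NULL":
        return "disabled"
    return f"restricted to {value}"


# Constructed sample data, not taken from a real server.
SAMPLE_ROWS = [
    ("root", "localhost", "Y", "Y"),
    ("app", "10.0.0.%", "Y", "N"),     # web application account that should never hold FILE
    ("reporting", "%", "N", "N"),
]
SAMPLE_VARIABLES = {"secure_file_priv": ""}   # as SHOW VARIABLES LIKE 'secure_file_priv' might report


def audit(rows=SAMPLE_ROWS, variables=SAMPLE_VARIABLES) -> dict:
    """Run the whole check and return the findings and the fix-up statements."""
    findings = file_priv_findings(load_accounts(rows))
    return {
        "file_priv_holders": [a.quoted() for a in findings],
        "revokes": revoke_statements(findings),
        "secure_file_priv": secure_file_priv_status(variables.get("secure_file_priv")),
    }


if __name__ == "__main__":
    for key, value in audit().items():
        print(f"{key}: {value}")
```

On a live server the two inputs come from SELECT User, Host, File_priv, Super_priv FROM mysql.user; and SHOW VARIABLES LIKE 'secure_file_priv'; the revokes are then reviewed and applied by an administrator, and a directory for secure_file_priv is set in my.cnf so that even an account which keeps FILE cannot write into the data directory or anywhere else the mysqld process can reach.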
Security researcher Eric Romang has highlighted the issue on his blog, and also posted a video demonstrating how misconfigured servers are vulnerable.