Newly discovered vulnerabilities in MySQL database software could lead to software crashes, loss of service, privilege escalation and authentication bypass, but at least some of the flaws appear to depend on server and/or firewall configuration errors.
According to the Common Vulnerabilities and Exposures (CVE) entries, the issues centre on heap-based buffer overflows that can be triggered by remote users. Some of the vulnerabilities stem from previously known flaws that were left unaddressed or inadequately patched.
Similar issues were also disclosed involving SSH.com Communications' Tectia SSH Server, which was also determined to be vulnerable to authentication bypass.
"Theoretically, the MySQL zero-day should be less of a concern than the SSH server issue because a good administrator is not going to have MySQL listening to the open Internet," said Chester Wisniewski, senior security advisor at Sophos. "However, the reality is that there are probably tons of MySQL open to the Internet that should not be. So, a lot more systems would be at risk from the MySQL vulnerabilities than the SSH ones. On the other hand, the issue with that particular version of SSH enables attackers to change the administrator password without actually having logged into the system. All you need is the name of the administrator. This is obviously a very major glitch. The whole point of running SSH is to secure remote access, so the ports are open to enable that level of secure access."
Meanwhile, part of the MySQL issue involves an authentication weakness that leaves password hashes highly susceptible to brute-force attack.
A module for exploiting this vulnerability was added to the popular Metasploit penetration testing kit over the weekend. The module is also reported to read the server's master user table, and thereby to obtain all password hashes.
Patches to close the vulnerability are not yet available, and with the exploit module believed to be part of the Metasploit pen testing tool, the attack is within reach of a wider variety of hackers.
"I think right now, if you're a MySQL user, you need to keep your eyes peeled and make sure that it's not exposed to environments where your server might be accessed by someone unauthorized," said Wisniewski. "It will probably get fixed fairly quickly, but meanwhile, there are a lot of servers at risk. Make sure your firewalls are locked down as tight as possible. If you lock things down, you will probably weather the storm just fine.
"It's really unfortunate that these things are not privately disclosed so that the companies could respond ahead of time before it became public," added Wisniewski.
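One way for an administrator to act on that advice, as an added example that is not part of the article: a small Python audit that reads the [mysqld] section of a my.cnf file and a list of (User, Host) rows as returned by `SELECT User, Host FROM mysql.user`, and flags a listener bound to all interfaces or accounts that accept logins from any host. The configuration fragment and account rows below are constructed samples.

```python
# Constructed sample my.cnf fragment (not from the article) showing the
# exposed configuration an administrator would want to catch.
SAMPLE_MY_CNF = """
[mysqld]
port = 3306
bind-address = 0.0.0.0   # listens on every IPv4 interface
"""

# Constructed sample of (User, Host) rows from mysql.user; a '%' host
# means the account may be logged into from any address.
SAMPLE_ACCOUNTS = [
    ("root", "localhost"),
    ("app", "10.0.0.%"),
    ("report", "%"),
]


def parse_mysqld_section(text):
    """Return the option/value pairs found in the [mysqld] section of a my.cnf text."""
    settings = {}
    in_mysqld = False
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and whitespace
        if not line:
            continue
        if line.startswith("["):
            in_mysqld = line.lower() == "[mysqld]"
            continue
        if in_mysqld:
            key, _, value = line.partition("=")
            # MySQL treats '-' and '_' in option names as equivalent.
            settings[key.strip().replace("-", "_")] = value.strip()
    return settings


def audit_exposure(my_cnf_text, accounts):
    """List the settings and accounts that leave the server reachable from untrusted hosts."""
    findings = []
    settings = parse_mysqld_section(my_cnf_text)
    if "skip_networking" in settings:
        return findings  # TCP listener disabled entirely: nothing to reach remotely
    # With no bind-address set, MySQL listens on all interfaces by default.
    addr = settings.get("bind_address", "*")
    if addr in ("*", "0.0.0.0", "::"):
        findings.append(f"listener bound to all interfaces (bind-address={addr})")
    for user, host in accounts:
        if host == "%":
            findings.append(f"account '{user}'@'%' accepts logins from any host")
    return findings
```

Anything the audit reports is a candidate for a loopback or internal-only bind-address, a host-restricted account, or a firewall rule, pending a vendor patch.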
PUBLISHED DEC. 3, 2012