Newly Disclosed MySQL Vulnerabilities Put Databases at Risk For The Holidays

Over the weekend, a security researcher posted several vulnerabilities to the Full Disclosure mailing list, seven of them related to MySQL, the most popular open source database in the world. Given that MySQL is mission critical in many environments, the vulnerabilities are worth examining.

CVE identifiers have been assigned to five of the flaws disclosed on Saturday. The Red Hat Security Team has opened tracking reports, and according to comments on the list itself, Oracle is aware of the zero-days but has not yet commented on them directly.

Researchers who have tested the vulnerabilities themselves state that all of them require that the system administrator failed to properly set up the MySQL server, or the firewall installed in front of it. Yet they admit that the disclosures are legitimate and that the flaws need to be fixed.

The first MySQL vulnerability, a stack-based buffer overflow, would allow an authenticated database user to crash the MySQL daemon and then execute code with the same privileges as the user running MySQL. A separate heap-based overflow vulnerability could be used to the same effect, again by an authenticated database user.

Saturday’s disclosure also included details of a user privilege elevation vulnerability which, if exploited, could allow an attacker holding file permissions to elevate those permissions to the level of the MySQL admin user. A DoS vulnerability and an account enumeration vulnerability were disclosed as well.
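As an added defensive check, not part of the article or the disclosure, the following MySQL statements surface the preconditions described above: accounts holding the global FILE privilege, accounts reachable from any host, and whether networking and file output are restricted. The account name in the REVOKE line is a placeholder.

```sql
-- Added audit, not from the SecurityWeek article or the Full Disclosure posts.
-- Accounts with the global FILE privilege (the "file permissions" named for the
-- privilege-elevation flaw) and accounts accepting logins from any host, which
-- widens the pool of "authenticated database users" the overflows require.
SELECT User, Host, File_priv, Super_priv
FROM mysql.user
WHERE File_priv = 'Y' OR Host = '%'
ORDER BY User, Host;

-- Is TCP networking disabled, and is SELECT ... INTO OUTFILE / LOAD DATA
-- confined to a single directory (secure_file_priv) rather than unrestricted?
SHOW VARIABLES
WHERE Variable_name IN ('skip_networking', 'secure_file_priv');

-- Remediation for an account that does not need file access
-- ('app_user'@'%' is a placeholder; substitute the rows returned above).
REVOKE FILE ON *.* FROM 'app_user'@'%';
FLUSH PRIVILEGES;
```

Run these as a DBA against each server before the holidays; an empty first result set and a non-empty secure_file_priv are the outcomes to aim for.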

“It’s really a shame that high risk applications (such as those that take input from the Internet) are still failing in these ways in 2012. There's a lot of platform security available (and other hardening techniques), but folks chose not to use them. It's disappointing the various security teams have not improved the situation (they are the folks who should know, and should take a defensive posture),” commented Full Disclosure subscriber Jeffrey Walton.

The disclosures on Saturday were published with working proof-of-concept scripts. SecurityWeek will report further if there are new developments.