Protect yourself against future threats.
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 =========================================================================== AUSCERT Security Bulletin ASB-2010.0124 Multiple Security Vulnerabilities Identified in MySQL 5.1.x 13 May 2010 =========================================================================== AusCERT Security Bulletin Summary --------------------------------- Product: MySQL 5.1.x Operating System: Windows UNIX variants (UNIX, Linux, OSX) Impact/Access: Execute Arbitrary Code/Commands -- Existing Account Delete Arbitrary Files -- Existing Account Denial of Service -- Remote/Unauthenticated Read-only Data Access -- Existing Account Resolution: Mitigation CVE Names: CVE-2010-1850 CVE-2010-1849 CVE-2010-1848 Member content until: Saturday, June 12 2010 OVERVIEW MySQL have detailed a number of security vulnerabilities that are to be corrected in the upcoming version 5.1.47. IMPACT The vendor has provided the following information regarding these vulnerabilities [1]: * Security Fix: The server failed to check the table name argument of a COM_FIELD_LIST command packet for validity and compliance to acceptable table name standards. This could be exploited to bypass almost all forms of checks for privileges and table-level grants by providing a specially crafted table name argument to COM_FIELD_LIST. In MySQL 5.0 and above, this allowed an authenticated user with SELECT privileges on one table to obtain the field definitions of any table in all other databases and potentially of other MySQL instances accessible from the server's file system. Additionally, for MySQL version 5.1 and above, an authenticated user with DELETE or SELECT privileges on one table could delete or read content from any other table in all databases on this server, and potentially of other MySQL instances accessible from the server's file system. (Bug#53371, CVE-2010-1848) * Security Fix: The server was susceptible to a buffer-overflow attack due to a failure to perform bounds checking on the table name argument of a COM_FIELD_LIST command packet. By sending long data for the table name, a buffer is overflown, which could be exploited by an authenticated user to inject malicious code. (Bug#53237, CVE-2010-1850) * Security Fix: The server could be tricked into reading packets indefinitely if it received a packet larger than the maximum size of one packet. (Bug#50974, CVE-2010-1849) MITIGATION These vulnerabilities will reportedly be corrected in MySQL 5.1.47. At the time of this publication, this version was not yet available. Until such a time as the new version is released, administrators should ensure that queries to the MySQL database are properly sanitised before they are executed and may wish to monitor their MySQL logs for signs of malicious activity. REFERENCES [1] Changes in MySQL 5.1.47 (Not yet released) http://dev.mysql.com/doc/refman/5.1/en/news-5-1-47.html AusCERT has made every effort to ensure that the information contained in this document is accurate. However, the decision to use the information described is the responsibility of each user or organisation. The decision to follow or act on information or advice contained in this security bulletin is the responsibility of each user or organisation, and should be considered in accordance with your organisation's site policies and procedures. AusCERT takes no responsibility for consequences which may arise from following or acting on information or advice contained in this security bulletin. If you believe that your computer system has been compromised or attacked in any way, we encourage you to let us know by completing the secure National IT Incident Reporting Form at: http://www.auscert.org.au/render.html?it=3192 =========================================================================== Australian Computer Emergency Response Team The University of Queensland Brisbane Qld 4072 Internet Email: auscert@auscert.org.au Facsimile: (07) 3365 7031 Telephone: (07) 3365 4417 (International: +61 7 3365 4417) AusCERT personnel answer during Queensland business hours which are GMT+10:00 (AEST). On call after hours for member emergencies only. =========================================================================== -----BEGIN PGP SIGNATURE----- Comment: http://www.auscert.org.au/render.html?it=1967 iD8DBQFL60h//iFOrG6YcBERAl2oAKCDcdHF2p1FnBINMCFKTa1T/yhbfgCfQ+d2 BBGOz//kDEWuWbe2gUjDzhk= =6+OZ -----END PGP SIGNATURE-----