===========================================================================
                         AUSCERT Security Bulletin

                               ASB-2012.0084
                  MySQL Arbitrary Password Vulnerability
                               12 June 2012

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:              MySQL
Operating System:     UNIX variants (UNIX, Linux, OSX)
                      Windows
Impact/Access:        Unauthorised Access -- Remote/Unauthenticated
Resolution:           Patch/Upgrade
CVE Names:            CVE-2012-2122  
Member content until: Thursday, July 12 2012

OVERVIEW

        An incorrect type conversion in the password handling routines in some
        builds of MySQL causes unsafe password authentication and permits any
        existing user (including root) to authenticate and gain database access
        with an incorrect password.


IMPACT

        After a sufficient number of incorrect attempts with an invalid password,
        a remote attacker may successfully connect to a MySQL database as any
        existing user, including root. With remote access to the MySQL service,
        a brute force attack against this vulnerability is feasible.


MITIGATION

        Whether an installation is vulnerable depends on how and where MySQL
        was built. Official MySQL binaries are not known to be affected, but
        members are advised to monitor for bulletins from their respective
        vendors. Where possible, restricting direct access to public-facing
        MySQL installations may mitigate the impact of this vulnerability.

        This bug was given the ID 64884 by MySQL and it was corrected in MySQL
        5.1.63 [1] and 5.5.24 [2].
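
        As an added example (not part of this bulletin or of MySQL), a small
        detector for the footprint described under IMPACT: a burst of denied
        connections followed by an accepted one for the same account and source.
        It assumes the MariaDB audit-plugin CSV layout (timestamp, serverhost,
        user, host, connid, queryid, operation, database, object, retcode); the
        log lines, hosts and thresholds below are constructed.

```python
import csv
from collections import defaultdict, deque
from datetime import datetime, timedelta
from io import StringIO

# Constructed sample in the (assumed) MariaDB audit-plugin CSV layout:
# timestamp,serverhost,user,host,connid,queryid,operation,database,object,retcode
# retcode 0 = connection accepted, non-zero (here 1045) = access denied.
SAMPLE_LOG = """\
20120612 09:30:00,db1,root,198.51.100.9,31,0,CONNECT,,,1045
20120612 10:00:01,db1,app,10.0.0.7,40,0,CONNECT,shop,,0
20120612 10:01:00,db1,root,203.0.113.5,41,0,CONNECT,,,1045
20120612 10:01:00,db1,root,203.0.113.5,42,0,CONNECT,,,1045
20120612 10:01:01,db1,root,203.0.113.5,43,0,CONNECT,,,1045
20120612 10:01:01,db1,root,203.0.113.5,44,0,CONNECT,,,1045
20120612 10:01:02,db1,root,203.0.113.5,45,0,CONNECT,,,1045
20120612 10:01:03,db1,root,203.0.113.5,46,0,CONNECT,,,0
20120612 10:01:04,db1,root,203.0.113.5,46,1,QUERY,mysql,'SELECT 1',0
20120612 10:05:00,db1,alice,10.0.0.8,50,0,CONNECT,,,1045
20120612 10:05:09,db1,alice,10.0.0.8,51,0,CONNECT,shop,,0
20120612 10:20:00,db1,root,198.51.100.9,60,0,CONNECT,,,0
"""

def detect_failure_then_success(log_text, window_s=60, threshold=3):
    """Return (timestamp, user, host, failures) for every accepted CONNECT
    that follows at least `threshold` denied CONNECTs from the same
    user@host within `window_s` seconds. A mistyped password gives one or
    two denials; a burst of denials ending in an accepted connection is the
    footprint of the repeated-attempt access the bulletin describes."""
    window = timedelta(seconds=window_s)
    failures = defaultdict(deque)  # (user, host) -> timestamps of denials
    alerts = []
    for row in csv.reader(StringIO(log_text)):
        if len(row) < 10 or row[6] != "CONNECT":
            continue
        ts = datetime.strptime(row[0], "%Y%m%d %H:%M:%S")
        recent = failures[(row[2], row[3])]
        while recent and ts - recent[0] > window:  # drop denials outside the window
            recent.popleft()
        if row[9] != "0":
            recent.append(ts)
        elif len(recent) >= threshold:
            alerts.append((row[0], row[2], row[3], len(recent)))
            recent.clear()
    return alerts

if __name__ == "__main__":
    for alert in detect_failure_then_success(SAMPLE_LOG):
        print("suspicious login: %s %s@%s after %d denials" % alert)
```

        Only the root login from 203.0.113.5 is reported; alice's single typo
        and the stale failure from 198.51.100.9 fall below the threshold or
        outside the window.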


REFERENCES

        [1] Changes in MySQL 5.1.63 (07 May 2012)
            http://dev.mysql.com/doc/refman/5.1/en/news-5-1-63.html

        [2] Changes in MySQL 5.5.24 (07 May 2012)
            http://dev.mysql.com/doc/refman/5.5/en/news-5-5-24.html

        [3] Bug #64884 - logins with incorrect password are allowed
            http://bugs.mysql.com/bug.php?id=64884

        [4] Security vulnerability in MySQL/MariaDB sql/password.c
            http://seclists.org/oss-sec/2012/q2/493

AusCERT has made every effort to ensure that the information contained
in this document is accurate.  However, the decision to use the information
described is the responsibility of each user or organisation. The decision to
follow or act on information or advice contained in this security bulletin is
the responsibility of each user or organisation, and should be considered in
accordance with your organisation's site policies and procedures. AusCERT
takes no responsibility for consequences which may arise from following or
acting on information or advice contained in this security bulletin.

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours 
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================