===========================================================================
AUSCERT Security Bulletin ASB-2012.0084
MySQL Arbitrary Password Vulnerability
12 June 2012
===========================================================================

AusCERT Security Bulletin Summary
---------------------------------

Product:              MySQL
Operating System:     UNIX variants (UNIX, Linux, OSX)
                      Windows
Impact/Access:        Unauthorised Access -- Remote/Unauthenticated
Resolution:           Patch/Upgrade
CVE Names:            CVE-2012-2122
Member content until: Thursday, July 12 2012

OVERVIEW

An incorrect type conversion in the password handling routines in some
builds of MySQL causes unsafe password authentication and permits any
existing user (including root) to authenticate and gain database access
with an incorrect password.

IMPACT

After a sufficient number of incorrect attempts with an invalid password,
a remote attacker may successfully connect to a MySQL database as any
existing user, including root. With remote access to the MySQL service,
a brute force attack against this vulnerability is feasible.

MITIGATION

Whether an installation is vulnerable depends on how and where MySQL was
built. Official MySQL binaries are not known to be affected, but members
are advised to monitor for bulletins from their respective vendors.

Where possible, restricting direct access to public-facing MySQL
installations may mitigate the impact of this vulnerability.

This bug was given the ID 64884 by MySQL and it was corrected in
MySQL 5.1.63 [1] and 5.5.24 [2].
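The following C program is an added illustration of the defect class the advisory describes (an int comparison result narrowed to a one-byte type) beside a corrected comparison; it is not code from the advisory or from MySQL, and the one-byte boolean type, the word-wise compare routine, the 20-byte digest length and the sample digests are all constructed for the illustration.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define HASH_LEN 20                 /* assumption: a 20-byte password digest */
typedef char narrow_bool_t;         /* constructed one-byte "boolean" type   */

/* Constructed comparison that returns a full-width difference, as a
 * word-oriented memcmp-style routine may do: any non-zero int means mismatch. */
static int wide_compare(const uint8_t *a, const uint8_t *b, size_t n)
{
    size_t i = 0;
    for (; i + 4 <= n; i += 4) {
        uint32_t wa = ((uint32_t)a[i] << 24) | ((uint32_t)a[i + 1] << 16) |
                      ((uint32_t)a[i + 2] << 8) | a[i + 3];
        uint32_t wb = ((uint32_t)b[i] << 24) | ((uint32_t)b[i + 1] << 16) |
                      ((uint32_t)b[i + 2] << 8) | b[i + 3];
        if (wa != wb)
            return (int)(wa - wb);
    }
    for (; i < n; i++)
        if (a[i] != b[i])
            return (int)a[i] - (int)b[i];
    return 0;
}

/* Defective pattern: the int result is silently narrowed to one byte, so a
 * difference that is a multiple of 256 truncates to 0 and reads as "match". */
static narrow_bool_t hash_mismatch_narrowed(const uint8_t *stored, const uint8_t *computed)
{
    return wide_compare(stored, computed, HASH_LEN);
}

/* Corrected pattern: compare every byte, accumulate in a full-width value and
 * collapse to an explicit 0/1 only at the end (also constant-time). */
static int hash_mismatch_fixed(const uint8_t *stored, const uint8_t *computed)
{
    uint8_t diff = 0;
    for (size_t i = 0; i < HASH_LEN; i++)
        diff |= (uint8_t)(stored[i] ^ computed[i]);
    return diff != 0;
}

/* Constructed sample digests: WRONG_HIGH differs from STORED only in byte 0,
 * so wide_compare returns 0x01000000, which truncates to 0 in a one-byte type. */
static const uint8_t STORED[HASH_LEN]     = {0x02, 0x11, 0x22, 0x33, 0x44, 0x55, 0x66, 0x77, 0x88, 0x99,
                                             0xaa, 0xbb, 0xcc, 0xdd, 0xee, 0xff, 0x10, 0x20, 0x30, 0x40};
static const uint8_t WRONG_HIGH[HASH_LEN] = {0x01, 0x11, 0x22, 0x33, 0x44, 0x55, 0x66, 0x77, 0x88, 0x99,
                                             0xaa, 0xbb, 0xcc, 0xdd, 0xee, 0xff, 0x10, 0x20, 0x30, 0x40};
static const uint8_t WRONG_LAST[HASH_LEN] = {0x02, 0x11, 0x22, 0x33, 0x44, 0x55, 0x66, 0x77, 0x88, 0x99,
                                             0xaa, 0xbb, 0xcc, 0xdd, 0xee, 0xff, 0x10, 0x20, 0x30, 0x41};
```

Run with a wrapper that prints both results for the three digests: the narrowed check reports no mismatch for WRONG_HIGH while the fixed check reports one, and both agree on the other two cases.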
REFERENCES

[1] Changes in MySQL 5.1.63 (07 May 2012)
    http://dev.mysql.com/doc/refman/5.1/en/news-5-1-63.html

[2] Changes in MySQL 5.5.24 (07 May 2012)
    http://dev.mysql.com/doc/refman/5.5/en/news-5-5-24.html

[3] Bug #64884 - logins with incorrect password are allowed
    http://bugs.mysql.com/bug.php?id=64884

[4] Security vulnerability in MySQL/MariaDB sql/password.c
    http://seclists.org/oss-sec/2012/q2/493

AusCERT has made every effort to ensure that the information contained in
this document is accurate. However, the decision to use the information
described is the responsibility of each user or organisation. The decision
to follow or act on information or advice contained in this security
bulletin is the responsibility of each user or organisation, and should be
considered in accordance with your organisation's site policies and
procedures. AusCERT takes no responsibility for consequences which may
arise from following or acting on information or advice contained in this
security bulletin.

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================