AusCERT - ASB-2010.0124 - [Win][UNIX/Linux] MySQL 5.1.x: Multiple vulnerabilities

HOME
About AusCERT
Membership
PKI Services
Training
Publications
Sec. Bulletins
Conferences
News & Media
Services
Web Log
Site Map
Site Help
Member login
ASB-2010.0124 - [Win][UNIX/Linux] MySQL 5.1.x: Multiple vulnerabilities
Date: 13 May 2010
References: ESB-2010.0478 ESB-2010.0508 ESB-2010.0964 ESB-2010.1000 ESB-2010.1039.2

Click here for printable version
Click here for PGP verifiable version
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

===========================================================================
                         AUSCERT Security Bulletin

                               ASB-2010.0124
        Multiple Security Vulnerabilities Identified in MySQL 5.1.x
                                13 May 2010

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:              MySQL 5.1.x
Operating System:     Windows
                      UNIX variants (UNIX, Linux, OSX)
Impact/Access:        Execute Arbitrary Code/Commands -- Existing Account      
                      Delete Arbitrary Files          -- Existing Account      
                      Denial of Service               -- Remote/Unauthenticated
                      Read-only Data Access           -- Existing Account      
Resolution:           Mitigation
CVE Names:            CVE-2010-1850 CVE-2010-1849 CVE-2010-1848
Member content until: Saturday, June 12 2010

OVERVIEW

        MySQL have detailed a number of security vulnerabilities that are
        to be corrected in the upcoming version 5.1.47.


IMPACT

        The vendor has provided the following information regarding these
        vulnerabilities [1]:
        
          * Security Fix: The server failed to check the table name argument 
            of a COM_FIELD_LIST command packet for validity and compliance 
            to acceptable table name standards. This could be exploited to 
            bypass almost all forms of checks for privileges and table-level 
            grants by providing a specially crafted table name argument to 
            COM_FIELD_LIST.
        
            In MySQL 5.0 and above, this allowed an authenticated user with 
            SELECT privileges on one table to obtain the field definitions of 
            any table in all other databases and potentially of other MySQL 
            instances accessible from the server's file system.
        
            Additionally, for MySQL version 5.1 and above, an authenticated 
            user with DELETE or SELECT privileges on one table could delete 
            or read content from any other table in all databases on this 
            server, and potentially of other MySQL instances accessible from 
            the server's file system. (Bug#53371, CVE-2010-1848)
        
          * Security Fix: The server was susceptible to a buffer-overflow 
            attack due to a failure to perform bounds checking on the table 
            name argument of a COM_FIELD_LIST command packet. By sending long 
            data for the table name, a buffer is overflown, which could be 
            exploited by an authenticated user to inject malicious code. 
            (Bug#53237, CVE-2010-1850)
        
          * Security Fix: The server could be tricked into reading packets 
            indefinitely if it received a packet larger than the maximum 
            size of one packet. (Bug#50974, CVE-2010-1849)


MITIGATION

        These vulnerabilities will reportedly be corrected in MySQL 5.1.47.
        At the time of this publication, this version was not yet available.
        
        Until such a time as the new version is released, administrators 
        should ensure that queries to the MySQL database are properly 
        sanitised before they are executed and may wish to monitor their
        MySQL logs for signs of malicious activity.


REFERENCES

        [1] Changes in MySQL 5.1.47 (Not yet released)
            http://dev.mysql.com/doc/refman/5.1/en/news-5-1-47.html

AusCERT has made every effort to ensure that the information contained
in this document is accurate.  However, the decision to use the information
described is the responsibility of each user or organisation. The decision to
follow or act on information or advice contained in this security bulletin is
the responsibility of each user or organisation, and should be considered in
accordance with your organisation's site policies and procedures. AusCERT
takes no responsibility for consequences which may arise from following or
acting on information or advice contained in this security bulletin.

If you believe that your computer system has been compromised or attacked in 
any way, we encourage you to let us know by completing the secure National IT 
Incident Reporting Form at:

        http://www.auscert.org.au/render.html?it=3192

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours 
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967

iD8DBQFL60h//iFOrG6YcBERAl2oAKCDcdHF2p1FnBINMCFKTa1T/yhbfgCfQ+d2
BBGOz//kDEWuWbe2gUjDzhk=
=6+OZ
-----END PGP SIGNATURE-----