'Tragically comedic' flaw gives anyone root access to 900,000 Internet servers

No password? No problem for versions of MySQL and MariaDB that can't tell right passwords from wrong

About 1.7 million MySQL and MariaDB servers are exposed on the Internet and show the vulnerability. Of those, more than half (879,046) do not enforce host-based access controls that would compensate for the big security hole in their databases, Moore wrote.

Who is vulnerable? What can they do about it?

The vulnerability, identified as CVE-2012-2122, was addressed in MySQL 5.1.63 and 5.5.25, which were released in May. The flaw was not widely noticed, however: there is little information available about it, and there was little publicity about the update, according to a story from the IDG News Service.

There has been no official patch because Oracle no longer supports version 4.0 of MySQL.

There is already at least one exploit available to take advantage of the flaw – a threaded brute-force module written by Jonathan Cran, CTO of Pwnie Express, who also contributes to the open-source penetration-testing/hacking framework Metasploit.

There is also a sample application, contributed by Joshua Drake, a security researcher with Accuvant Labs, designed to identify machines that may be vulnerable.

The fix is pretty simple, too.

"The easiest thing to do is to modify the my.cnf file in order to restrict access to the local system," Moore wrote. "Open my.cnf with the editor of your choice, find the section labeled [mysqld] and change (or add a new line to set) the 'bind-address' parameter to '127.0.0.1'. Restart the MySQL service to apply this setting."
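The following script is an added example, not code from the article or from Rapid7: it reads a my.cnf, extracts the `bind-address` value from the `[mysqld]` section as Moore describes, and reports whether the server is pinned to the local host. The file paths and the two sample configurations are constructed for the demonstration; the helper names `mysqld_bind_address` and `bind_is_local` are this example's own.

```shell
#!/bin/sh
# Added example: audit a my.cnf for the bind-address mitigation quoted above.
# Sample files and paths below are constructed, not taken from any real host.

# Print the effective bind-address from the [mysqld] section of the given
# my.cnf. Prints nothing when the parameter is absent, in which case MySQL
# listens on every interface. Later assignments override earlier ones, as
# the server itself does; settings in other sections (e.g. [client]) are ignored.
mysqld_bind_address() {
    awk '
        /^[ \t]*\[/ { section = $0; gsub(/[][ \t]/, "", section); next }
        section == "mysqld" && /^[ \t]*bind-address[ \t]*=/ {
            sub(/^[^=]*=[ \t]*/, "")      # drop "bind-address ="
            sub(/[ \t]*(#.*)?$/, "")     # drop trailing comment and whitespace
            val = $0
        }
        END { if (val != "") print val }
    ' "$1"
}

# Return 0 when the server only accepts connections from the local host
# (the article's 127.0.0.1, plus the equivalent localhost and ::1), 1 otherwise.
bind_is_local() {
    case "$(mysqld_bind_address "$1")" in
        127.0.0.1|localhost|::1) return 0 ;;
        *)                       return 1 ;;
    esac
}

# Constructed sample configurations so the script runs stand-alone.
TMP=$(mktemp -d)
cat > "$TMP/exposed.cnf" <<'EOF'
[client]
port = 3306

[mysqld]
port = 3306
# bind-address is not set here, so the server listens on all interfaces
EOF

cat > "$TMP/hardened.cnf" <<'EOF'
[mysqld]
port = 3306
bind-address = 127.0.0.1   # restricted to the local system
EOF

for f in "$TMP/exposed.cnf" "$TMP/hardened.cnf"; do
    if bind_is_local "$f"; then
        echo "$f: bind-address=$(mysqld_bind_address "$f") (local only)"
    else
        echo "$f: bind-address='$(mysqld_bind_address "$f")' (reachable from the network; apply the fix and restart mysqld)"
    fi
done
rm -rf "$TMP"
```

Restricting `bind-address` only helps hosts whose applications run on the same machine; a database that must be reached over the network instead needs the patched server version and host-based grants (`mysql.user` entries scoped to specific hosts rather than `%`), which is the compensating control Moore's survey found missing on more than half of the exposed servers.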

Here is Rapid7's list of vulnerable editions of MySQL and MariaDB on various Linux distributions:

Confirmed as vulnerable:
