Recent MySQL vulnerabilities: Only an issue for poorly configured databases

The recently publicised MySQL vulnerabilities may wind up not being much of a risk, especially if administrators have properly configured the database.

At the end of November, a series of posts on ExploitDB revealed six vulnerabilities in the popular open source database, including buffer overflows, privilege escalation, denial of service, and remote pre-authentication flaws. Most of the bugs, if exploited successfully, could lead to system crashes or cause denial of service conditions. However, these MySQL issues only affect installations that have more serious problems exposed through poor configuration, HD Moore, chief security officer at Rapid7, told ITProPortal.

An attacker will need a valid database username and password in order to take advantage of any of the buffer overflow vulnerabilities. If the attacker has actual database credentials, there are plenty of other things the attacker can do in order to take over the server rather than resorting to these attacks, Moore noted. While the flaws are legitimate and need to be fixed, the chances that someone could use them against a well protected and properly configured MySQL server are extremely low.

"The impact of these issues is relatively low, as any affected system would have to be misconfigured for this to represent additional risk," Moore said.

The flaws aren't so critical

All the vulnerabilities, including the Windows remote execution attack, require the sysadmin to have failed to do a proper job in setting up the MySQL server or the firewall protecting it, wrote user "lrosa" on the SANS Institute's Internet Storm Center blog.

A person on the Full Disclosure mailing list argued the privilege escalation vulnerability, in which an attacker could escalate themselves to the same file permissions as the MySQL administrative user, wasn't really a bug, but just a configuration issue.

Administrators with strong account passwords, access control lists, and firewalls will have "little to worry about," Moore said.

One of the vulnerabilities, CVE-2012-5615, is a remote pre-authentication user enumeration flaw in the 4.x authentication protocol. A 10-year-old issue that has already been documented in the MySQL developer's guide, this one may have "the most long-term impact," Moore said.

An attacker would be able to learn what usernames are valid, "but not much else," he added.

Next move: Oracle

The question is: Will Oracle move quickly to patch the flaws?

The advisories included a denial-of-service demonstration, a Windows remote root attack, two overrun attacks that work on Linux, and one privilege escalation attack on Linux. Even though proof-of-concept code was included with most, if not all, of the ExploitDB posts, no one really needs to create exploits to take advantage of these flaws, because there are plenty of other techniques that can accomplish the same thing without needing database credentials, Moore said.

Even so, the vulnerabilities still need to be fixed. A serious vulnerability identified in June allowed an attacker to bypass authentication entirely. MariaDB, a MySQL fork, had a patch out "almost instantly," but it took "much longer" for Oracle to release an update. Moore noted that Oracle has historically been slower to patch MySQL than MariaDB. Various Linux distributions and other providers took even longer to make the versions of MySQL available to end users.

Oracle is capable of moving quickly, as was proven in August when the database giant issued an out-of-band update for Java after a critical vulnerability in the Java Runtime Environment was disclosed.

"Oracle was already feeling the heat with a new cross-vendor zero-day vulnerability reported in Java and is now facing additional pressure with multiple vulnerabilities reported in their widely used MySQL product," Lumension's Paul Henry told ITProPortal.