Visit our newest sister site!
Hundreds of free aircraft flight manuals
Civilian • Historical • Military • Declassified • FREE!


TUCoPS :: Unix :: General :: ciack025.htm

MySQL Password Authentication Vulnerability



MySQL Password Authentication Vulnerability Privacy and Legal Notice

CIAC INFORMATION BULLETIN

K-025: MySQL Password Authentication Vulnerability

March 1, 2000 19:00 GMT
PROBLEM:       A vulnerability has been identified in the MySQL database
               server.
PLATFORM:      MySQL database servers (versions prior to 3.22.32)
DAMAGE:        Given a valid username, the normal password authentication
               mechanism can be bypassed.
SOLUTION:      Upgrade, install newer version, or apply workaround that is
               listed below.

VULNERABILITY Risk is medium. The attacker would have to have to know the ASSESSMENT: username on the database.
[ Start FreeBSD Advisory ] ============================================================================= FreeBSD-SA-00:05 Security Advisory FreeBSD, Inc. Topic: MySQL allows bypassing of password authentication Category: ports Module: mysql322-server Announced: 2000-02-28 Affects: Ports collection before the correction date. Corrected: 2000-02-15 FreeBSD only: NO I. Background MySQL is a popular SQL database client/server distributed as part of the FreeBSD ports collection. II. Problem Description The MySQL database server (versions prior to 3.22.32) has a flaw in the password authentication mechanism which allows anyone who can connect to the server to access databases without requiring a password, given a valid username on the database - in other words, the normal password authentication mechanism can be completely bypassed. MySQL is not installed by default, nor is it "part of FreeBSD" as such: it is part of the FreeBSD ports collection, which contains over 3100 third-party applications in a ready-to-install format. FreeBSD makes no claim about the security of these third-party applications, although an effort is underway to provide a security audit of the most security-critical ports. III. Impact The successful attacker will have all of the access rights of that database user and may be able to read, add or modify records. If you have not chosen to install the mysql322-server port/package, then your system is not vulnerable. IV. Workaround Use appropriate access-control lists to limit which hosts can initiate connections to MySQL databases - see: http://www.mysql.com/Manual_chapter/manual_Privilege_system.html for more information. If unrestricted remote access to the database is not required, consider using ipfw(8) or ipf(8), or your network perimeter firewall, to prevent remote access to the database from untrusted machines (MySQL uses TCP port 3306 for network communication). Note that users who have access to machines which are allowed to initiate database connections (e.g. local users) can still exploit the security hole. V. Solution One of the following: 1) Upgrade your entire ports collection and rebuild the mysql322-server port. 2) Reinstall a new package obtained from: ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/i386/packages-3- stable/databases/mysql-server-3.22.32.tgz ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/i386/packages-4- current/databases/mysql-server-3.22.32.tgz ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/alpha/packages-4- current/databases/mysql-server-3.22.32.tgz 3) download a new port skeleton for the mysql322-server port from: http://www.freebsd.org/ports/ and use it to rebuild the port. 4) Use the portcheckout utility to automate option (3) above. The portcheckout port is available in /usr/ports/devel/portcheckout or the package can be obtained from: ftp://ftp.freebsd.org/pub/FreeBSD/ports/packages/devel/portcheckout-2.0.tgz [ End FreeBSD Advisory ]

CIAC wishes to acknowledge the contributions of FreeBSD, Inc. for the information contained in this bulletin.

CIAC services are available to DOE, DOE Contractors, and the NIH. CIAC can be contacted at:
    Voice:          +1 925-422-8193 (7 x 24)
    FAX:            +1 925-423-8002
    STU-III:        +1 925-423-2604
    E-mail:          ciac@llnl.gov
    World Wide Web:  http://www.ciac.org/
                     http://ciac.llnl.gov
                     (same machine -- either one will work)
    Anonymous FTP:   ftp.ciac.org
                     ciac.llnl.gov
                     (same machine -- either one will work)

This document was prepared as an account of work sponsored by an agency of the United States Government. Neither the United States Government nor the University of California nor any of their employees, makes any warranty, express or implied, or assumes any legal liability or responsibility for the accuracy, completeness, or usefulness of any information, apparatus, product, or process disclosed, or represents that its use would not infringe privately owned rights. Reference herein to any specific commercial products, process, or service by trade name, trademark, manufacturer, or otherwise, does not necessarily constitute or imply its endorsement, recommendation or favoring by the United States Government or the University of California. The views and opinions of authors expressed herein do not necessarily state or reflect those of the United States Government or the University of California, and shall not be used for advertising or product endorsement purposes.
UCRL-MI-119788
[Privacy and Legal Notice]


TUCoPS is optimized to look best in Firefox® on a widescreen monitor (1440x900 or better).
Site design & layout copyright © 1986-2014 AOH