A new stack-based buffer overflow vulnerability was released on Full Disclosure yesterday for MySQL. Depending of the user privileges, the flaw can cause MySQL to enumerate users, crash or possibly execute arbitrary code with the privileges of the user running MySQL. The following CVEs have been assigned to track this MySQL vulnerability:
CVE-2012-5611 MySQL (Linux) Stack based buffer overrun PoC Zeroday ----------- Guy Bruneau IPSS Inc. gbruneau at isc dot sans dot edu |
Guy 486 Posts ISC Handler Dec 2nd 2012 |
Thread locked Subscribe |
Dec 2nd 2012 8 years ago |
I tried the Linux vulnerabilities against my own server this morning (CET time zone).
All of them (including the Windows vulns) require that the sysadmin did not the proper job to setup MySQL server and/or the firewall protecting it. The vulns are there and must be fixed, but the chances that someone could use them against a well protected and properly configured MySQL server are extremely low. |
lrosa 5 Posts |
Quote |
Dec 2nd 2012 8 years ago |
- http://blog.trendmicro.com/trendlabs-security-intelligence/multiple-zero-day-poc-exploits-threaten-oracle-mysql-server/
Dec 6, 2012 - "... MySQL Database is famous for its high performance, high reliability and ease of use. It runs on both Windows and many non-Windows platforms like UNIX, Mac OS, Solaris, IBM AIX, etc. It has been the fastest growing application and the choice of big companies such as Facebook, Google, and Adobe among others. Given its popularity, cybercriminals and other attackers are definitely eyeing this platform..." . |
Jack 160 Posts |
Quote |
Dec 6th 2012 8 years ago |
Sign Up for Free or Log In to start participating in the conversation!