Vulnerabilities > CVE-2012-5627 - Insufficiently Protected Credentials vulnerability in multiple products
Attack vector
NETWORK Attack complexity
LOW Privileges required
SINGLE Confidentiality impact
PARTIAL Integrity impact
NONE Availability impact
NONE Summary
Oracle MySQL and MariaDB 5.5.x before 5.5.29, 5.3.x before 5.3.12, and 5.2.x before 5.2.14 does not modify the salt during multiple executions of the change_user command within the same connection which makes it easier for remote authenticated users to conduct brute force password guessing attacks.
Vulnerable Configurations
Common Weakness Enumeration (CWE)
Common Attack Pattern Enumeration and Classification (CAPEC)
- Session Sidejacking Session sidejacking takes advantage of an unencrypted communication channel between a victim and target system. The attacker sniffs traffic on a network looking for session tokens in unencrypted traffic. Once a session token is captured, the attacker performs malicious actions by using the stolen token with the targeted application to impersonate the victim. This attack is a specific method of session hijacking, which is exploiting a valid session token to gain unauthorized access to a target system or information. Other methods to perform a session hijacking are session fixation, cross-site scripting, or compromising a user or server machine and stealing the session token.
- Lifting credential(s)/key material embedded in client distributions (thick or thin) An attacker examines a target application's code or configuration files to find credential or key material that has been embedded within the application or its files. Many services require authentication with their users for the various purposes including billing, access control or attribution. Some client applications store the user's authentication credentials or keys to accelerate the login process. Some clients may have built-in keys or credentials (in which case the server is authenticating with the client, rather than the user). If the attacker is able to locate where this information is stored, they may be able to retrieve these credentials. The attacker could then use these stolen credentials to impersonate the user or client, respectively, in interactions with the service or use stolen keys to eavesdrop on nominally secure communications between the client and server.
- Password Recovery Exploitation An attacker may take advantage of the application feature to help users recover their forgotten passwords in order to gain access into the system with the same privileges as the original user. Generally password recovery schemes tend to be weak and insecure. Most of them use only one security question . For instance, mother's maiden name tends to be a fairly popular one. Unfortunately in many cases this information is not very hard to find, especially if the attacker knows the legitimate user. These generic security questions are also re-used across many applications, thus making them even more insecure. An attacker could for instance overhear a coworker talking to a bank representative at the work place and supplying their mother's maiden name for verification purposes. An attacker can then try to log in into one of the victim's accounts, click on "forgot password" and there is a good chance that the security question there will be to provide mother's maiden name. A weak password recovery scheme totally undermines the effectiveness of a strong password scheme.
Exploit-Db
| description | Oracle MySQL and MariaDB Insecure Salt Generation Security Bypass Weakness. CVE-2012-5627. Remote exploit for linux platform |
| id | EDB-ID:38109 |
| last seen | 2016-02-04 |
| modified | 2012-12-06 |
| published | 2012-12-06 |
| reporter | kingcope |
| source | https://www.exploit-db.com/download/38109/ |
| title | Oracle MySQL and MariaDB Insecure Salt Generation Security Bypass Weakness |
Nessus
NASL family Gentoo Local Security Checks NASL id GENTOO_GLSA-201308-06.NASL description The remote host is affected by the vulnerability described in GLSA-201308-06 (MySQL: Multiple vulnerabilities) Multiple vulnerabilities have been discovered in MySQL. Please review the CVE identifiers referenced below for details. Impact : A remote attacker could send a specially crafted request, possibly resulting in execution of arbitrary code with the privileges of the application or a Denial of Service condition. Workaround : There is no known workaround at this time. last seen 2020-06-01 modified 2020-06-02 plugin id 69508 published 2013-08-30 reporter This script is Copyright (C) 2013-2018 Tenable Network Security, Inc. source https://www.tenable.com/plugins/nessus/69508 title GLSA-201308-06 : MySQL: Multiple vulnerabilities NASL family Ubuntu Local Security Checks NASL id UBUNTU_USN-1807-1.NASL description Multiple security issues were discovered in MySQL and this update includes new upstream MySQL versions to fix these issues. MySQL has been updated to 5.1.69 in Ubuntu 10.04 LTS and Ubuntu 11.10. Ubuntu 12.04 LTS and Ubuntu 12.10 have been updated to MySQL 5.5.31. In addition to security fixes, the updated packages contain bug fixes, new features, and possibly incompatible changes. Please see the following for more information: http://dev.mysql.com/doc/relnotes/mysql/5.1/en/news-5-1-69.html http://dev.mysql.com/doc/relnotes/mysql/5.5/en/news-5-5-31.html http://www.oracle.com/technetwork/topics/security/cpuapr2013-1899555.h tml. Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues. last seen 2020-06-01 modified 2020-06-02 plugin id 66215 published 2013-04-25 reporter Ubuntu Security Notice (C) 2013-2019 Canonical, Inc. / NASL script (C) 2013-2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/66215 title Ubuntu 10.04 LTS / 11.10 / 12.04 LTS / 12.10 : mysql-5.1, mysql-5.5, mysql-dfsg-5.1 vulnerabilities (USN-1807-1) NASL family Databases NASL id MYSQL_COM_CHANGE_USER_BRUTEFORCE_WEAKNESS.NASL description The installed version of MySQL may be affected by a security bypass vulnerability because the salt used during password validation does not change when switching users with the last seen 2020-03-18 modified 2013-11-27 plugin id 71116 published 2013-11-27 reporter This script is Copyright (C) 2013-2020 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/71116 title MySQL Server COM_CHANGE_USER Command Security Bypass NASL family Mandriva Local Security Checks NASL id MANDRIVA_MDVSA-2013-102.NASL description Updated mariadb packages includes fixes for the following security vulnerabilities : Unspecified vulnerability in the MySQL Server component in Oracle MySQL 5.5.26 and earlier allows remote attackers to affect integrity and availability, related to MySQL Client (CVE-2012-3147). Unspecified vulnerability in the MySQL Server component in Oracle MySQL 5.1.64 and earlier, and 5.5.26 and earlier, allows remote attackers to affect confidentiality, integrity, and availability via unknown vectors related to Protocol (CVE-2012-3158). Multiple SQL injection vulnerabilities in the replication code in Oracle MySQL possibly before 5.5.29, and MariaDB 5.1.x through 5.1.62, 5.2.x through 5.2.12, 5.3.x through 5.3.7, and 5.5.x through 5.5.25, allow remote authenticated users to execute arbitrary SQL commands via vectors related to the binary log. NOTE: as of 20130116, Oracle has not commented on claims from a downstream vendor that the fix in MySQL 5.5.29 is incomplete (CVE-2012-4414). Stack-based buffer overflow in the acl_get function in Oracle MySQL 5.5.19 and other versions through 5.5.28, and 5.1.53 and other versions through 5.1.66, and MariaDB 5.5.2.x before 5.5.28a, 5.3.x before 5.3.11, 5.2.x before 5.2.13 and 5.1.x before 5.1.66, allows remote authenticated users to execute arbitrary code via a long argument to the GRANT FILE command (CVE-2012-5611). A buffer overflow that can cause a server crash or arbitrary code execution (a variant of CVE-2012-5611) Heap-based buffer overflow in Oracle MySQL 5.5.19 and other versions through 5.5.28, and MariaDB 5.5.28a and possibly other versions, allows remote authenticated users to cause a denial of service (memory corruption and crash) and possibly execute arbitrary code, as demonstrated using certain variations of the (1) USE, (2) SHOW TABLES, (3) DESCRIBE, (4) SHOW FIELDS FROM, (5) SHOW COLUMNS FROM, (6) SHOW INDEX FROM, (7) CREATE TABLE, (8) DROP TABLE, (9) ALTER TABLE, (10) DELETE FROM, (11) UPDATE, and (12) SET PASSWORD commands (CVE-2012-5612). MySQL 5.5.19 and possibly other versions, and MariaDB 5.5.28a, 5.3.11, 5.2.13, 5.1.66, and possibly other versions, generates different error messages with different time delays depending on whether a user name exists, which allows remote attackers to enumerate valid usernames (CVE-2012-5615). Be advised that for CVE-2012-5615 to be completely closed, it last seen 2020-06-01 modified 2020-06-02 plugin id 66114 published 2013-04-20 reporter This script is Copyright (C) 2013-2019 Tenable Network Security, Inc. source https://www.tenable.com/plugins/nessus/66114 title Mandriva Linux Security Advisory : mariadb (MDVSA-2013:102) NASL family Databases NASL id MARIADB_5_5_29.NASL description The version of MariaDB 5.5 running on the remote host is prior to 5.5.29. It is, therefore, potentially affected by vulnerabilities in the following components : - Information Schema - InnoDB - MyISAM - Server - Server Locking - Server Optimizer - Server Parser - Server Partition - Server Privileges - Server Replication - Stored Procedure last seen 2020-06-01 modified 2020-06-02 plugin id 64935 published 2013-02-28 reporter This script is Copyright (C) 2013-2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/64935 title MariaDB 5.5 < 5.5.29 Multiple Vulnerabilities NASL family FreeBSD Local Security Checks NASL id FREEBSD_PKG_8C773D7F6CBB11E2B242C8600054B392.NASL description ORACLE reports : Multiple SQL injection vulnerabilities in the replication code Stack-based buffer overflow Heap-based buffer overflow last seen 2020-06-01 modified 2020-06-02 plugin id 64421 published 2013-02-04 reporter This script is Copyright (C) 2013-2018 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/64421 title FreeBSD : mysql/mariadb/percona server -- multiple vulnerabilities (8c773d7f-6cbb-11e2-b242-c8600054b392) NASL family Databases NASL id MARIADB_5_1_67.NASL description The version of MariaDB 5.1 running on the remote host is prior to 5.1.67. It is, therefore, potentially affected by vulnerabilities in the following components : - Information Schema - InnoDB - Server - Server Locking - Server Optimizer - Server Privileges - Server Replication last seen 2020-06-01 modified 2020-06-02 plugin id 64932 published 2013-02-28 reporter This script is Copyright (C) 2013-2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/64932 title MariaDB 5.1 < 5.1.67 Multiple Vulnerabilities NASL family Databases NASL id MARIADB_5_3_12.NASL description The version of MariaDB 5.3 running on the remote host is prior to 5.3.12. It is, therefore, potentially affected by vulnerabilities in the following components : - Information Schema - InnoDB - Server - Server Locking - Server Optimizer - Server Privileges - Server Replication last seen 2020-06-01 modified 2020-06-02 plugin id 64934 published 2013-02-28 reporter This script is Copyright (C) 2013-2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/64934 title MariaDB 5.3 < 5.3.12 Multiple Vulnerabilities NASL family Databases NASL id MARIADB_5_2_14.NASL description The version of MariaDB 5.2 running on the remote host is prior to 5.2.14. It is, therefore, potentially affected by vulnerabilities in the following components : - Information Schema - InnoDB - Server - Server Locking - Server Optimizer - Server Privileges - Server Replication last seen 2020-06-01 modified 2020-06-02 plugin id 64933 published 2013-02-28 reporter This script is Copyright (C) 2013-2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/64933 title MariaDB 5.2 < 5.2.14 Multiple Vulnerabilities
Seebug
| bulletinFamily | exploit |
| description | Bugtraq ID:56837 CVE ID:CVE-2012-5627 MySQL是一款开源关系型数据库管理系统。MariaDB是一个采用Maria存储引擎的MySQL分支版本。 MySQL处理密码salt值存在漏洞,当用户登录MySQL时,会生成Salt值用于防止密码猜测攻击。此salt值在会话开始时创建并用于整个会话,如果通过验证的攻击者使用MySQL "change_user"命令尝试以其他用户登录,由于Salt已知,可导致密码猜测更有效率。 0 MySQL 5.5.19及其他版本 MariaDB 5.5.28a, 5.3.11, 5.2.13, 5.1.66 MariaDB 5.5.29, 5.3.12, 5.2.14, 5.1.67已经修复此漏洞,建议用户下载使用: https://mariadb.atlassian.net/browse/MDEV/fixforversion/12102 https://mariadb.atlassian.net/browse/MDEV/fixforversion/12000 https://mariadb.atlassian.net/browse/MDEV/fixforversion/12101 https://mariadb.atlassian.net/browse/MDEV/fixforversion/12100 |
| id | SSV:60501 |
| last seen | 2017-11-19 |
| modified | 2012-12-11 |
| published | 2012-12-11 |
| reporter | Root |
| title | Oracle MySQL/MariaDB 不安全Salt生成安全绕过漏洞(CVE-2012-5627) |
References
- http://seclists.org/fulldisclosure/2012/Dec/58
- http://seclists.org/oss-sec/2012/q4/424
- https://bugzilla.redhat.com/show_bug.cgi?id=883719
- http://seclists.org/fulldisclosure/2012/Dec/83
- https://mariadb.atlassian.net/browse/MDEV-3915
- http://security.gentoo.org/glsa/glsa-201308-06.xml
- http://www.mandriva.com/security/advisories?name=MDVSA-2013:102
- http://secunia.com/advisories/53372