A very nasty brute-force attack against some implementations of MYSQL has been announced. It is tracked as CVE-2012-2122.
On vulnerable systems, an attacker who knows a user name to connect with (and "root" almost always exists) can connect using any password simply by repeating connection attempts. Around 300 attempts take only a fraction of a second, so in practice account password protection is as good as nonexistent. Any client will do; there is no need for a special libmysqlclient library.
The original notification post from Sergei Golubchik (MariaDB Security Coordinator) goes into more detail on the background to this attack.
The good news is that not all implementations of mysql/mariadb are affected - it depends on the specific environment in which the server code was compiled. For instance, Network Box NBRS-3 appliances have a mysql server component, and we have already confirmed that this component is not vulnerable to this attack.
Redscan urges all our customers running versions of MySQL to confirm whether they are vulnerable to such an attack, and to take action to apply preventative patches. For a unix-based server with 'root' as a mysql user, the following will give an indication of whether you are vulnerable (a vulnerable server will eventually accept the bad password and drop you into a mysql prompt):
for A in `seq 1 1000`; do mysql -h 127.0.0.1 -u root --password=bad; done
Due to the nature of the attack, publicly reachable mysql servers (usually listening on tcp/3306) are particularly exposed, but internally reachable mysql servers may also be an issue. IDP can help block attacks, but such protection may not be 100% effective against all forms of the attack.
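Because the attack needs hundreds of failed connections within a second, it leaves a distinctive trace in the server's error log when "Access denied" warnings are being recorded (log_warnings set above 1). The following detector is an added example written for this note, not code from the advisory or from MySQL itself: it parses lines in the MySQL 5.x error-log format as assumed here ("YYMMDD HH:MM:SS [Warning] Access denied for user 'u'@'h' (using password: YES)"), groups failures per user, source host and one-second bucket, and reports any pair whose peak rate reaches a threshold. The log excerpt it runs over is constructed inline for illustration.

```python
import re
from collections import Counter

# Assumed format of the "Access denied" warning in the MySQL 5.x error log
# (timestamps have one-second resolution, so a sub-second burst of 300
# attempts collapses into 300 lines sharing the same timestamp).
ACCESS_DENIED_RE = re.compile(
    r"^(?P<ts>\d{6} \d{2}:\d{2}:\d{2}) \[Warning\] Access denied for user "
    r"'(?P<user>[^']*)'@'(?P<host>[^']*)' \(using password: (?P<pw>YES|NO)\)"
)


def parse_access_denied(line):
    """Return (timestamp, user, host) for an Access-denied line, else None."""
    m = ACCESS_DENIED_RE.match(line)
    if not m:
        return None
    return m.group("ts"), m.group("user"), m.group("host")


def find_bursts(lines, threshold=20):
    """Report (user, host) pairs with a burst of failed logins.

    Returns {(user, host): peak failures in any single one-second bucket}
    for pairs whose peak reaches `threshold`. A genuine mistyped password
    produces a handful of failures seconds apart and stays below the
    threshold; a CVE-2012-2122 attempt produces hundreds in one second.
    """
    per_second = Counter()
    for line in lines:
        parsed = parse_access_denied(line)
        if parsed is None:
            continue  # unrelated log line
        ts, user, host = parsed
        per_second[(user, host, ts)] += 1

    peak = {}
    for (user, host, ts), n in per_second.items():
        key = (user, host)
        if n > peak.get(key, 0):
            peak[key] = n
    return {k: v for k, v in peak.items() if v >= threshold}


def constructed_sample_log():
    """Constructed error-log excerpt for the demo (not from a real server)."""
    lines = [
        # A legitimate user mistyping a password twice, seconds apart.
        "120611 10:14:55 [Warning] Access denied for user 'app'@'10.0.0.9' (using password: YES)",
        "120611 10:15:03 [Warning] Access denied for user 'app'@'10.0.0.9' (using password: YES)",
        "120611 10:15:03 [Note] Unrelated server message",
    ]
    # 300 failures for root from one source, all within the same second.
    lines += [
        "120611 10:15:01 [Warning] Access denied for user 'root'@'10.0.0.5' (using password: YES)"
    ] * 300
    return lines


if __name__ == "__main__":
    for (user, host), n in find_bursts(constructed_sample_log()).items():
        print(f"burst: {n} failed logins in one second for '{user}'@'{host}'")
```

Run against a real error log with `find_bursts(open("/path/to/mysql-error.log"))` (path assumed). The threshold of 20 is a starting point; tune it to your environment, and remember that a server which is vulnerable will log at most the failures that preceded the one successful connection, so the burst should be treated as a sign of a possible compromise, not only of an attempt.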