MySQL Authentication Error Message User Enumeration Vulnerability Network Vulnerability

Summary

The host is running MySQL and is prone to user enumeration vulnerability.

Impact

Successful exploitation allows attackers to obtain valid usernames, which may aid them in brute-force password cracking or other attacks. Impact Level: Application

Solution

For Maria DB upgrade to 5.5.29, 5.3.12, 5.2.14 or later. For updates refer to https://mariadb.org/ For MySQL apply the updates from vendor, http://www.mysql.com/

Insight

Mysql server will respond with a different message than Access Denied, when attacker authenticates using an incorrect password with the old authentication mechanism mysql 4.x and below to a mysql 5.x server.

Affected

MySQL version 5.5.19 and possibly other versions MariaDB 5.5.28a, 5.3.11, 5.2.13, 5.1.66 and possibly other versions

References

http://osvdb.org/88067
http://secunia.com/advisories/51427
http://www.exploit-db.com/exploits/23081
http://www.openwall.com/lists/oss-security/2012/12/02/3
http://www.openwall.com/lists/oss-security/2012/12/02/4
https://bugzilla.redhat.com/show_bug.cgi?id=882608
https://mariadb.atlassian.net/browse/MDEV-3909

Updated on 2015-03-25

Severity

Classification

CVE CVE-2012-5615
CVSS Base Score: 5.0
AV:N/AC:L/Au:N/C:P/I:N/A:N

Related Vulnerabilities

Oracle MySQL Server Multiple Vulnerabilities-03 Nov12 (Windows)
MySQL Unspecified vulnerability-06 July-2013 (Windows)
MySQL Denial of Service (infinite loop) Vulnerabilities
MySQL mysqlhotcopy script insecure temporary file
IBM DB2 'REPEAT()' Heap Buffer Overflow Vulnerability

Take action and discover your vulnerabilities