MySQL Authentication Error Message User Enumeration Vulnerability Network Vulnerability

Summary

The host is running MySQL and is prone to user enumeration vulnerability.

Impact

Successful exploitation allows attackers to obtain valid usernames, which may aid them in brute-force password cracking or other attacks. Impact Level: Application

Solution

For Maria DB upgrade to 5.5.29, 5.3.12, 5.2.14 or later. For updates refer to https://mariadb.org/ For MySQL apply the updates from vendor, http://www.mysql.com/

Insight

Mysql server will respond with a different message than Access Denied, when attacker authenticates using an incorrect password with the old authentication mechanism mysql 4.x and below to a mysql 5.x server.

Affected

MySQL version 5.5.19 and possibly other versions MariaDB 5.5.28a, 5.3.11, 5.2.13, 5.1.66 and possibly other versions

References

http://osvdb.org/88067
http://secunia.com/advisories/51427
http://www.exploit-db.com/exploits/23081
http://www.openwall.com/lists/oss-security/2012/12/02/3
http://www.openwall.com/lists/oss-security/2012/12/02/4
https://bugzilla.redhat.com/show_bug.cgi?id=882608
https://mariadb.atlassian.net/browse/MDEV-3909

Updated on 2015-03-25

Severity

Classification

CVE CVE-2012-5615

CVSS	Base Score: 5.0 AV:N/AC:L/Au:N/C:P/I:N/A:N

Related Vulnerabilities

Oracle Database 'XML DB component' Unspecified vulnerability
Oracle MySQL Multiple Unspecified vulnerabilities - 02 May14 (Windows)
Oracle MySQL Server Multiple Vulnerabilities-04 Nov12 (Windows)
MySQL multiple Vulnerabilities
Oracle MySQL Multiple Unspecified vulnerabilities - 03 Jan14 (Windows)

Take action and discover your vulnerabilities