Summary
The host is running MySQL and is prone to a user enumeration vulnerability.
Impact
Successful exploitation allows attackers to obtain valid usernames, which may aid them in brute-force password cracking or other attacks.
Impact Level: Application
Solution
For MariaDB, upgrade to 5.5.29, 5.3.12, 5.2.14 or later.
For updates, refer to https://mariadb.org/
For MySQL, apply the updates from the vendor: http://www.mysql.com/
Insight
The MySQL server responds with a message other than "Access denied" when an attacker authenticates to a MySQL 5.x server with an incorrect password using the old authentication mechanism (MySQL 4.x and below).
Affected
MySQL version 5.5.19 and possibly other versions
MariaDB 5.5.28a, 5.3.11, 5.2.13, 5.1.66 and possibly other versions
References
- http://osvdb.org/88067
- http://secunia.com/advisories/51427
- http://www.exploit-db.com/exploits/23081
- http://www.openwall.com/lists/oss-security/2012/12/02/3
- http://www.openwall.com/lists/oss-security/2012/12/02/4
- https://bugzilla.redhat.com/show_bug.cgi?id=882608
- https://mariadb.atlassian.net/browse/MDEV-3909
Updated on 2015-03-25
Severity
Classification
CVE: CVE-2012-5615
CVSS Base Score: 5.0
AV:N/AC:L/Au:N/C:P/I:N/A:N
Related Vulnerabilities
- Oracle MySQL Multiple Unspecified vulnerabilities-02 July14 (Windows)
- Oracle MySQL Multiple Unspecified vulnerabilities - 02 May14 (Windows)
- Oracle Database 'XML DB component' Unspecified vulnerability
- MySQL Unspecified vulnerabilities-01 July-2013 (Windows)
- MySQL MyISAM Table Privileges Security Bypass Vulnerability