Expect A Surge In Breaches Following MySQL Vulnerability

Published: 22/11/2024   Category: security




The vulnerability is so easily attacked and so prevalent that we're bound for a bump in database exposures



An unusual password vulnerability that makes hundreds of thousands of MySQL and MariaDB databases vulnerable to simple brute-force attacks is likely to soon start a ripple effect of increased data breach activity online, security experts predict.
According to researchers, databases within host service provider and cloud infrastructures are the likeliest targets, but all administrators are advised to keep on the lookout for patches from their open source distribution and adhere to basic best practices to mitigate risk in the interim.
[ What weaknesses do bad guys look for in your databases? See How Attackers Find And Exploit Database Vulnerabilities. ]
Initially, the vulnerability was discovered over the weekend by a developer in the MariaDB community, who reported it as a quirky but trivial bug. Subsequently, though, research into the vulnerability was crowd-sourced to the security community at large via social media, which found the problem to be a lot bigger than initially thought.
"This was one of the cases where it looked like a minor bug, but the folks didn't do enough coordination and they ended up leaving everyone out there kind of hanging in the wind," says HD Moore, chief security officer at Rapid7 and creator of Metasploit. "From their perspective, it didn't affect their shipping build, but it's all the other vendors who compile packages slightly differently who may be affected more than they realized."
The vulnerability itself is in the way MySQL accepts passwords -- the bug makes it such that there's a one-in-256 chance that the wrong password will still grant the user access to an account. So an endless loop of attempts will eventually grant an attacker access. It was a bug so unique that Moore says some MySQL developers ran into it, couldn't reproduce it, and eventually chalked it up as a fluke.
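The mechanism behind that one-in-256 figure, as an added illustration that is not code from the article or from MySQL itself: the publicly documented root cause was a memcmp-style comparison result handed back through a one-byte boolean, so any nonzero result that happened to be a multiple of 256 was truncated to 0 and read as a password match. The `my_bool` type name, the function names and the range of comparison results scanned below are constructed for this example; the hardened variants show the explicit check and the constant-time byte comparison a defender would want in that spot.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* One-byte result type, as the affected code path used (assumed here;
 * unsigned so the truncation below is well-defined modulo 256). */
typedef unsigned char my_bool;

/* Vulnerable pattern: a memcmp-style int is handed back through a one-byte
 * type. Only the low 8 bits survive, so a nonzero result that is a multiple
 * of 256 becomes 0, which the caller treats as "scramble matched". */
static my_bool vulnerable_scramble_check(int cmp_result) {
    return (my_bool)cmp_result;           /* 0 means "match" */
}

/* Hardened: decide equality in int, then produce the boolean explicitly. */
static my_bool hardened_scramble_check(int cmp_result) {
    return cmp_result != 0;               /* 0 means "match", never truncated */
}

/* Constant-time equality for scramble bytes: 0 on match, 1 on mismatch,
 * with no early exit that would reveal where the bytes first differ. */
static int scramble_equal_ct(const uint8_t *a, const uint8_t *b, size_t n) {
    uint8_t diff = 0;
    for (size_t i = 0; i < n; i++)
        diff |= (uint8_t)(a[i] ^ b[i]);
    return diff != 0;
}

/* Over every nonzero value in [-limit, limit] that an optimized memcmp
 * might return, count how many the checker wrongly reports as a match. */
static long false_accepts(my_bool (*check)(int), int limit) {
    long bad = 0;
    for (int r = -limit; r <= limit; r++) {
        if (r != 0 && check(r) == 0)
            bad++;                        /* wrong password accepted */
    }
    return bad;
}

int main(void) {
    const int limit = 65536;
    long total = 2L * limit;              /* nonzero values scanned */
    long v = false_accepts(vulnerable_scramble_check, limit);
    long h = false_accepts(hardened_scramble_check, limit);
    printf("vulnerable: %ld of %ld mismatches accepted (1 in %ld)\n",
           v, total, total / v);
    printf("hardened:   %ld of %ld mismatches accepted\n", h, total);
    return 0;
}
```

Over the scanned range the vulnerable checker accepts 512 of 131072 mismatching results, exactly one in 256, while the hardened checker accepts none.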
"I've never really seen a vulnerability like this where the thing just randomly doesn't verify your password and lets you in. I hadn't seen a vulnerability like that before," says Josh Shaul, CTO of Application Security, Inc.
Moore, who was already doing research across a number of IP spaces on the Internet, was able to use some existing data feeds to find that there are about 1.74 million vulnerable MySQL databases facing the Internet at the moment, half of which employed no kind of host-based access control to mitigate the risk of an attack. That tallies to approximately 870,000 databases online and vulnerable to an attack that needs very little technical expertise to carry out.
With such a large number of vulnerable systems and such an easy path to attack them, the community should expect a surge in breaches, he warns.
"We're going to see a lot of exposure to this," Moore says. "I wouldn't be surprised if we see a whole lot of data breaches coming out because it is so easy to exploit. You don't have to be a hacker to do it, you can just type in one line and you're guaranteed to get into a vulnerable server."
In fact, some security pundits have already thrown out wild theories that maybe we've already seen the surge start.
"Crazy theory: Could this be related to the LinkedIn, last.fm, eHarmony and other recent breaches? Did any of them have MySQL exposed? Even worse, was this really a bug or a very clever backdoor?" wrote security blogger David Dede in the Sucuri Research Blog earlier this week.
However, Shaul thinks that's not likely at all.
"I think it's unlikely because I'd be shocked to see eHarmony and LinkedIn exposing their database to the public Internet so that people could exploit it from login," he says. "I think you're much more likely looking at significantly less sophisticated IT shops that are vulnerable to this."
Nevertheless, this vulnerability still has the potential to affect databases hooked up to everything from ecommerce systems to online forums, Rapid7's Moore says. He says that even before patches are available, organizations can protect themselves with best practices.
"The good thing is that it is best practice not to expose the database to the network in the first place. We do see a lot of them out there, but those are folks who are doing something wrong to start with," he says. "And folks who don't have host access control, that's another strike against them saying, 'You aren't doing even the minimum level of security.'"
However, there are cases where host access control isn't possible, which is why he believes host service providers and cloud providers are squarely in the crosshairs for this. "There are cases where service providers have got a huge arm of shared servers and they may expose a MySQL server to some customers or their IP ... such that they can't just firewall it off," he says. "Also, you see that with a lot of cloud providers, where they give you a dynamic IP address every time your server comes up so you can't use host access control a lot of times."
This latest MySQL exposure is the second big security black eye for the database software in the past year. In September 2001, the MySQL.com website was breached and redirected to a website serving up malware controlled by the BlackHole crimeware kit. The site had been hit by a SQL injection attack in that instance.