From security-officer@FreeBSD.ORG Fri Mar 10 14:22:14 2000
From: FreeBSD Security Officer <security-officer@FreeBSD.ORG>
Resent-From: mea culpa
To: undisclosed-recipients: ;
Resent-To: jericho@attrition.org
Date: Mon, 28 Feb 2000 21:26:46 -0800 (PST)
Reply-To: postmaster@FreeBSD.ORG
Subject: FreeBSD Security Advisory: FreeBSD-SA-00:05.mysql322-server

-----BEGIN PGP SIGNED MESSAGE-----

=============================================================================
FreeBSD-SA-00:05                                           Security Advisory
                                                                FreeBSD, Inc.

Topic:          MySQL allows bypassing of password authentication

Category:       ports
Module:         mysql322-server
Announced:      2000-02-28
Affects:        Ports collection before the correction date.
Corrected:      2000-02-15
FreeBSD only:   NO

I.   Background

MySQL is a popular SQL database client/server distributed as part of the
FreeBSD ports collection.

II.  Problem Description

The MySQL database server (versions prior to 3.22.32) has a flaw in the
password authentication mechanism which allows anyone who can connect to
the server to access databases without requiring a password, given a valid
username on the database - in other words, the normal password
authentication mechanism can be completely bypassed.

MySQL is not installed by default, nor is it "part of FreeBSD" as such: it
is part of the FreeBSD ports collection, which contains over 3100
third-party applications in a ready-to-install format. FreeBSD makes no
claim about the security of these third-party applications, although an
effort is underway to provide a security audit of the most
security-critical ports.

III. Impact

The successful attacker will have all of the access rights of that database
user and may be able to read, add or modify records.

If you have not chosen to install the mysql322-server port/package, then
your system is not vulnerable.

IV.  Workaround

Use appropriate access-control lists to limit which hosts can initiate
connections to MySQL databases - see:

http://www.mysql.com/Manual_chapter/manual_Privilege_system.html

for more information.

If unrestricted remote access to the database is not required, consider
using ipfw(8) or ipf(8), or your network perimeter firewall, to prevent
remote access to the database from untrusted machines (MySQL uses TCP port
3306 for network communication). Note that users who have access to
machines which are allowed to initiate database connections (e.g. local
users) can still exploit the security hole.

V.   Solution

One of the following:

1) Upgrade your entire ports collection and rebuild the mysql322-server
   port.

2) Reinstall a new package obtained from:

ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/i386/packages-3-stable/databases/mysql-server-3.22.32.tgz
ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/i386/packages-4-current/databases/mysql-server-3.22.32.tgz
ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/alpha/packages-4-current/databases/mysql-server-3.22.32.tgz

3) Download a new port skeleton for the mysql322-server port from:

http://www.freebsd.org/ports/

   and use it to rebuild the port.

4) Use the portcheckout utility to automate option (3) above. The
   portcheckout port is available in /usr/ports/devel/portcheckout or the
   package can be obtained from:

ftp://ftp.freebsd.org/pub/FreeBSD/ports/packages/devel/portcheckout-2.0.tgz

-----BEGIN PGP SIGNATURE-----
Version: 2.6.2

iQCVAwUBOLtYEVUuHi5z0oilAQHtbwP/TF0hNZwrO/wAuBjYF8Eff5aDU1KtnA9D
u0bcUakDgF/nODVxgOFZ1MfaK95PAhRqdYvtwssTqTXwlRB+PU0vtwjdt3p3l8d3
SixfhxT+Ys/v222jK+o6lJdxfKOC4chNDseboSRoCSLEESNl2NDGkBKezKSzzlng
vzxtva695bI=
=KYqf
-----END PGP SIGNATURE-----

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security-notifications" in the body of the message