Recently, a vulnerability was listed as CVE-2012-2122: if one knows a user name to connect with (and "root" almost always exists), he can connect using *any* password by repeating connection attempts. ~300 attempts take only a fraction of a second, so basically account password protection is as good as nonexistent. Any client will do; there's no need for a special libmysqlclient library.
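Because the bypass relies on a burst of repeated connection attempts against one account, the most useful signal for a defender is a tight cluster of "Access denied" entries for the same user and source host. The following detector is an added example (not from the original post or from Rapid7): it runs a sliding-window count over constructed MySQL error-log lines in the format MySQL 5.5 emits with `log_warnings=2`, and flags any user/host pair whose denied logins exceed a threshold inside a short window. The threshold, window, sample addresses and timestamps are all assumptions chosen for illustration.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Matches the MySQL 5.5 error-log line written for a failed login when log_warnings=2.
LINE_RE = re.compile(
    r"^(?P<ts>\d{6} [ \d]\d:\d{2}:\d{2}) \[Warning\] Access denied for user "
    r"'(?P<user>[^']*)'@'(?P<host>[^']*)'"
)


def parse_line(line):
    """Return (timestamp, user, host) for an access-denied line, or None for any other line."""
    m = LINE_RE.match(line)
    if m is None:
        return None
    ts = datetime.strptime(m.group("ts"), "%y%m%d %H:%M:%S")
    return ts, m.group("user"), m.group("host")


def detect_bursts(lines, threshold=20, window_seconds=10):
    """Flag (user, host) pairs with >= threshold denied logins inside any window_seconds span.

    Lines are assumed to be in chronological order, as they are in the error log.
    Returns a sorted list of (user, host, peak_count_in_one_window).
    """
    recent = defaultdict(deque)   # (user, host) -> timestamps still inside the current window
    peak = {}                     # (user, host) -> highest count observed inside one window
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        ts, user, host = parsed
        key = (user, host)
        q = recent[key]
        q.append(ts)
        # Drop timestamps that have fallen out of the window.
        while (ts - q[0]).total_seconds() > window_seconds:
            q.popleft()
        if len(q) >= threshold and len(q) > peak.get(key, 0):
            peak[key] = len(q)
    return sorted((user, host, count) for (user, host), count in peak.items())


# Constructed sample log: a few spaced-out typos from one admin, an unrelated note line,
# and a burst of 25 failures for 'root' from a single host within the same second.
SAMPLE_LOG = [
    "120611 10:02:11 [Warning] Access denied for user 'admin'@'203.0.113.7' (using password: YES)",
    "120611 10:03:02 [Note] Plugin 'FEDERATED' is disabled.",
    "120611 10:05:40 [Warning] Access denied for user 'admin'@'203.0.113.7' (using password: YES)",
    "120611 10:09:03 [Warning] Access denied for user 'admin'@'203.0.113.7' (using password: YES)",
] + [
    "120611 10:15:01 [Warning] Access denied for user 'root'@'198.51.100.23' (using password: YES)"
] * 25


if __name__ == "__main__":
    for user, host, count in detect_bursts(SAMPLE_LOG):
        print(f"burst: {count} denied logins for '{user}' from {host} within one window")
```

The occasional mistyped password from the admin host never accumulates inside the window and is not reported; the 25 failures for root from one host in a single second are. Note that an error-log-only detector sees the failures but not the eventual success, so pairing it with the general log or with connection accounting on the host is what tells you whether a burst ended in a login.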
An exploit for this vulnerability was released on Tools Yard before. Oracle MySQL 5.1.x before 5.1.63, 5.5.x before 5.5.24, and 5.6.x before 5.6.6, and MariaDB 5.1.x before 5.1.62, 5.2.x before 5.2.12, 5.3.x before 5.3.6, and 5.5.x before 5.5.23 are vulnerable to this bug.
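The version ranges above translate directly into an inventory check. The snippet below is an added example, not the original post's code and not Rapid7's ScanNow: it parses a server version banner such as `5.5.22-log` or `5.5.23-MariaDB`, tells MySQL and MariaDB apart by the `MariaDB` suffix, and compares against the fixed-in versions the post lists. The hostnames in the sample inventory are constructed placeholders.

```python
import re

# First fixed release per product and 5.x branch, exactly as listed in the advisory text above.
FIXED = {
    "mysql": {(5, 1): (5, 1, 63), (5, 5): (5, 5, 24), (5, 6): (5, 6, 6)},
    "mariadb": {(5, 1): (5, 1, 62), (5, 2): (5, 2, 12), (5, 3): (5, 3, 6), (5, 5): (5, 5, 23)},
}

_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)")


def parse_version(banner):
    """Extract (major, minor, patch) from a server version string, ignoring any suffix."""
    m = _VERSION_RE.match(banner.strip())
    if m is None:
        raise ValueError(f"unrecognised version string: {banner!r}")
    return tuple(int(x) for x in m.groups())


def detect_product(banner):
    """MariaDB servers report a '-MariaDB' suffix in their version banner; anything else is Oracle MySQL."""
    return "mariadb" if "mariadb" in banner.lower() else "mysql"


def is_vulnerable(banner, product=None):
    """True when the banner's version is below the first fixed release for its branch."""
    product = product or detect_product(banner)
    version = parse_version(banner)
    fixed = FIXED[product].get(version[:2])
    if fixed is None:
        return False          # branch is not among those listed as affected
    return version < fixed


def triage(inventory):
    """Given {host: version_banner}, return the sorted list of hosts that need patching."""
    return sorted(host for host, banner in inventory.items() if is_vulnerable(banner))


# Constructed inventory for illustration (hostnames are placeholders).
SAMPLE_INVENTORY = {
    "db-prod-1.example": "5.5.22-log",
    "db-prod-2.example": "5.5.24",
    "db-legacy.example": "5.1.61",
    "maria-1.example": "5.5.23-MariaDB",
    "maria-2.example": "5.3.5-MariaDB",
    "db-old.example": "5.0.96",
}

if __name__ == "__main__":
    for host in triage(SAMPLE_INVENTORY):
        print(f"{host}: {SAMPLE_INVENTORY[host]} falls in a vulnerable range")
```

A version check of this kind is a triage filter, not proof: it flags every build in the listed ranges, while whether a particular binary actually exhibits the bypass depends on how it was compiled, which is what a live check like ScanNow tests directly.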
At the United Security Summit last week, Rapid7's HD Moore said that of the 3 million MySQL servers discovered online, half were running without any sort of ACL (Access Control List) on the host, which means 1.5 million systems are vulnerable to CVE-2012-2122.
The tool released today gives IT teams a quick and easy check to determine whether their MySQL deployments are vulnerable.
The ScanNow tool is free, and can be downloaded here.
System Requirements:
- OS: Windows XP / Vista / Windows 7 / Server 2003 / Server 2008 (32bit or 64bit)
- HD Space: 10 MB of disk space
- RAM: 1GB minimum, 2GB or more recommended
- Java Version: 1.6 and later
Thanks to thehackernews