Sign Up for Your FREE Weekly SecurityTracker E-mail Alert Summary
|
|
|
|
|
|
|
Put SecurityTracker Vulnerability Alerts on Your Web Site -- It's Free!
|
|
|
|
Become a Partner and License Our Database or Notification Service
|
|
|
|
|
|
|
|
|
|
|
|
|
(HP Issues Fix for HP Servicecontrol Manager) MySQL Overflow and Authentication Bugs May Let Remote Users Execute Code or Access Database Accounts
|
|
SecurityTracker Alert ID: 1007903 |
|
SecurityTracker URL: http://securitytracker.com/id/1007903
|
|
CVE Reference:
GENERIC-MAP-NOMATCH
(Links to External Site)
|
Date: Oct 8 2003
|
Impact:
Denial of service via local system, Denial of service via network, Execution of arbitrary code via network, User access via network
|
Fix Available: Yes Vendor Confirmed: Yes
|
Version(s): 3.0
|
Description:
Several vulnerabilities were reported in MySQL. A remote user could potentially execute arbitrary code on the system. A remote user with a valid database account could gain access to other accounts on the database. HP reports that all versions of Servicecontrol Manager (SCM) 3.0 (e.g., B.03.00.01) were shipped with a vulnerable version of the MySQL database.
e-matters reported that two bugs in the MySQL server allow a remote authenticated user to cause the server to crash. One of those bugs may also allow a remote user to bypass the password authentication process or execute arbitrary code on the server with the privileges of the 'mysqld' process.
An unsigned integer vulnerability was reported in the server. When processing the COM_TABLE_DUMP package, two characters are convertd to unsigned integers. If the characters are negative, the interger conversion process will result in a large unsigned number. The report states that this can probably only be exploited to cause a denial of service condition, as it is a heap-to-heap copy operation and there is no memory allocating function within the SIGSEGV handler.
An authentication vulnerability in the COM_CHANGE_USER command was reported. This flaw is a previously disclosed bug that was only partially corrected. A client can send a one character response as part of the challenge-response transaction to cause the server to create a one-character expected response. A remote client can reportedly guess the correct response in 32 attempts or less, as the allowable character set is only 32 characters.
A remote user with a valid MySQL account can access other user accounts. A local user could exploit this to gain access to the mysql root account and access, modify, or delete the database.
According to the report, a remote user can send a longer than expected response to trigger a stack overflow and overwrite the saved instruction pointer with data generated by the password verification algorithm's random number generator.
On the client side, a heap overflow vulnerability was reported in the mysaql client library. This can be triggered via a SELECT query statement (or other statements). This could allow a user to execute arbitrary code on an application that is linked against libmysqlclient.
A read_one_row byte overwrite vulnerability was also reported in libmysqlclient. When the client library fetches one row from the server, field sizes are not verified against the defined boundaries. A specially crafted malicious packet can supply an arbitrary field size to overwrite an arbitrary memory addresses with a '\0' null terminator. This could allow a remote user (with control of a database server) to execute arbitrary code on the system, or to crash the client.
For the original e-matters advisory, see:
http://security.e-matters.de/advisories/042002.html
|
Impact:
A remote user could cause the MySQL server or MySQL client application to crash. A remote user could potentially execute arbitrary code on the server with the privileges of the database. A remote user with a valid database account could access other user accounts on the database.
|
Solution:
HP has described a fix for HP Servicecontrol Manager.
HP indicates that you can update the SCM central management server to use ixMySQL version 3.23.54 which is released by the HP Internet Express group. You can install ixMySQL version 3.23.54 or subsequent and configure the SCM central management server to use ixMySQL.
See the Source Message for full installation instructions from the HP advisory.
|
Vendor URL: www.hp.com/ (Links to External Site)
|
Cause:
Boundary error
|
Underlying OS:
UNIX (HP/UX)
|
|
Message History:
This archive entry is a follow-up to the message listed below.
|
Source Message Contents
|
Date: Wed, 8 Oct 2003 10:51:21 -0400 (EDT)
Subject: HP-UX security bulletins digest
|
Document ID: HPSBUX0310-287
Date Loaded: 20031007
Title: SSRT3645 Potential Security Vulnerability in SCM3.0
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
----------------------------------------------------------------
Source: HEWLETT-PACKARD COMPANY
SECURITY BULLETIN: HPSBUX0310-287
Originally issued: 7 October 2003
SSRT3645 Potential Security Vulnerability in SCM3.0
-----------------------------------------------------------------
NOTICE: There are no restrictions for distribution of this
Bulletin provided that it remains complete and intact.
The information in the following Security Bulletin should be
acted upon as soon as possible. Hewlett-Packard Company will
not be liable for any consequences to any customer resulting
from customer's failure to fully implement instructions in this
Security Bulletin as soon as possible.
-----------------------------------------------------------------
PROBLEM: MySQL version 3.23.39, which is delivered with
Servicecontrol Manager (SCM) 3.0, has potential
security vulnerabilities.
IMPACT: Unauthorized access, increase in privilege or execution
of arbitrary code.
PLATFORM: HP 9000 servers running HP-UX B.11.00 and B.11.11 only.
SOLUTION: Update the SCM central management server to use ixMySQL
version 3.23.54 which is released by the HP Internet
Express group. (See below).
Install ixMySQL version 3.23.54 or subsequent and
configure the SCM central management server to use
ixMySQL.
Note: This fix is only available if you are running
SCM 3.0 or later. Earlier versions of SCM
must be upgraded prior to applying this fix.
MANUAL ACTIONS: Yes - NonUpdate
AVAILABILITY: The solution is included herein.
-----------------------------------------------------------------
A. Background
Any version of Servicecontrol Manager (SCM) 3.0 (such as
B.03.00.01) was shipped with a version of MySQL (3.23.39)
which contains security defects.
For more information, see:
http://www.mysql.com/documentation/mysql/bychapter/
index.html#News-3.23.54
SCM 2.5 uses LDAP and is therefore unaffected by this issue.
Systems using SCM 2.5 that were upgraded to B.03.00.00,
B.03.00.01, B.03.00.02, B.03.00.03, or B.03.00.04 need to be
upgraded further on any HP-UX B.11.00 or B.11.11 platform.
Sytems running SCM 3.0 on HP-UX B.11.23 are not affected, as
they use ixMySQL.
AFFECTED VERSIONS
=================
The following is a list by HP-UX revision of
affected filesets or patches and fix information.
To determine if a system has an affected version,
search the output of "swlist -a revision -l fileset"
for an affected fileset or patch, then determine if
a fixed revision or applicable patch is installed.
HP-UX B.11.00
HP-UX B.11.11
=============
mysql.MYSQL
fix: install ixMySQL revision 3.23.54 or subsequent, and
configure the SCM central management server to use
ixMySQL.
END AFFECTED VERSIONS
NOTE: This problem does not impact HP NonStop Servers nor
HP OpenVMS, nor HP Tru64 UNIX/Trucluster Server.
B. Recommended solution
If you are installing SCM 3.0 on a central management server
for the first time, follow these installation instructions:
1. If SCM 3.0 is not B.03.00.01 or later, download the latest
version on the Web at:
http://software.hp.com/products/SCMGR/download.html
2. Install SCM:
swinstall -s SCM3.0.x_depot -x reinstall=true B8339BA
3. Remove MySQL 3.23.39:
swremove MySQL
4. After MySQL is removed, check if the mysqld daemon is
still running:
ps -ef | grep mysqld
The mysqld daemon should not still be running. If it is,
stop it with:
kill -9 <PIDofmysqld>
5. Install the new ixMySQL
On HP-UX B.11.11
swinstall -s ix_MySQL_depot ixMySQL
On HP-UX B.11.00:
swinstall -s depot -x allow_incompatible=true ixMySQL
swconfig -x allow_incompatible=true ixMySQL
6. Configure SCM 3.0 to run with ixMySQL:
/opt/mx/bin/mxinitconfig -a server
If you need to update an existing central management server
running SCM 3.0 with MySQL 3.23.39, follow these
instructions:
1. Verify the version of SCM 3.0 (B8339BA):
swlist B8339BA
Note: Only B8339BA, B.03.00.01 or later is compatible
with ixMySQL. If you have B8339BA, B.03.00.00
installed, you need to upgrade to B.03.00.01
version or later and then complete this
procedure.
2. Backup the SCM database to a file in a secure directory:
/opt/mx/bin/mxrepositorysave -f $SAFEDIR/scm30save
3. Verify the backup file:
ls -l $SAFEDIR/scm30save
4. Backup the MySQL files:
tar cvf $SAFEDIR/mysql_files.tar /var/opt/mysq/mxcoredb/.
5. If the version of SCM is not B.03.00.01 or later, upgrade
to the latest version of SCM.
a. Download the latest version on the Web at:
http://www.software.hp.com/products/SCMGR/
b. Update SCM to the latest version:
swinstall -s SCM3.0.x_depot -x reinstall=true B8339BA
6. Stop SCM daemons:
/sbin/init.d/ServCtlMgr stop server
7. Remove MySQL 3.23.39:
swremove MySQL
8. After MySQL is removed, check if the mysqld daemon is still
running:
ps -ef | grep mysqld
The mysqld daemon should not still be running. If it is,
stop it with:
kill -9 <PIDofMySQL>
9. Install ixMySQL.
On HP-UX B.11.11
swinstall -s ix_MySQL_depot ixMySQL
On HP-UX B.11.00:
swinstall -s depot -x allow_incompatible=true ixMySQL
swconfig -x allow_incompatible=true ixMySQL
10. Configure SCM 3.0 to run with ixMySQL:
/opt/mx/lbin/mxconfigrepo -a -F
11. Restore the SCM 3.0 data:
/opt/mx/bin/mxrepositoryrestore -f $SAFEDIR/scm30save
12. Run SCM 3.0 with ixMySQL:
/opt/mx/bin/mxinitconfig -a server
C. To subscribe to automatically receive future NEW HP Security
Bulletins from the HP IT Resource Center via electronic
mail, do the following:
Use your browser to get to the HP IT Resource Center page
at:
http://itrc.hp.com
Use the 'Login' tab at the left side of the screen to login
using your ID and password. Use your existing login or the
"Register" button at the left to create a login, in order to
gain access to many areas of the ITRC. Remember to save the
User ID assigned to you, and your password.
In the left most frame select "Maintenance and Support".
Under the "Notifications" section (near the bottom of
the page), select "Support Information Digests".
To -subscribe- to future HP Security Bulletins or other
Technical Digests, click the check box (in the left column)
for the appropriate digest and then click the "Update
Subscriptions" button at the bottom of the page.
or
To -review- bulletins already released, select the link
(in the middle column) for the appropriate digest.
NOTE: Using your itrc account security bulletins can be
found here:
http://itrc.hp.com/cki/bin/doc.pl/screen=ckiSecurityBulletin
To -gain access- to the Security Patch Matrix, select
the link for "The Security Bulletins Archive". (near the
bottom of the page) Once in the archive the third link is
to the current Security Patch Matrix. Updated daily, this
matrix categorizes security patches by platform/OS release,
and by bulletin topic. Security Patch Check completely
automates the process of reviewing the patch matrix for
11.XX systems. Please note that installing the patches
listed in the Security Patch Matrix will completely
implement a security bulletin _only_ if the MANUAL ACTIONS
field specifies "No."
The Security Patch Check tool can verify that a security
bulletin has been implemented on HP-UX 11.XX systems providing
that the fix is completely implemented in a patch with no
manual actions required. The Security Patch Check tool cannot
verify fixes implemented via a product upgrade.
For information on the Security Patch Check tool, see:
http://www.software.hp.com/cgi-bin/swdepot_parser.cgi/cgi/
displayProductInfo.pl?productNumber=B6834AA
The security patch matrix is also available via anonymous
ftp:
ftp://ftp.itrc.hp.com/export/patches/hp-ux_patch_matrix/
On the "Support Information Digest Main" page:
click on the "HP Security Bulletin Archive".
The PGP key used to sign this bulletin is available from
several PGP Public Key servers. The key identification
information is:
2D2A7D59
HP Security Response Team (Security Bulletin signing only)
<security-alert@hp.com>
Fingerprint =
6002 6019 BFC1 BC62 F079 862E E01F 3AFC 2D2A 7D59
If you have problems locating the key please write to
security-alert@hp.com. Please note that this key is
for signing bulletins only and is not the key returned
by sending 'get key' to security-alert@hp.com.
D. To report new security vulnerabilities, send email to
security-alert@hp.com
Please encrypt any exploit information using the
security-alert PGP key, available from your local key
server, or by sending a message with a -subject- (not body)
of 'get key' (no quotes) to security-alert@hp.com.
-----------------------------------------------------------------
(c)Copyright 2003 Hewlett-Packard Company
Hewlett-Packard Company shall not be liable for technical or
editorial errors or omissions contained herein. The information
in this document is subject to change without notice.
Hewlett-Packard Company and the names of HP products referenced
herein are trademarks and/or service marks of Hewlett-Packard
Company. Other product and company names mentioned herein may be
trademarks and/or service marks of their respective owners.
________________________________________________________________
- --
-----BEGIN PGP SIGNATURE-----
Version: PGP 8.0
iQA/AwUBP4M2muAfOvwtKn1ZEQLIQgCfSHnkqAkgKpMyKcpVVDqt4CAs+4MAn36g
T58QEKTMqJWjqOcQsrbMd/8v
=h8jq
-----END PGP SIGNATURE-----
-----End of Document ID: HPSBUX0310-287--------------------------------------
|
|
Go to the Top of This SecurityTracker Archive Page
|
