MariaDB 10.0.x < 10.0.20 Multiple Vulnerabilities (BACKRONYM)

medium Nessus Plugin ID 84796

Synopsis

The remote database server is affected by multiple vulnerabilities.

Description

The version of MariaDB running on the remote host is 10.0.x prior to 10.0.20. It is, therefore, affected by multiple vulnerabilities:

- An unspecified flaw exists in the GIS component that allows an authenticated, remote attacker to cause a denial of service condition. (CVE-2015-2582)

- An unspecified flaw exists in the Security: Privileges component that allows an authenticated, remote attacker to disclose sensitive information. (CVE-2015-2620)

- An unspecified flaw exists in the Optimizer component that allows an authenticated, remote attacker to cause a denial of service condition. (CVE-2015-2643)

- An unspecified flaw exists in the DML component that allows an authenticated, remote attacker to cause a denial of service condition. (CVE-2015-2648)

- A security feature bypass vulnerability, known as 'BACKRONYM', exists due to a failure to properly enforce the requirement of an SSL/TLS connection when the --ssl client option is used. A man-in-the-middle attacker can exploit this flaw to coerce the client to downgrade to an unencrypted connection, allowing the attacker to disclose data from the database or manipulate database queries. (CVE-2015-3152)

- An unspecified flaw exists in the I_S component that allows an authenticated, remote attacker to cause a denial of service condition. (CVE-2015-4752)

- An unspecified flaw exists in the Security: Privileges component that allows an authenticated, remote attacker to impact integrity. (CVE-2015-4864)

- A denial of service vulnerability exists in the get_server_from_table_to_cache() function within file sql/sql_servers.cc when handling empty names. An authenticated, remote attacker can exploit this to crash the server.

- A denial of service vulnerability exists when updating leaf tables with JOIN during list storing. An authenticated, remote attacker can exploit this to crash the server.

- A denial of service vulnerability exists within file ha_innodb.cc when handling concurrent multi-table updates. An authenticated, remote attacker can exploit this to crash the server.

- An out-of-bounds read error exists in the escape_string_hide_passwords() function within file plugin/server_audit/server_audit.c when handling specially crafted SET PASSWORD queries. An authenticated, remote attacker can exploit this to disclose memory contents or cause a denial of service condition.

- A denial of service vulnerability exists in the wait_for_workers_idle() function within file rpl_parallel.cc when handling worker threads. An authenticated, remote attacker can exploit this to crash the database.

- A denial of service vulnerability exists in sys_var_pluginvar::plugin due to improper initialization, leading to a race condition between INSTALL PLUGIN and SET that results in an uninitialized memory reference. An authenticated, remote attacker can exploit this to crash the database.

Solution

Upgrade to MariaDB version 10.0.20 or later.

See Also

https://mariadb.com/kb/en/mariadb/mariadb-10020-release-notes/

https://mariadb.com/kb/en/mariadb/mariadb-10020-changelog/

http://backronym.fail/

Plugin Details

Severity: Medium

ID: 84796

File Name: mariadb_10_0_20.nasl

Version: 1.11

Type: remote

Family: Databases

Published: 7/16/2015

Updated: 11/22/2019

Configuration: Enable paranoid mode

Supported Sensors: Frictionless Assessment Agent, Nessus

Risk Information

VPR

Risk Factor: Medium

Score: 4.4

CVSS v2

Risk Factor: Medium

Base Score: 4.3

Temporal Score: 3.2

Vector: CVSS2#AV:N/AC:M/Au:N/C:N/I:P/A:N

CVSS Score Source: CVE-2015-3152

CVSS v3

Risk Factor: Medium

Base Score: 5.9

Temporal Score: 5.2

Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N

Temporal Vector: CVSS:3.0/E:U/RL:O/RC:C

Vulnerability Information

CPE: cpe:/a:mariadb:mariadb

Required KB Items: Settings/ParanoidReport

Exploit Ease: No known exploits are available

Patch Publication Date: 6/18/2015

Vulnerability Publication Date: 6/22/2012

Reference Information

CVE: CVE-2015-2582, CVE-2015-2620, CVE-2015-2643, CVE-2015-2648, CVE-2015-3152, CVE-2015-4752, CVE-2015-4864

BID: 74398, 75751, 75822, 75830, 75837, 75849, 77187