MariaDB 10.0.x < 10.0.20 Multiple Vulnerabilities (BACKRONYM)

High Nessus Plugin ID 84796

Synopsis

The remote database server is affected by multiple vulnerabilities.

Description

The version of MariaDB running on the remote host is 10.0.x prior to 10.0.20. It is, therefore, affected by multiple vulnerabilities :

- An unspecified flaw exists in the GIS component that allows an authenticated, remote attacker to cause a denial of service condition. (CVE-2015-2582)

- An unspecified flaw exists in the Security: Privileges component that allows an authenticated, remote attacker to disclose sensitive information. (CVE-2015-2620)

- An unspecified flaw exists in the Optimizer component that allows an authenticated, remote attacker to cause a denial of service condition. (CVE-2015-2643)

- An unspecified flaw exists in the DML component that allows an authenticated, remote attacker to cause a denial of service condition. (CVE-2015-2648)

- A security feature bypass vulnerability, known as 'BACKRONYM', exists because the client library does not enforce the use of SSL/TLS when the --ssl client option is given: if the server's handshake does not advertise SSL support, the client silently falls back to an unencrypted connection instead of failing. A man-in-the-middle attacker who rewrites the handshake can exploit this to downgrade the connection to plaintext, allowing the attacker to disclose data from the database or manipulate database queries. (CVE-2015-3152)

- An unspecified flaw exists in the I_S component that allows an authenticated, remote attacker to cause a denial of service condition. (CVE-2015-4752)

- An unspecified flaw exists in the Security: Privileges component that allows an authenticated, remote attacker to impact integrity. (CVE-2015-4864)

- A denial of service vulnerability exists in the get_server_from_table_to_cache() function within file sql/sql_servers.cc when handling empty server names. An authenticated, remote attacker can exploit this to crash the server.

- A denial of service vulnerability exists when a multi-table UPDATE with a JOIN updates leaf tables while the leaf-table list is being stored. An authenticated, remote attacker can exploit this to crash the server.

- A denial of service vulnerability exists within file ha_innodb.cc when handling concurrent multi-table updates. An authenticated, remote attacker can exploit this to crash the server.

- An out-of-bounds read error exists in the escape_string_hide_passwords() function within file plugin/server_audit/server_audit.c when handling specially crafted SET PASSWORD queries. An authenticated, remote attacker can exploit this to disclose memory contents or cause a denial of service condition.

- A denial of service vulnerability exists in the wait_for_workers_idle() function within file rpl_parallel.cc when handling parallel replication worker threads. An authenticated, remote attacker can exploit this to crash the database.

- A denial of service vulnerability exists in sys_var_pluginvar::plugin due to improper initialization, leading to a race condition between INSTALL PLUGIN and SET that results in an uninitialized memory reference. An authenticated, remote attacker can exploit this to crash the database.
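The BACKRONYM item above describes a handshake downgrade. The following Python is an added illustration written for this page, not code from the Nessus plugin or from MariaDB: it builds a constructed Protocol::HandshakeV10 packet, shows the one operation a man-in-the-middle needs (clearing the CLIENT_SSL capability bit the server advertises), and contrasts a client that silently falls back to plaintext with one that refuses to continue when TLS was requested but not offered. The packet layout and the CLIENT_SSL value (0x0800) are those of the MySQL/MariaDB wire protocol; the `ssl_enforced` flag is a stand-in for whatever "require TLS" option a given client library exposes, and the server version, connection id and salt are made-up sample values.

```python
import struct

# Capability flag bits from the MySQL/MariaDB wire protocol.
CLIENT_PROTOCOL_41 = 0x00000200
CLIENT_SSL = 0x00000800            # server advertises / client requests TLS
CLIENT_SECURE_CONNECTION = 0x00008000
CLIENT_PLUGIN_AUTH = 0x00080000


def build_handshake(capabilities, server_version=b"10.0.19-MariaDB",
                    conn_id=42, salt=b"A" * 20, plugin=b"mysql_native_password"):
    """Constructed HandshakeV10 packet body (4-byte packet header omitted).
    Sample version, connection id and salt are made up for the illustration."""
    assert len(salt) == 20
    pkt = bytearray()
    pkt += b"\x0a"                                   # protocol version 10
    pkt += server_version + b"\x00"                  # NUL-terminated server version
    pkt += struct.pack("<I", conn_id)                # connection id
    pkt += salt[:8]                                  # auth-plugin-data-part-1
    pkt += b"\x00"                                   # filler
    pkt += struct.pack("<H", capabilities & 0xFFFF)  # capability flags, lower 16 bits
    pkt += b"\x21"                                   # character set (utf8_general_ci)
    pkt += struct.pack("<H", 0x0002)                 # status flags (SERVER_STATUS_AUTOCOMMIT)
    pkt += struct.pack("<H", capabilities >> 16)     # capability flags, upper 16 bits
    pkt += bytes([len(salt) + 1 if capabilities & CLIENT_PLUGIN_AUTH else 0])
    pkt += b"\x00" * 10                              # reserved
    pkt += salt[8:] + b"\x00"                        # auth-plugin-data-part-2 (13 bytes)
    if capabilities & CLIENT_PLUGIN_AUTH:
        pkt += plugin + b"\x00"                      # NUL-terminated auth plugin name
    return bytes(pkt)


def parse_handshake(pkt):
    """Extract the fields a client needs to decide whether TLS is on offer."""
    if pkt[0] != 0x0a:
        raise ValueError("not a HandshakeV10 packet")
    end = pkt.index(b"\x00", 1)
    version = pkt[1:end].decode()
    off = end + 1
    conn_id, = struct.unpack_from("<I", pkt, off)
    off += 4 + 8 + 1                                 # conn id, salt part 1, filler
    cap_lo_offset = off
    cap_lo, = struct.unpack_from("<H", pkt, off)
    off += 2 + 1 + 2                                 # lower caps, charset, status flags
    cap_hi, = struct.unpack_from("<H", pkt, off)
    caps = cap_lo | (cap_hi << 16)
    return {"version": version, "conn_id": conn_id, "capabilities": caps,
            "ssl_offered": bool(caps & CLIENT_SSL), "cap_lo_offset": cap_lo_offset}


def mitm_strip_ssl(pkt):
    """What an on-path attacker does: clear CLIENT_SSL in the server's lower
    capability bytes so the client believes the server cannot do TLS."""
    off = parse_handshake(pkt)["cap_lo_offset"]
    cap_lo, = struct.unpack_from("<H", pkt, off)
    return pkt[:off] + struct.pack("<H", cap_lo & ~CLIENT_SSL) + pkt[off + 2:]


def client_negotiate(pkt, ssl_requested, ssl_enforced):
    """Return 'tls' or 'plaintext' for the connection the client would proceed with.
    ssl_enforced=False models the pre-fix behaviour (CVE-2015-3152): --ssl is a
    preference, so a missing CLIENT_SSL bit leads to a silent downgrade.
    ssl_enforced=True models a fixed client that treats a missing offer as fatal."""
    info = parse_handshake(pkt)
    if not ssl_requested:
        return "plaintext"
    if info["ssl_offered"]:
        return "tls"
    if ssl_enforced:
        raise ConnectionError("TLS required but server handshake did not offer it")
    return "plaintext"                               # the BACKRONYM downgrade


if __name__ == "__main__":
    caps = CLIENT_PROTOCOL_41 | CLIENT_SECURE_CONNECTION | CLIENT_PLUGIN_AUTH | CLIENT_SSL
    genuine = build_handshake(caps)
    tampered = mitm_strip_ssl(genuine)
    print("genuine  :", client_negotiate(genuine, True, False))
    print("vulnerable client, tampered:", client_negotiate(tampered, True, False))
    try:
        client_negotiate(tampered, True, True)
    except ConnectionError as e:
        print("enforcing client, tampered:", e)
```

The downgrade is decided before any credentials or queries are sent, so a fix has to live in the client: once the connection is up, `SHOW SESSION STATUS LIKE 'Ssl_cipher'` returning an empty value does tell you the session is in plaintext, but by then the authentication exchange has already crossed the wire unencrypted, so that check is detection after the fact, not prevention. Also note that clearing CLIENT_SSL is the only modification the attacker needs; the rest of the handshake, including the server version, is passed through untouched, which is why a version check on the client side does not help.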

Solution

Upgrade to MariaDB version 10.0.20 or later.

See Also

https://mariadb.com/kb/en/mariadb/mariadb-10020-release-notes/

https://mariadb.com/kb/en/mariadb/mariadb-10020-changelog/

http://backronym.fail/

Plugin Details

Severity: High

ID: 84796

File Name: mariadb_10_0_20.nasl

Version: 1.10

Type: remote

Family: Databases

Published: 2015/07/16

Updated: 2019/01/02

Dependencies: 91823, 10719

Configuration: Enable paranoid mode

Risk Information

Risk Factor: High

CVSS v2.0

Base Score: 7.5

Temporal Score: 5.5

Vector: CVSS2#AV:N/AC:L/Au:S/C:P/I:N/A:C

Temporal Vector: CVSS2#E:U/RL:OF/RC:C

CVSS v3.0

Base Score: 7.1

Temporal Score: 6.2

Vector: CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:H

Temporal Vector: CVSS:3.0/E:U/RL:O/RC:C

Vulnerability Information

CPE: cpe:/a:mariadb:mariadb

Required KB Items: Settings/ParanoidReport

Exploit Available: false

Exploit Ease: No known exploits are available

Patch Publication Date: 2015/06/18

Vulnerability Publication Date: 2012/06/22

Reference Information

CVE: CVE-2015-2582, CVE-2015-2620, CVE-2015-2643, CVE-2015-2648, CVE-2015-3152, CVE-2015-4752, CVE-2015-4864

BID: 74398, 75751, 75822, 75830, 75837, 75849, 77187