Free Scanner for MySQL Authentication Bypass CVE-2012-2122

Blog Post created by ckirsch on Aug 29, 2012

The MySQL authentication bypass vulnerability (CVE-2012-2122) - explained in detail in HD Moore's blog post - caused much concern when it was first discovered. In response, we've created a new vulnerability scanner for CVE-2012-2122 called ScanNow, which lets you check whether hosts on your network are vulnerable to this issue. The best thing: it's simple to use, completely free, and scans unlimited IPs for this vulnerability!


This vulnerability allows an attacker to bypass authentication in MySQL with a 1 in 256 chance of succeeding per login attempt. Systems are vulnerable if they meet the following two conditions:


  • Don't enforce host-based access controls (ACLs), and
  • Run a vulnerable version of the software (see list below).
    • Ubuntu Linux 64-bit (10.04, 10.10, 11.04, 11.10, 12.04)
    • OpenSuSE 12.1 64-bit MySQL 5.5.23-log
    • Debian Unstable 64-bit 5.5.23-2
    • Fedora
    • Arch Linux
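
The first condition can be read from the first packet a MySQL server sends, before any login attempt: a server that rejects the client's host answers with error 1130 instead of a handshake. The sketch below is an added example, not ScanNow's code or anything from the original post; `frame`, `classify_greeting` and the sample packets are hypothetical names, and the byte strings are constructed rather than captured.

```python
import struct

ER_HOST_NOT_PRIVILEGED = 1130  # "Host '...' is not allowed to connect to this MySQL server"

def frame(payload: bytes, seq: int = 0) -> bytes:
    """Wrap a payload in the MySQL packet header: 3-byte LE length + sequence id."""
    return len(payload).to_bytes(3, "little") + bytes([seq]) + payload

def classify_greeting(data: bytes) -> dict:
    """Classify the first packet a MySQL server sends after the TCP connect."""
    if len(data) < 5:
        return {"status": "truncated"}
    length = int.from_bytes(data[:3], "little")
    payload = data[4:4 + length]
    if length == 0 or len(payload) < length:
        return {"status": "truncated"}
    if payload[0] == 0xFF:  # ERR packet sent in place of a handshake
        if length < 3:
            return {"status": "truncated"}
        code = struct.unpack_from("<H", payload, 1)[0]
        status = "host_acl_enforced" if code == ER_HOST_NOT_PRIVILEGED else "error"
        return {"status": status, "code": code, "message": payload[3:].decode("latin-1")}
    if payload[0] == 0x0A:  # protocol version 10 handshake
        end = payload.find(b"\x00", 1)
        if end == -1:
            return {"status": "truncated"}
        # A handshake means at least one account's host pattern matched this client,
        # so no host-based ACL stopped the connection before authentication.
        return {"status": "no_host_acl", "version": payload[1:end].decode("ascii", "replace")}
    return {"status": "not_mysql"}

# Constructed samples (not captured traffic). The handshake carries only its leading fields.
SAMPLE_HANDSHAKE = frame(b"\x0a" + b"5.5.23-log\x00" + struct.pack("<I", 42))
SAMPLE_DENIED = frame(b"\xff" + struct.pack("<H", ER_HOST_NOT_PRIVILEGED)
                      + b"Host '192.0.2.10' is not allowed to connect to this MySQL server")

if __name__ == "__main__":
    for name, pkt in (("handshake", SAMPLE_HANDSHAKE), ("denied", SAMPLE_DENIED)):
        print(name, classify_greeting(pkt))
```

The version string only feeds the second condition; whether a given distribution build is patched has to be confirmed against the vendor's advisory.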


It's hard to accurately estimate how many people this vulnerability affects, but from our research we do know there are some more general concerns around the security of MySQL deployments. For example, HD's original research revealed that more than 50% of the 1.74 million identified MySQL servers did not enforce host-based access controls. Since then, HD has identified more than 3 million MySQL servers, doubling the original sample size, with a similar ACL ratio (50% on average). Examining just the MySQL servers identified in the last month (1.43 million), 810,000 do not enforce ACLs.


Of those 810,000, over 32,000 Ubuntu servers were identified, with just over 17,000 of those still unpatched. Although only 64-bit Ubuntu systems are exploitable, this makes up a large portion of the exposed hosts (close to 50% appear to be 64-bit machines). Those users ARE vulnerable to the MySQL bypass that ScanNow tests for, meaning that each of these approximately 8,000 servers exposes its entire database to the world through this vulnerability.


This only covers one of the five OS options listed above, and the total number of organizations affected by this vulnerability is likely much larger. We were only able to analyze half our sample size in our timeframe. In addition, we focused on Ubuntu and didn't identify vulnerable OpenSuSE, Debian, Fedora, and Arch Linux versions. Whatever the total number is, the research makes it abundantly clear that this is a serious problem for the security community.


This all sounds like a numbers game, so why should you care? Well, if you're one of the unlucky ones at risk, it's as simple as your entire database being exposed. And we're not talking about skilled attacks; we're talking about 1 in every 256 login attempts getting in, no matter what is tried. That's why we've created ScanNow to tell you whether your machines are vulnerable to the authentication bypass flaw. It's simple and fast: just enter your network range, click start, and review the findings. Once you have completed your scan, you can view, save and email the results to your colleagues.


ScanNow runs on all current Windows platforms and doesn't require installation - it couldn't be easier.


Get your free copy of ScanNow and check your network for MySQL password vulnerability (CVE-2012-2122) now!