Security flaw CVE-2012-2122 in MySQL

**hawkmage** · June 15th, 2012

Just incase you are not aware of this there is a security flaw (CVE-2012-2122) in the MySQL. This vuerability is based on the way the password hash validation is done. There is a 1 in 256 chance that a bad password will match.

The vulnerable systems are primarily 64 bit systems.

Here is a link to more info:
https://community.rapid7.com/communi...-flaw-in-mysql

**haqking** · June 15th, 2012

There are flaws or vulnerabilites in almost all software, you can find a CVE to match most software packages.

https://cve.mitre.org/

What is the uniqueness of this particular one ?

Perhaps i am missing your point ?

**OpSecShellshock** · June 15th, 2012

Well there is already a fairly reliable exploit in MSF I think (well, still 1-in-256, but that's better than cracking passwords), but I'm pretty sure the patch was available before then. It's certainly available (and highly recommended) now.

I suppose there's a pretty convincing argument that MySQL is widely used by people/organizations that are unlikely to patch in a timely manner, which does make it potentially a bigger deal, but yeah, it's really just another vulnerability on the pile.

**wacky_sung** · June 16th, 2012

I don't really care about least i run a server. Using those exploits search engines only reveal known security flaws. I will rather exploit it myself and keep it a secret until someone found it for patch.

**haqking** · June 16th, 2012

Originally Posted by wacky_sung

I don't really care about least i run a server. Using those exploits search engines only reveal known security flaws. I will rather exploit it myself and keep it a secret until someone found it for patch.

If you have the knowledge to exploit it then you have the knowledge to fix/patch it, so why not contribute rather than wait for someone else.

The security community is a collaborative one and any true "hacker" (hacker in the TMRC sense) /security researcher shares their knowledge whether zero day or not.

**wacky_sung** · June 16th, 2012

Oh yeah,so true. Just that i rather remain anonymous than make publicity of it. I think i better stay off here since i have already made my statement clear enough.

http://ubuntuforums.org/showthread.php?t=2004152

**haqking** · June 16th, 2012

Originally Posted by wacky_sung

Oh yeah,so true. Just that i rather remain anonymous than make publicity of it. I think i better stay off here since i have already made my statement clear enough.

http://ubuntuforums.org/showthread.php?t=2004152

LOL, yeah so you have the skillset to exploit zero day and to patch it, but not to remain anonymous ?

anyways moving on swiftly.......

**Dry Lips** · June 17th, 2012

Originally Posted by hawkmage

Just incase you are not aware of this there is a security flaw (CVE-2012-2122) in the MySQL. This vuerability is based on the way the password hash validation is done. There is a 1 in 256 chance that a bad password will match.

The vulnerable systems are primarily 64 bit systems.

Here is a link to more info:
https://community.rapid7.com/communi...-flaw-in-mysql

From the first article you quoted:

So far, the following systems have been confirmed as vulnerable:
Ubuntu Linux 64-bit ( 10.04, 10.10, 11.04, 11.10, 12.04 )

If you have security updates enabled on your server, would this vulnerability be patched automatically?