MySQL authentication Bypass

• The Developers of MariaDB (a fork of MySQL) recently found a major flaw in MySQL (and MariaDB) that gives an attacker a 1 in 256 chance to login to your MySQL server with an incorrect password
• All MariaDB and MySQL versions up to 5.1.61, 5.2.11, 5.3.5, 5.5.22 are vulnerable.
• This exploit is even worse than it sounds, because once an attacker gains access to the MySQL server, they can dump the MySQL users table, which contains the hashed passwords of all other users
• This would allow the attacker to then do an offline attack against those hashes (with a brute force password cracking program such as John the Ripper)
• In this way, even if the administrator patches their MySQL server, preventing further access by the attacker via the exploit, the attacker can then use the actual passwords for real user accounts once they are cracked
• The error is an incorrect assumption about the return value of memcmp(), a C function that compares to memory addresses
• Due to the fact that memcmp() is implemented differently by different OSs and compilers, only some systems are known to be vulnerable
• Vulnerable:
  • Ubuntu Linux 64-bit ( 10.04, 10.10, 11.04, 11.10, 12.04 )
• OpenSuSE 12.1 64-bit
• Debian Unstable 64-bit (maybe others)
• Fedora (unspecified versions)
• Arch Linux (unspecified versions)
• Not Vulnerable:
  • Official builds from MySQL.com (including Windows)
• Red Hat Enterprise Linux 4, 5, and 6 (confirmed by Red Hat)
• CentOS using official RHEL rpms
• Ubuntu Linux 32-bit (10.04, 11.10, 12.04, likely all)
  • FreeBSD (all versions)
• Vulnerable/Not Vulnerable list source, more details, mitigation steps
• Part of the reason for the vulnerability of 64bit based OSs seems to be the different behavior of memcmp() with SSE4 optimizations (which results in a 3–5x performance increase)
• The following shell one-liner will grant you root access to a vulnerable MySQL server: for i in seq 1 1000; do mysql -u root –password=techsnap -h 127.0.0.1 2>/dev/null; done
• memcmp() man pages
  • Ubuntu 11.10 memcmp()
  • Ubuntu 12.04 memcmp()
  • FreeBSD memcmp()

F5 SSH Root login keys leaked

• F5 makes high end IP load balancers, designed to distribute traffic among web servers, handle SSL offloading, and more
• Fixed in a recently released patch, it seems that all F5s came out of the box authorized for root login over SSH with an RSA public key
• The issue being that the corresponding RSA private key, was also included on every F5 device
• This means that anyone that owns an F5, or has access to that key file (everyone now, we have to assume it was posted online) can now login as root on your F5
• Why is login as root over SSH even permitted?
• Vulnerability Announcement
• Official Advisory

AMD/ATI Windows Video drivers insecure, cause BSOD when security features in windows enabled

• Microsoft has a toolkit, called EMET (Enhanced Mitigation Experience Toolkit) that works to reduce the chance that unknown vulnerabilities in windows can be successfully exploited
• EMET relies on DEP (Data Execution Prevention) and ASLR (Address Space Layout Randomization), which are designed to prevent buffer overflow and remote code execution attacks
• EMET includes an option to force DEP and ASLR system wide, rather than on a per-application basis, where only applications that opt-in to DEP/ASLR are protected
• Enabling ASLR causes AMD/ATI video drivers to blue screen the system
• This means that any system with an AMD/ATI graphics adapter cannot be secured as strongly as a system with an Intel or nVidia graphics adapter
• CERT Vulnerability Notice VU#458153
• Download Microsoft Enhanced Mitigation Experience Toolkit

Feedback:

Q: Jason asks about using CNAMEs for customer domains

A:
The problem with what you are proposing is that any resource record that is a CNAME cannot have any other record types defined. This means that if you set the root of the domain example.com to CNAME to server1.scaleengine.com, you then cannot define an MX record, and therefore you cannot host email addresses @example.com

Q: Mario asks about blocking possibly malicious ad networks on his network

Eivind writes in about a game company handling a security breech correctly

Note: from their findings that 10,000 users shared the same password, it is obvious that they are doing regular hashing (ala LinkedIn), rather than salted cryptographic hashes. When will people learn.

Round-Up:

• FOLLOWUP: Some funny LinkedIn passwords found to be in the database: ihatemyjob, iwantanewjob, linkedinblows, password, strongpassword, and 123456
• FOLLOWUP: Lessons learned from cracking 2 million LinkedIn passwords
• Researchers Connect Flame to US-Israel Stuxnet Attack
• Discover Card storing passwords in plaintext
• Skype calls to feature ads big enough to interrupt any conversation
• Microsoft patches another RDP flaw that count allow remote code execution
• eHarmony hacked , passwords leaked
• VB6 platform still supported up to 24 years after released