CVE-2009-4484
published 2009-12-30


Priority: P2 (69), high
CVSS 2.0: 7.5 (AV:N/AC:L/Au:N/C:P/I:P/A:P)
Exploit: public exploit available (see description)
EPSS: 69.55% (99.3th percentile)
Multiple stack-based buffer overflows in the CertDecoder::GetName function in src/asn.cpp in TaoCrypt in yaSSL before 1.9.9, as used in mysqld in MySQL 5.0.x before 5.0.90, MySQL 5.1.x before 5.1.43, MySQL 5.5.x through 5.5.0-m2, and other products, allow remote attackers to execute arbitrary code or cause a denial of service (memory corruption and daemon crash) by establishing an SSL connection and sending an X.509 client certificate with a crafted name field, as demonstrated by mysql_overflow1.py and the vd_mysql5 module in VulnDisco Pack Professional 8.11. NOTE: this was originally reported for MySQL 5.0.51a.

Affected

19 ranges

Vendor      Product               Version range         Fixed in
canonical   ubuntu_linux          not listed            not listed   (9 entries)
debian      debian_linux          not listed            not listed   (3 entries)
mariadb     mariadb               >= 5.1, < 5.1.42      5.1.42
msrc        cbl_mariner_1.0_arm   not listed            not listed
msrc        cbl_mariner_1.0_x64   not listed            not listed
oracle      mysql                 not listed            not listed
oracle      mysql                 >= 5.0.0, < 5.0.90    5.0.90
oracle      mysql                 >= 5.1.0, < 5.1.43    5.1.43
wolfssl     yassl                 < 1.9.9               1.9.9

Detection & IOCs (extracted from sources)

Port: 3306
Path: taocrypt/src/asn.cpp
Other: JmpEsp => 0x0807dc34 (Debian 5.0 - MySQL 5.0.51a-24+lenny2)
  • Detect exploitation attempts by monitoring SSL handshakes to the MySQL port (TCP/3306) that include an X.509 client certificate with an oversized or malformed name field (CN, O, OU, etc.) in the Subject or Issuer.
  • Monitor MySQL servers for inbound SSL connections on TCP/3306 from hosts that are not expected to present client certificates; exploitation requires the attacker to pass host-based authentication, and the server must have been manually configured to use SSL.
  • MySQL builds linked against OpenSSL (rather than the bundled yaSSL) are not affected; audit MySQL binary linkage to determine exposure. Red Hat and Fedora packages use OpenSSL and are not vulnerable.
  • On Windows, the /GS and /SafeSEH compiler protections in MySQL 5.5.0-m2 block exploitation; on Linux, GCC FORTIFY_SOURCE also mitigates the overflow in some builds. Flag unprotected Linux MySQL builds (5.0.x before 5.0.90, 5.1.x before 5.1.43) that use yaSSL as high-priority patching targets.
  • The vulnerability exists only in MySQL builds that bundle yaSSL before 1.9.9; MySQL packages linked against the system OpenSSL (e.g. all Red Hat Enterprise Linux and Fedora packages) are unaffected.
  • Exploitation requires a non-default server configuration: SSL must be manually enabled, the server must listen on an accessible network interface, and the attacker must be able to pass host-based authentication.
  • The SUSE 11 binary package does not contain yaSSL or support SSL, so it is not exploitable despite being mentioned in the original blog post.

CVSS provenance

Source          Version   Score   Severity   Vector
nvd             v2.0      7.5     HIGH       AV:N/AC:L/Au:N/C:P/I:P/A:P
vendor_msrc               7.5     HIGH
vendor_redhat             7.5     HIGH
vendor_ubuntu             4.6     MEDIUM