CVE-2017-3599
Published 2017-04-24
Priority: P2 · 71 · high · 7.5 (CVSS 3.0)
AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
EXPLOIT
EPSS: 89.92% (99.8th percentile)
Vulnerability in the MySQL Server component of Oracle MySQL (subcomponent: Server: Pluggable Auth). Supported versions that are affected are 5.6.35 and earlier and 5.7.17 and earlier. Easily "exploitable" vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.0 Base Score 7.5 (Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H). NOTE: the previous information is from the April 2017 CPU. Oracle has not commented on third-party claims that this issue is an integer overflow in sql/auth/sql_authentication.cc which allows remote attackers to cause a denial of service via a crafted authentication packet.
Affected
2 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| oracle | mysql | 5.6.0 – 5.6.35 | — |
| oracle | mysql | 5.7.0 – 5.7.17 | — |
Detection & IOCs (extracted from sources)
- command: MySQL login request with client capabilities \x85\xa2\xbf\x01, max packet size \x00\x00\x00\x01, charset \x21, 23 null reserved bytes, username null-terminated, auth field starting with \xff
- bytes: Authentication packet starting with \xff or \xfe, shorter than 8 bytes
- Detect unauthenticated MySQL connection attempts where the plugin auth data field in the handshake response packet begins with byte 0xFF or 0xFE and is shorter than 8 bytes; this is the exact trigger condition for the integer underflow crash.
- Monitor for repeated mysqld crashes or unexpected restarts on port 3306, especially preceded by unauthenticated connection attempts: the vulnerability is pre-authentication and causes a repeatable crash (complete DoS).
- The vulnerable code path is in the connection handshake parser (get_56_lenc_string / sql_authentication.cc). Inspect MySQL network traffic for malformed length-encoded string fields in the authentication phase of the handshake.
- Affected versions are MySQL 5.6.35 and earlier and 5.7.17 and earlier. MariaDB and mysql55 packages on Red Hat platforms are NOT affected; do not apply MySQL-specific detections to MariaDB deployments.
- The exploit targets the Pluggable Auth subcomponent; the attack is network-accessible via multiple protocols with no authentication required (PR:N, UI:N), meaning any network path to port 3306 is a viable attack vector.
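The handshake-response check described in the bullets above can be sketched as follows. This is an added example, not code from this page or any of its sources: it parses a MySQL HandshakeResponse41 payload (packet header already stripped) and flags a length-encoded auth field that begins with 0xFE or 0xFF with fewer than 8 bytes after it. The function names are hypothetical, the sample payloads are constructed, and reading "shorter than 8 bytes" as "fewer than 8 bytes after the prefix" is an assumption.

```python
import struct

CLIENT_PROTOCOL_41 = 0x00000200
CLIENT_PLUGIN_AUTH_LENENC_CLIENT_DATA = 0x00200000
FIXED_LEN = 4 + 4 + 1 + 23  # capabilities, max packet size, charset, reserved


def check_handshake_response(payload: bytes) -> str:
    """Classify a HandshakeResponse41 payload (4-byte packet header removed).

    Returns "suspicious", "ok", or "unparsed" (a layout not handled here).
    """
    if len(payload) < FIXED_LEN + 1:
        return "unparsed"
    (caps,) = struct.unpack_from("<I", payload, 0)
    if not caps & CLIENT_PROTOCOL_41:
        return "unparsed"
    nul = payload.find(b"\x00", FIXED_LEN)  # username is NUL-terminated
    if nul < 0:
        return "unparsed"
    auth = payload[nul + 1:]
    if not auth or not caps & CLIENT_PLUGIN_AUTH_LENENC_CLIENT_DATA:
        return "ok"  # no length-encoded auth field to inspect
    # Assumption: "shorter than 8 bytes" means fewer than 8 bytes follow the
    # 0xFE/0xFF prefix before the packet ends.
    if auth[0] in (0xFE, 0xFF) and len(auth) - 1 < 8:
        return "suspicious"
    return "ok"


def sample_payload(caps: int, user: bytes, auth_field: bytes) -> bytes:
    """Build a constructed test payload (not captured traffic)."""
    fixed = struct.pack("<IIB", caps, 0x01000000, 0x21) + bytes(23)
    return fixed + user + b"\x00" + auth_field


CAPS = 0x01BFA285  # the capability bytes \x85\xa2\xbf\x01 listed above

if __name__ == "__main__":
    samples = {
        "20-byte auth response": sample_payload(CAPS, b"app", b"\x14" + bytes(20)),
        "0xff prefix, nothing after": sample_payload(CAPS, b"app", b"\xff"),
        "0xfe prefix, 7 bytes after": sample_payload(CAPS, b"app", b"\xfe" + bytes(7)),
    }
    for label, data in samples.items():
        print(f"{label}: {check_handshake_response(data)}")
```

In a sensor, the payload would come from the first client packet after the server greeting on a reassembled TCP stream. Any database or plugin name after the auth field counts toward the remaining bytes here, so the check is a heuristic rather than a full protocol parse.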
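CVSS provenance
| Source | Version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v3.0 | 7.5 | HIGH | CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H |
| nvd | v2.0 | 7.8 | HIGH | AV:N/AC:L/Au:N/C:N/I:N/A:C |
| osv | | 7.5 | HIGH | |
| vendor_redhat | | 7.5 | HIGH | |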
GHSA
GHSA-292g-7jqj-vpqr: Vulnerability in the MySQL Server component of Oracle MySQL (subcomponent: Server: Pluggable Auth)
ghsa_unreviewed·2022-05-13
CVE-2017-3599 [HIGH] CWE-190
OSV
CVE-2017-3599: Vulnerability in the MySQL Server component of Oracle MySQL (subcomponent: Server: Pluggable Auth)
osv·2017-04-24·CVSS 7.5
CVE-2017-3599 [HIGH]
Ubuntu
MySQL vulnerabilities
vendor_ubuntu·2017-04-27
CVE-2017-3302 MySQL vulnerabilities
Title: MySQL vulnerabilities
Summary: Several security issues were fixed in MySQL.
Multiple security issues were discovered in MySQL and this update includes
new upstream MySQL versions to fix these issues.
MySQL has been updated to 5.5.55 in Ubuntu 14.04 LTS. Ubuntu 16.04 LTS,
Ubuntu 16.10 and Ubuntu 17.04 have been updated to MySQL 5.7.18.
In addition to security fixes, the updated packages contain bug fixes,
new features, and possibly incompatible changes.
Please see the following for more information:
http://dev.mysql.com/doc/relnotes/mysql/5.5/en/news-5-5-55.html
http://dev.mysql.com/doc/relnotes/mysql/5.7/en/news-5-7-18.html
http://www.oracle.com/technetwork/security-advisory/cpuapr2017-3236618.html
Instructions: In general, a standard system update will make all the necessary
Red Hat
mysql: integer underflow in get_56_lenc_string() leading to DoS (CPU Apr 2017)
vendor_redhat·2017-04-19·CVSS 7.5
CVE-2017-3599 [HIGH] CWE-190
No detection rules found.
Bugzilla
CVE-2017-3599 mysql: integer underflow in get_56_lenc_string() leading to DoS (CPU Apr 2017)
bugzilla·2017-04-19·CVSS 7.5
CVE-2017-3599 [HIGH]
Vulnerability in the MySQL Server component of Oracle MySQL (subcomponent: Server: Pluggable Auth). Supported versions that are affected are 5.6.35 and earlier and 5.7.17 and earlier. Easily exploitable vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server.
http://www.oracle.com/technetwork/security-advisory/cpuapr2017-3236618.html#AppendixMSQL
Discussion:
Created community-mysql tracking bugs for this issue:
Affects: fedora-all [bug 1443407]
---
It seems this CVE may be related
Bugzilla
CVE-2017-3308 CVE-2017-3309 CVE-2017-3450 CVE-2017-3453 CVE-2017-3456 CVE-2017-3461 CVE-2017-3462 CVE-2017-3463 CVE-2017-3464 CVE-2017-3599 community-mysql: various flaws [fedora-all]
bugzilla·2017-04-19·CVSS 7.7
CVE-2017-3308 [HIGH]
This is an automatically created tracking bug! It was created to ensure
that one or more security vulnerabilities are fixed in affected versions
of Fedora.
For comments that are specific to the vulnerability please use bugs filed
against the "Security Response" product referenced in the "Blocks" field.
For more information see:
http://fedoraproject.org/wiki/Security/TrackingBugs
When submitting as an update, use the fedpkg template provided in the next
comment(s). This will include the bug IDs of this tracking bug as well as
the relevant top-level CVE bugs.
Please also mention the CVE IDs being fixed in
References
http://www.oracle.com/technetwork/security-advisory/cpuapr2017-3236618.html
http://www.securityfocus.com/bid/97754
http://www.securitytracker.com/id/1038287
https://access.redhat.com/errata/RHSA-2017:2787
https://access.redhat.com/errata/RHSA-2017:2886
https://www.exploit-db.com/exploits/41954/
https://www.secforce.com/blog/2017/04/cve-2017-3599-pre-auth-mysql-remote-dos/