Bug 592086 (CVE-2010-1849) - CVE-2010-1849 mysql: over-sized packet denial of service vulnerability
Summary: CVE-2010-1849 mysql: over-sized packet denial of service vulnerability
Keywords:
Status: CLOSED ERRATA
Alias: CVE-2010-1849
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Priority: low
Severity: low
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 590598 592862
Blocks:
Reported: 2010-05-13 19:55 UTC by Vincent Danen
Modified: 2021-02-24 23:09 UTC

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2012-05-30 14:59:18 UTC
Embargoed:


Description Vincent Danen 2010-05-13 19:55:46 UTC
The upcoming MySQL 5.1.47 [1] and 5.0.91 [2] releases indicate a fix for the following issue, which has been assigned CVE-2010-1849.  Currently the bug report [3] is not public.  The release notes are very light on details, but I suspect this is a denial of service issue.

The server could be tricked into reading packets indefinitely if it received a packet larger than the maximum size of one packet. (Bug#50974, CVE-2010-1849)


Without access to the upstream bug, it is difficult to determine if this would also affect older 4.x releases.

[1] http://dev.mysql.com/doc/refman/5.1/en/news-5-1-47.html
[2] http://dev.mysql.com/doc/refman/5.0/en/news-5-0-91.html
[3] http://bugs.mysql.com/bug.php?id=50974

Comment 4 Tomas Hoger 2010-05-17 14:25:21 UTC
A few notes on this issue:

- the indefinite read mentioned in the upstream release notes seems to refer to my_net_skip_rest() (that is not called in certain cases with the patch applied).  Additional packets are read there only if the packet has the maximum possible length - MAX_PACKET_LENGTH (0xffffff).  This requires an attacker to keep sending a continuous stream of such long packets.  Additionally, connect_timeout still seems to cause an unauthenticated connection to be dropped as expected.

- the change upstream commits add to sql_parse.cc is for check_user() that can be found in sql_connect.cc in older mysql versions.

Comment 5 Tomas Hoger 2010-05-18 10:23:47 UTC
This issue does not affect mysql version 3.23.x in RHEL3, as my_net_skip_rest() can not be called there.  my_real_read() contains:

  for (i=0 ; i < 2 ; i++)
  {
    ...
    if (i == 0)
    {
      ...
      if (i == 1)
        my_net_skip_rest(net, len, &alarmed, &alarm_buff);
    }
  }

(some code / nesting removed)

Comment 9 Fedora Update System 2010-05-24 23:31:38 UTC
mysql-5.1.47-1.fc12 has been submitted as an update for Fedora 12.
http://admin.fedoraproject.org/updates/mysql-5.1.47-1.fc12

Comment 10 Fedora Update System 2010-05-24 23:31:59 UTC
mysql-5.1.47-1.fc13 has been submitted as an update for Fedora 13.
http://admin.fedoraproject.org/updates/mysql-5.1.47-1.fc13

Comment 11 Fedora Update System 2010-05-24 23:32:20 UTC
mysql-5.1.47-1.fc11 has been submitted as an update for Fedora 11.
http://admin.fedoraproject.org/updates/mysql-5.1.47-1.fc11

Comment 12 Fedora Update System 2010-06-07 22:27:47 UTC
mysql-5.1.47-1.fc12 has been pushed to the Fedora 12 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 13 Fedora Update System 2010-06-07 22:30:20 UTC
mysql-5.1.47-1.fc13 has been pushed to the Fedora 13 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 14 Fedora Update System 2010-06-07 22:31:41 UTC
mysql-5.1.47-1.fc11 has been pushed to the Fedora 11 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 15 Vincent Danen 2010-06-08 19:54:02 UTC
More upstream information now that the CVE is public:

http://lists.mysql.com/commits/106060

The upstream bug is also public now.

Comment 17 Tomas Hoger 2010-06-24 10:22:37 UTC
(In reply to comment #15)
> More upstream information now that the CVE is public:
> 
> http://lists.mysql.com/commits/106060

Note that this patch seems to be a change that was originally proposed as a fix for this issue, but this idea was later abandoned and the fix linked in comment #1 is what got used in the released updates.

This issue is also often incorrectly described in various vulnerability databases or advisories.  The impact of this flaw is quite limited.  An attacker can connect to mysqld and send certain specially-crafted packets that cause the server to read more data from the attacker until connect_timeout (default is 10s) is hit.  After that timeout, the connection is closed by the server.

This can have some impact on CPU / network bandwidth usage, but something similar can be achieved by repeatedly opening new connections and sending smaller packets that require more CPU time to be processed (e.g. well-formed authentication requests with incorrect credentials).  In case of these oversized packets, mysqld only reads data off the network in chunks to a buffer of limited size (net_buffer_length or 16384 by default, possibly up to max_allowed_packet or 1048576, those parameters are configurable) and does no further processing on the data read.  The next data chunk overwrites the previously read one.  This does not cause the server to allocate an excessive amount of memory as some advisories suggest.

Due to the limited impact of this issue, there's no plan to address this in mysql updates for Red Hat Enterprise Linux 3 and 4.  Future mysql rebases may introduce this fix in Red Hat Enterprise Linux 5.  Future product versions based on fixed upstream version will have this fix included too.
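
Added example, not part of the bug report or of MySQL's source: a simplified C model of the skip loop described in comments 4 and 17, showing that the read buffer stays at net_buffer_length while the discarded byte count grows until the timeout ends the connection. The names drain_model and drain_result, the per-chunk time cost and the constructed header streams are assumptions made for illustration.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#define MAX_PACKET_LENGTH 0xffffffUL /* largest payload one packet can carry */
#define NET_BUFFER_LENGTH 16384      /* default buffer size from comment 17 */
struct drain_result {
    unsigned packets;     /* packets consumed while skipping */
    uint64_t bytes;       /* payload bytes read and discarded */
    size_t   peak_buffer; /* most memory held at any moment */
    int      timed_out;   /* 1 if the timeout budget ended the loop */
};

/* MySQL wire header: 3-byte little-endian payload length, 1-byte sequence id. */
static uint32_t header_len(const unsigned char *h)
{
    return (uint32_t)h[0] | ((uint32_t)h[1] << 8) | ((uint32_t)h[2] << 16);
}

/* Simplified model (assumption): hdrs holds n constructed 4-byte headers from one
 * peer, ms_per_chunk is an assumed read cost, timeout_ms stands in for connect_timeout. */
struct drain_result drain_model(const unsigned char *hdrs, size_t n,
                                unsigned ms_per_chunk, unsigned timeout_ms)
{
    static unsigned char buf[NET_BUFFER_LENGTH]; /* fixed, reused every chunk */
    struct drain_result r = {0, 0, sizeof buf, 0};
    uint64_t elapsed = 0;
    for (size_t i = 0; i < n; i++) {
        uint32_t len = header_len(hdrs + 4 * i), left = len;
        r.packets++;
        while (left > 0) {
            size_t chunk = left < sizeof buf ? left : sizeof buf;
            memset(buf, 0, chunk);      /* new chunk overwrites the old one */
            left -= (uint32_t)chunk;
            r.bytes += chunk;
            elapsed += ms_per_chunk;
            if (elapsed >= timeout_ms) { r.timed_out = 1; return r; }
        }
        if (len != MAX_PACKET_LENGTH) break; /* only a full-length packet chains on */
    }
    return r;
}

int main(void)
{
    unsigned char s[48];
    memset(s, 0xff, sizeof s);          /* constructed: 12 maximum-length headers */
    struct drain_result r = drain_model(s, 12, 1, 10000);
    printf("%u packets, timed_out=%d, buffer=%zu\n", r.packets, r.timed_out, r.peak_buffer);
}
```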

Comment 19 Tomas Hoger 2012-05-30 14:59:18 UTC
RHSA-2012:0127 updated mysql packages in Red Hat Enterprise Linux 5 to version 5.0.95, which includes this fix:
  https://rhn.redhat.com/errata/RHSA-2012-0127.html

Statement:

This issue was fixed in mysql packages shipped with Red Hat Enterprise Linux 5 via RHSA-2012:0127. The mysql packages in Red Hat Enterprise Linux 6 include this fix since the initial release of the product.

