
Security Best Practice: Protection against Multiple MySQL Vulnerabilities


Check Point Reference: SBP-2006-04
Date Published:
Severity:
Last Updated:
Source: SmartDefense Research Center
Industry Reference(s): CVE-2006-0903, CVE-2004-0627, CVE-2004-0628
Protection Provided by: InterSpect NGX
Who is Vulnerable?
MySQL servers
Vulnerability Description
MySQL is an open-source relational database management system that is rapidly growing in popularity. MySQL is free for most applications and is heavily used by the open source community, running on both Windows and UNIX operating systems. MySQL Servers are prone to multiple vulnerabilities, enabling an attacker to modify, obtain or destroy database contents. This may result in disclosure of confidential information, database modification or even database shutdown.
Vulnerability Details
InterSpect NGX offers several protections for MySQL versions 5.0, 4.1 and 4.0, including:

MySQL Packet Sanity - To ensure compliance with the MySQL protocol, SmartDefense performs basic checks on MySQL packets, such as validating the length of login packets, the sequence of the login exchange, and the structure of MySQL commands.

Client Side Informative Logging - This protection enables logging of additional aspects of the client side of the MySQL session, e.g. “User name during login request” produces a log with the username for each login request.

Block Specific MySQL Users - This list blocks MySQL queries from specific users. The root account, for example, should normally be blocked from logging in over the network, because only the database administrator should use it.

MySQL Capabilities Restrictions - A set of protections that restrict which client capabilities are accepted. Options include allowing only clients that use the MySQL 4.1 and later login protocol (whose challenge-response authentication replaced the much weaker pre-4.1 scheme), and requiring all MySQL traffic in the organization to use SSL encryption and strong authentication.

Blocked MySQL Commands - This protection enables you to block specific MySQL commands that can be misused or cause damage.

Blocked SQL Query Commands - SmartDefense enables you to block several SQL query commands that have been associated with widely exploited vulnerabilities, e.g. CAN-2005-0799.

Blocked Tables - This protection restricts access to specific MySQL tables. Uncontrolled access to SQL tables can be misused and can lead to loss of sensitive user information.

MySQL Malicious Code Protector - This protection looks for executable code in places where it should not exist - for example in data fields. It analyzes the non ASCII segments of the SQL by disassembling machine code. It assesses the danger, and allows or rejects connections accordingly.

Passwords Restriction - This protection blocks login attempts with a blank password or with a scrambled password consisting only of NULL bytes. Such passwords are trivially guessed.

Protection Overview
Users of InterSpect NGX or higher will be able to protect their MySQL Servers from various attacks related to weak authentication methods, malformed query commands and more.

To configure the defense, select your product from the list below and follow the related protection steps.

InterSpect NGX

How Can I Protect My Network?
1. In the SmartDefense tree, click Application Intelligence > MySQL and expand MySQL Server protocol.
2. Install security policy on all modules.

How Do I Know if My Network is Under Attack?
SmartView Tracker will log the following entries:

Attack Name: Malformed MySQL Message
Attack Information:
Malformed or corrupt MySQL packet. Sanity check failed
Username in login request is illegal

Attack Name: MySQL NULL Password Attack
Attack Information: Login attempt with NULL password was detected

Attack Name: MySQL Long Scrambled Password Attack
Attack Information: Illegal length of scrambled password was detected

Attack Name: MySQL Restricted Command
Attack Information: Restricted MySQL command was detected

Attack Name: MySQL Malicious Code Protector
Attack Information: Malicious code protector detected potentially harmful code embedded in client transactions

Attack Name: MySQL Version Below 4.1
Attack Information: Client attempted login with a less secure version of MySQL

Attack Name: MySQL Non-SSL Login Detected
Attack Information: Client attempted login without SSL
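As an added illustration (this is not Check Point's code and is not part of the original page), the following Python script applies the login-time checks described under Vulnerability Details to a client's MySQL handshake-response packet and reports them using the attack names from the log entries above: packet header and sequence-id sanity, username sanity, blank or NUL-byte password, scrambled-password length, pre-4.1 login protocol and missing SSL. The packet layout follows the published MySQL client/server protocol; the "Blocked MySQL User" label, the 16-character username limit and the printable-ASCII username rule are this example's own choices, and the sample packets are constructed for the demonstration, not captured traffic. How InterSpect itself parses the packets is not public and will differ.

```python
import struct

# MySQL client capability flags (values from the MySQL client/server protocol).
CLIENT_CONNECT_WITH_DB   = 0x0008
CLIENT_PROTOCOL_41       = 0x0200  # 4.1+ login: 20-byte SHA1-based scramble
CLIENT_SSL               = 0x0800  # client wants to switch to TLS before sending credentials
CLIENT_SECURE_CONNECTION = 0x8000  # auth-response is length-prefixed instead of NUL-terminated

SCRAMBLE_LEN_41 = 20   # scrambled-password length in the 4.1 protocol
SCRAMBLE_LEN_320 = 8   # scrambled-password length in the pre-4.1 protocol
MAX_USERNAME_LEN = 16  # assumed limit on account names (policy choice for this example)

MALFORMED = "Malformed MySQL Message"
SANITY_FAILED = "Malformed or corrupt MySQL packet. Sanity check failed"


def _read_cstring(buf, pos):
    """Read a NUL-terminated string at pos; return (value, position after the NUL)."""
    end = buf.find(b"\x00", pos)
    if end < 0:
        raise ValueError(SANITY_FAILED)
    return buf[pos:end], end + 1


def _split_packet(raw):
    """Check the 4-byte header (3-byte little-endian length, 1-byte sequence id)."""
    if len(raw) < 4:
        raise ValueError(SANITY_FAILED)
    length = raw[0] | (raw[1] << 8) | (raw[2] << 16)
    payload = raw[4:]
    if len(payload) != length:
        raise ValueError(SANITY_FAILED)
    return raw[3], payload


def inspect_login(raw, blocked_users=(b"root",), require_ssl=True):
    """Run the login-time checks on one client handshake-response packet.

    Returns a list of (attack_name, attack_information) pairs worded like the
    SmartView Tracker entries; an empty list means the packet passed every check.
    """
    findings = []
    try:
        seq, payload = _split_packet(raw)
        # The server greeting is packet 0, so the client's reply must carry sequence id 1.
        if seq != 1 or len(payload) < 5:
            raise ValueError(SANITY_FAILED)
        caps = payload[0] | (payload[1] << 8)
        if caps & CLIENT_PROTOCOL_41:
            if len(payload) < 32:
                raise ValueError(SANITY_FAILED)
            caps = struct.unpack_from("<I", payload, 0)[0]
            if (caps & CLIENT_SSL) and len(payload) == 32:
                return findings  # SSLRequest: credentials follow inside TLS, nothing more to see
            user, pos = _read_cstring(payload, 32)  # skip caps, max packet, charset, 23 reserved
            if caps & CLIENT_SECURE_CONNECTION:
                if pos >= len(payload):
                    raise ValueError(SANITY_FAILED)
                n, pos = payload[pos], pos + 1
                auth = payload[pos:pos + n]
                if len(auth) != n:
                    raise ValueError(SANITY_FAILED)
            else:
                auth, pos = _read_cstring(payload, pos)
            expected_len = SCRAMBLE_LEN_41
        else:
            findings.append(("MySQL Version Below 4.1",
                             "Client attempted login with a less secure version of MySQL"))
            user, pos = _read_cstring(payload, 5)  # skip 2-byte caps and 3-byte max packet size
            if caps & CLIENT_CONNECT_WITH_DB:
                auth, pos = _read_cstring(payload, pos)
            else:
                auth = payload[pos:]  # string[EOF] in the old protocol
            expected_len = SCRAMBLE_LEN_320
    except ValueError as exc:
        return [(MALFORMED, str(exc))]

    # Username sanity: non-empty, printable non-space ASCII, within the assumed name limit.
    if not user or len(user) > MAX_USERNAME_LEN or not all(0x21 <= b <= 0x7E for b in user):
        findings.append((MALFORMED, "Username in login request is illegal"))
    if user.lower() in blocked_users:  # "Blocked MySQL User" is this example's own label
        findings.append(("Blocked MySQL User", "Login attempt by blocked user %r" % user))
    # A blank password and an all-NUL scrambled password both fail the "any non-zero byte" test.
    if not any(auth):
        findings.append(("MySQL NULL Password Attack", "Login attempt with NULL password was detected"))
    elif len(auth) != expected_len:
        findings.append(("MySQL Long Scrambled Password Attack",
                         "Illegal length of scrambled password was detected"))
    if require_ssl and not (caps & CLIENT_SSL):
        findings.append(("MySQL Non-SSL Login Detected", "Client attempted login without SSL"))
    return findings


# --- Constructed sample packets (test input for this example, not captured traffic) ---

def _frame(payload, seq=1):
    n = len(payload)
    return bytes([n & 0xFF, (n >> 8) & 0xFF, (n >> 16) & 0xFF, seq]) + payload


def build_login_41(user, auth, use_ssl=False):
    """HandshakeResponse41 with a length-prefixed auth-response."""
    caps = CLIENT_PROTOCOL_41 | CLIENT_SECURE_CONNECTION | (CLIENT_SSL if use_ssl else 0)
    head = struct.pack("<IIB", caps, 1 << 24, 33) + b"\x00" * 23  # caps, max packet, charset, reserved
    return _frame(head + user + b"\x00" + bytes([len(auth)]) + auth)


def build_ssl_request():
    """The 32-byte SSLRequest a 4.1 client sends before switching to TLS."""
    caps = CLIENT_PROTOCOL_41 | CLIENT_SECURE_CONNECTION | CLIENT_SSL
    return _frame(struct.pack("<IIB", caps, 1 << 24, 33) + b"\x00" * 23)


def build_login_320(user, auth):
    """Pre-4.1 HandshakeResponse320: 2-byte caps, 3-byte max packet, user, auth to end of packet."""
    return _frame(struct.pack("<H", 0) + b"\xff\xff\xff" + user + b"\x00" + auth)


if __name__ == "__main__":
    good = bytes(range(1, SCRAMBLE_LEN_41 + 1))
    for label, pkt in [("clean 4.1 login over SSL", build_login_41(b"app", good, use_ssl=True)),
                       ("SSLRequest", build_ssl_request()),
                       ("root with blank password", build_login_41(b"root", b"")),
                       ("40-byte scramble", build_login_41(b"app", b"A" * 40)),
                       ("pre-4.1 client", build_login_320(b"app", b"ABCDEFGH")),
                       ("truncated packet", build_login_41(b"app", good)[:20])]:
        print(label, "->", inspect_login(pkt) or "passed")
```

Note that once a client sends the 32-byte SSLRequest, the username and scrambled password travel inside the TLS session, so a network device that enforces "SSL only" gives up visibility of the remaining login checks unless it terminates or inspects the TLS session itself; the checks on the username and password therefore only apply to plaintext logins in this form.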