National Cyber Awareness System

Vulnerability Summary for CVE-2009-4484

Overview

Multiple stack-based buffer overflows in the CertDecoder::GetName function in src/asn.cpp in TaoCrypt in yaSSL before 1.9.9, as used in mysqld in MySQL 5.0.x before 5.0.90, MySQL 5.1.x before 5.1.43, MySQL 5.5.x through 5.5.0-m2, and other products, allow remote attackers to execute arbitrary code or cause a denial of service (memory corruption and daemon crash) by establishing an SSL connection and sending an X.509 client certificate with a crafted name field, as demonstrated by mysql_overflow1.py and the vd_mysql5 module in VulnDisco Pack Professional 8.11. NOTE: this was originally reported for MySQL 5.0.51a.

Impact

CVSS Severity (version 2.0):

CVSS Version 2 Metrics:

Vendor Statements (disclaimer)

Official Statement from Red Hat (01/26/2010)

Not vulnerable. This issue did not affect the versions of mysql as shipped with Red Hat Enterprise Linux 3, 4, or 5. The packages use OpenSSL and not yaSSL.

References to Advisories, Solutions, and Tools

By selecting these links, you will be leaving NIST webspace. We have provided these links to other web sites because they may have information that would be of interest to you. No inferences should be drawn on account of other sites being referenced, or not, from this page. There may be other web sites that are more appropriate for your purpose. NIST does not necessarily endorse the views expressed, or concur with the facts presented on these sites. Further, NIST does not endorse any commercial products that may be mentioned on these sites. Please address comments about this page to nvd@nist.gov.

External Source: CONFIRM

Name: https://bugzilla.redhat.com/show_bug.cgi?id=555313

Hyperlink:https://bugzilla.redhat.com/show_bug.cgi?id=555313

External Source: CONFIRM

Name: http://yassl.cvs.sourceforge.net/viewvc/yassl/yassl/taocrypt/src/asn.cpp?r1=1.13&r2=1.14

Hyperlink:http://yassl.cvs.sourceforge.net/viewvc/yassl/yassl/taocrypt/src/asn.cpp?r1=1.13&r2=1.14

External Source: XF

Name: mysql-unspecified-bo(55416)

Hyperlink:http://xforce.iss.net/xforce/xfdb/55416

External Source: CONFIRM

Name: http://www.yassl.com/release.html

Hyperlink:http://www.yassl.com/release.html

External Source: CONFIRM

Name: http://www.yassl.com/news.html#yassl199

Hyperlink:http://www.yassl.com/news.html#yassl199

External Source: VUPEN

Name: ADV-2010-0236

Hyperlink:http://www.vupen.com/english/advisories/2010/0236

External Source: VUPEN

Name: ADV-2010-0233

Hyperlink:http://www.vupen.com/english/advisories/2010/0233

External Source: BID

Name: 37974

Hyperlink:http://www.securityfocus.com/bid/37974

External Source: BID

Name: 37943

Hyperlink:http://www.securityfocus.com/bid/37943

External Source: BID

Name: 37640

Hyperlink:http://www.securityfocus.com/bid/37640

External Source: OSVDB

Name: 61956

Hyperlink:http://www.osvdb.org/61956

External Source: MISC

Name: http://www.metasploit.com/modules/exploit/linux/mysql/mysql_yassl_getname

Hyperlink:http://www.metasploit.com/modules/exploit/linux/mysql/mysql_yassl_getname

External Source: MISC

Name: http://www.intevydis.com/blog/?p=57

Hyperlink:http://www.intevydis.com/blog/?p=57

External Source: MISC

Name: http://www.intevydis.com/blog/?p=106

Hyperlink:http://www.intevydis.com/blog/?p=106

External Source: DEBIAN

Name: DSA-1997

Hyperlink:http://www.debian.org/security/2010/dsa-1997

External Source: UBUNTU

Name: USN-897-1

Hyperlink:http://ubuntu.com/usn/usn-897-1

External Source: SECTRACK

Name: 1023513

Hyperlink:http://securitytracker.com/id?1023513

External Source: SECTRACK

Name: 1023402

Hyperlink:http://securitytracker.com/id?1023402

External Source: SECUNIA

Name: 38573

Hyperlink:http://secunia.com/advisories/38573

External Source: SECUNIA

Name: 38517

Hyperlink:http://secunia.com/advisories/38517

External Source: SECUNIA

Name: 38364

Hyperlink:http://secunia.com/advisories/38364

External Source: SECUNIA

Name: 38344

Hyperlink:http://secunia.com/advisories/38344

External Source: SECUNIA

Name: 37493

Hyperlink:http://secunia.com/advisories/37493

External Source: MLIST

Name: [commits] 20100113 bzr commit into mysql-5.0-bugteam branch (ramil:2838) Bug#50227

Hyperlink:http://lists.mysql.com/commits/96697

External Source: MLIST

Name: [dailydave] 20100126 New db bugs

Hyperlink:http://lists.immunitysec.com/pipermail/dailydave/2010-January/006020.html

External Source: MISC

Name: http://isc.sans.org/diary.html?storyid=7900

Hyperlink:http://isc.sans.org/diary.html?storyid=7900

External Source: MISC

Name: http://intevydis.com/mysql_overflow1.py.txt

Hyperlink:http://intevydis.com/mysql_overflow1.py.txt

External Source: MISC

Name: http://intevydis.com/mysql_demo.html

Hyperlink:http://intevydis.com/mysql_demo.html

External Source: MISC

Name: http://intevydis.blogspot.com/2010/01/mysq-yassl-stack-overflow.html

Hyperlink:http://intevydis.blogspot.com/2010/01/mysq-yassl-stack-overflow.html

External Source: CONFIRM

Name: http://dev.mysql.com/doc/refman/5.1/en/news-5-1-43.html

Hyperlink:http://dev.mysql.com/doc/refman/5.1/en/news-5-1-43.html

External Source: CONFIRM

Name: http://dev.mysql.com/doc/refman/5.0/en/news-5-0-90.html

Hyperlink:http://dev.mysql.com/doc/refman/5.0/en/news-5-0-90.html

External Source: CONFIRM

Name: http://bugs.mysql.com/bug.php?id=50227

Hyperlink:http://bugs.mysql.com/bug.php?id=50227

External Source: CONFIRM

Name: http://bazaar.launchpad.net/~mysql/mysql-server/mysql-5.0/revision/2837.1.1

Hyperlink:http://bazaar.launchpad.net/~mysql/mysql-server/mysql-5.0/revision/2837.1.1

External Source: MLIST

Name: [dailydave] 20100106 0day demos

Hyperlink:http://archives.neohapsis.com/archives/dailydave/2010-q1/0002.html