MySQL Denial of Service Vulnerabilities

September 9, 2010

MySQL is an open-source relational database which supports SQL. The database has a number of built-in SQL functions which are designed to help users with the task of querying and updating data. MySQL uses the MySQL protocol to communicate with clients over the network. By default, MySQL server listens for connections on TCP port 3306.

Two different denial-of-service vulnerabilities exist in MySQL server. The first vulnerability is due to an error while handling joins involving a table with a unique SET column. When the LIKE function is used to query specially joined tables, the LIKE function fails. The second vulnerability is due to errors while performing comparisons in the IN and CASE functions. Specifically, MySQL does not properly handle cases where one of the compared values is NULL. MySQL databases prior to version 5.1.49 are prone to these vulnerabilities.

A remote attacker can exploit these vulnerabilities by sending crafted queries to the target server. Successful exploitation would cause the database server to terminate abnormally, resulting in a denial-of-service condition. The impact of the vulnerabilities is mitigated by the requirement for successful authentication.

SonicWALL has released multiple IPS signatures to detect and block specific exploitation attempts targeting these vulnerabilities. The signatures are listed below:

  • 5572 MySQL Unique SET Column Join DoS 1
  • 5573 MySQL Unique SET Column Join DoS 2
  • 5672 MySQL IN and CASE DoS 1
  • 5673 MySQL IN and CASE DoS 2
  • 5674 MySQL IN and CASE DoS 3
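
For inventory purposes, the version threshold above can be checked against the version string a server announces in its initial handshake on port 3306. The following is an added example, not part of the original advisory: it parses a protocol-10 handshake packet and flags versions prior to 5.1.49. The function names and the sample packet are constructed for illustration, and the comparison assumes a plain numeric ordering against 5.1.49 as the advisory states it.

```python
import re

FIXED = (5, 1, 49)  # per the advisory: versions prior to this are prone


def parse_handshake_version(packet: bytes) -> str:
    """Return the server version string from a MySQL initial handshake packet."""
    if len(packet) < 6:
        raise ValueError("packet too short for a MySQL handshake")
    # Packet header: 3-byte little-endian payload length, 1-byte sequence id.
    length = int.from_bytes(packet[0:3], "little")
    payload = packet[4:4 + length]
    if length < 2 or len(payload) != length:
        raise ValueError("truncated or malformed packet")
    # Payload starts with the protocol version; 0x0a is the protocol-10
    # handshake. 0xff here is an error packet (e.g. host not allowed).
    if payload[0] != 0x0A:
        raise ValueError("not a protocol-10 handshake (byte 0x%02x)" % payload[0])
    end = payload.find(b"\x00", 1)
    if end == -1:
        raise ValueError("unterminated server version string")
    return payload[1:end].decode("ascii", "replace")


def version_tuple(version: str) -> tuple:
    """Numeric (major, minor, patch), ignoring suffixes such as '-community-log'."""
    m = re.match(r"(\d+)\.(\d+)\.(\d+)", version)
    if not m:
        raise ValueError("unrecognised version string: %r" % version)
    return tuple(int(part) for part in m.groups())


def is_prior_to_fix(version: str) -> bool:
    """True when the announced version is older than 5.1.49."""
    return version_tuple(version) < FIXED


def build_sample_handshake(version: str) -> bytes:
    """Constructed sample packet (not captured traffic): header, protocol
    byte, version string, then a dummy thread id and salt."""
    payload = (b"\x0a" + version.encode("ascii") + b"\x00"
               + b"\x01\x00\x00\x00" + b"A" * 8 + b"\x00")
    return len(payload).to_bytes(3, "little") + b"\x00" + payload


if __name__ == "__main__":
    for v in ("5.1.48-community-log", "5.1.49", "5.0.91"):
        announced = parse_handshake_version(build_sample_handshake(v))
        print(announced, "-> prior to 5.1.49:", is_prior_to_fix(announced))
```

The announced string reflects the upstream version only; distribution packages may carry backported fixes without changing it, so treat a match as a prompt to confirm the patch level.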