CVE-2024-21212: Vulnerability in MySQL Server with Potential for a Complete Denial of Service (DOS) Attack

CVE-2024-21212 refers to a difficult-to-exploit vulnerability in Oracle's MySQL Server software that could allow high-privileged attackers to compromise the server through network access. This vulnerability affects versions 8..39 and earlier as well as 8.4.. Successful exploitation could result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. Based on the Common Vulnerability Scoring System (CVSS) 3.1, this vulnerability has a base score of 4.4.

Component Affected

This vulnerability specifically affects the Health Monitor component of Oracle MySQL Server. This component is responsible for monitoring the health of MySQL Server and reporting any issues in performance or efficiency. Because of the nature of this vulnerability, the Health Monitor component could be compromised, leading to a complete denial of service (DOS) attack on the MySQL Server.

The vulnerability in the Health Monitor component is related to the following code snippet

void health_monitor_check_status(health_monitor_info *info)
{
  // ... Some code omitted for clarity ...
  
  // Perform some checks
  if (check_server_status(info))
  {
    // If checks are successful, update health monitor data
    update_health_monitor_data(info);
  }
  else
  {
    // If checks fail, issue a crash or hang of MySQL Server
    crash_or_hang_server(info);
  }
}

In the code snippet above, the Health Monitor runs its checks, and if it encounters an error, the server crashes or hangs. The vulnerability exists because an attacker with high privileges could exploit this aspect of the code to repeatedly crash or hang the server.

Exploit Details

For an attacker to exploit this vulnerability, they would need network access via multiple protocols and high privileges on the MySQL Server system. If these conditions are met, the attacker could compromise the Health Monitor component and cause repeated server crashes or hangs, resulting in a complete denial of service (DOS) attack on the MySQL Server.

Original References

The complete details of this vulnerability can be found in the National Vulnerability Database, which provides information about the CVSS score, affected software versions, and links to patches.

Oracle has also provided a Security Alert Advisory that discusses the issue, including suggested workarounds and available patches for affected versions of MySQL Server.

The CVSS vector for CVE-2024-21212 is as follows

(CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:N/I:N/A:H)

This indicates that the vulnerability is network exploitable (AV:N) with a high attack complexity (AC:H), high required privileges (PR:H), and no user interaction required (UI:N). The vulnerability has no impact on confidentiality (C:N) or integrity (I:N) but has a high impact on availability (A:H), leading to the base score of 4.4.

Conclusion

CVE-2024-21212 is a difficult-to-exploit vulnerability in Oracle's MySQL Server software that could lead to a complete denial of service (DOS) attack if successfully exploited. It is crucial for organizations using affected versions of MySQL Server to mitigate this risk by applying the available patches or workarounds suggested by Oracle.

Timeline

Published on: 10/15/2024 20:15:10 UTC
Last modified on: 10/16/2024 20:44:19 UTC