New MySQL-Related Default Insecurity Affects 7500+ Apps
Allows for Authentication Bypass & Data Leaks
This week, an anonymous researcher discovered and reported an issue with the SphinxSearch application used with MySQL databases:
“TL;DR: SphinxSearch comes with a insecure default configuration that opens a listener on port 9306. No auth required. Connections using a mysql client are possible.”
Finding affected SphinxSearch apps in Censys
So what could we find in our global Internet data to determine how many are affected by this issue?
TL;DR: 7,576 MySQL databases are using a default setting in the SphinxSearch application that allows for authentication bypass & data leaks
By searching our lightweight banners data set via Google BigQuery, we connected to port 9306, used exclusively for SphinxSearch, and turned that data into plain text so we could search for strings that indicate a SphinxSearch connection. Note that Port 9306 hosts the SphinxSearch application and native API.
We also found that of those affected devices, the majority were hosted in Russia, followed by the United States:
Enterprise customers can use the following BigQuery search to find exposed applications:
SELECT * FROM (
SELECT ip, SAFE_CONVERT_BYTES_TO_STRING(svcs.banner) as banner
FROM `censys-pipeline.ipv4_banners.20190819`, UNNEST(services) AS svcs
WHERE svcs.port_number = 9306
AND SAFE_CONVERT_BYTES_TO_STRING(svcs.banner) NOT LIKE 'HTTP/1.%')
WHERE (banner LIKE '%-id64-%'
OR banner LIKE '%-release%'
OR banner LIKE '%commit%'
OR banner LIKE '%mysql_%')
AND banner NOT LIKE '%mysql_native_password%'
AND banner NOT LIKE '%mysqladmin%
The following screenshot includes some comments about how we performed the search that we hope will be useful to our users:
How to secure affected Sphinx apps
Luckily, the researcher also included the fix, and shows readers how to change the problematic default setting:
“Just go to your SphinxSearch configuration and edit the listen variable to include only localhost or put a (host) firewall like iptables in front of your installation.”
Also included in the original post are some helpful screenshots describing the vulnerability and the fix.
Make sure to follow us on Twitter @censysio to see more findings like these. We’d also love to hear how you’re using our data, so don’t forget to tag us when you post about your research and findings!