Skip to content
New Ebook: Get your copy of the Unleash the Power of Censys Search Handbook today! | Download Now
Blogs

New MySQL-Related Default Insecurity Affects 7500+ Apps

Posted on August 21st, 2019

Allows for Authentication Bypass & Data Leaks

This week, an anonymous researcher discovered and reported an issue with the SphinxSearch application used with MySQL databases:

“TL;DR: SphinxSearch comes with a insecure default configuration that opens a listener on port 9306. No auth required. Connections using a mysql client are possible.”

The full report is available here.

Finding affected SphinxSearch apps in Censys

So what could we find in our global Internet data to determine how many are affected by this issue?


TL;DR: 7,576 MySQL databases are using a default setting in the SphinxSearch application that allows for authentication bypass & data leaks


By searching our lightweight banners data set via Google BigQuery, we connected to port 9306, used exclusively for SphinxSearch, and turned that data into plain text so we could search for strings that indicate a SphinxSearch connection. Note that Port 9306 hosts the SphinxSearch application and native API.

We also found that of those affected devices, the majority were hosted in Russia, followed by the United States.

Enterprise customers can use the following BigQuery search to find exposed applications:

 SELECT * FROM (

   SELECT ip, SAFE_CONVERT_BYTES_TO_STRING(svcs.banner) as banner

   FROM `censys-pipeline.ipv4_banners.20190819`, UNNEST(services) AS svcs

   WHERE svcs.port_number = 9306

     AND SAFE_CONVERT_BYTES_TO_STRING(svcs.banner) NOT LIKE 'HTTP/1.%')

WHERE (banner LIKE '%-id64-%'

      OR banner LIKE '%-release%'

      OR banner LIKE '%commit%'

      OR banner LIKE '%mysql_%')

 AND banner NOT LIKE '%mysql_native_password%'

 AND banner NOT LIKE '%mysqladmin%

How to secure affected Sphinx apps

Luckily, the researcher also included the fix, and shows readers how to change the problematic default setting:

“Just go to your SphinxSearch configuration and edit the listen variable to include only localhost or put a (host) firewall like iptables in front of your installation.”

Also included in the original post are some helpful screenshots describing the vulnerability and the fix.

Make sure to follow us on Twitter @censysio to see more findings like these. We’d also love to hear how you’re using our data, so don’t forget to tag us when you post about your research and findings!

Attack Surface Management Solutions
Learn more