Wrong service detection (MySQL, manticoresearch)

GSA detects manticoresearch services (manticoresearch.com) on 9306-9307/tcp as MySQL servers.
This leads to many false alerts about vulnerable versions.

Looks like GSA greps manticoresearch tcp answer (“5.0.0 … mysql_native_password:”) and decides that it’s MySQL server with the version 5.0.0.

I don’t know why, because native Nmap (7.93, “-sS -sV -p 9307 --version-all”) doesn’t detect it as a MySQL server.

Technically speaking the detection itself looks correct. Manticore started as a fork of the Sphinx 2.x search service and Sphinx offers the following functionality:

Sphinx searchd daemon supports MySQL binary network protocol and can be accessed with regular MySQL API

Sphinx | Open Source Search Server

The same applies with a high chance to Manticore as well and thus the service in question is currently correctly detected as a MySQL service.

From a vulnerability test perspective the service indeed could be detected as a Manticore service so that MySQL tests working on a version of MySQL are not run against / reported for an unaffected, different product.

This could be handled for Manticore in a similar way as sw_sphinxsearch_detect.nasl / mysql_version.nasl for Sphinx.

I will create an internal task for this improvement but (unfortunately) don’t see that this will be done anytime soon so the following would be required:

  • Some community contributions on this topic
  • Creating overrides for the MySQL results on the system in question until the improvement has been made
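To show what a banner-based detector actually has to go on, here is an added example (not code from Greenbone, Sphinx or Manticore): a builder and parser for the MySQL protocol-10 initial handshake, with a constructed “5.0.0 / mysql_native_password” packet standing in for a MySQL-protocol-compatible search daemon. The naive_detect function is an assumption modelling the behaviour described in the thread, not the scanner's real logic; it shows why any product speaking the wire protocol ends up reported as “MySQL <advertised version>”.

```python
import struct

# MySQL capability flags relevant to the handshake layout
CLIENT_SECURE_CONNECTION = 0x00008000
CLIENT_PLUGIN_AUTH = 0x00080000


def build_handshake(server_version, auth_plugin="mysql_native_password", connection_id=7,
                    capabilities=CLIENT_SECURE_CONNECTION | CLIENT_PLUGIN_AUTH):
    """Build a protocol-10 initial handshake packet (constructed test data, not a capture)."""
    salt = bytes(range(1, 21))                          # 20-byte auth-plugin-data (constructed)
    body = b"\x0a" + server_version.encode() + b"\x00"  # protocol version, NUL-terminated version
    body += struct.pack("<I", connection_id) + salt[:8] + b"\x00"
    body += struct.pack("<H", capabilities & 0xFFFF) + b"\x21" + struct.pack("<H", 0x0002)
    body += struct.pack("<H", capabilities >> 16) + bytes([len(salt) + 1]) + b"\x00" * 10
    body += salt[8:] + b"\x00" + auth_plugin.encode() + b"\x00"
    return struct.pack("<I", len(body))[:3] + b"\x00" + body  # 3-byte length + sequence id 0


def parse_handshake(packet):
    """Extract the fields a banner grabber sees; raises ValueError if this is not a handshake."""
    length = int.from_bytes(packet[:3], "little")
    body = packet[4:4 + length]
    if len(body) != length or not body or body[0] != 0x0A:
        raise ValueError("not a protocol-10 handshake")
    end = body.index(b"\x00", 1)
    hs = {"server_version": body[1:end].decode(), "auth_plugin": None}
    pos = end + 1
    hs["connection_id"] = struct.unpack_from("<I", body, pos)[0]
    pos += 4 + 8 + 1                                    # connection id, salt part 1, filler
    cap_low = struct.unpack_from("<H", body, pos)[0]
    cap_high = struct.unpack_from("<H", body, pos + 5)[0]
    hs["capabilities"] = cap_low | (cap_high << 16)
    plugin_len = body[pos + 7]
    pos += 8 + 10                                       # flags, charset, status, len, reserved
    if hs["capabilities"] & CLIENT_SECURE_CONNECTION:
        pos += max(13, plugin_len - 8)                  # salt part 2
    if hs["capabilities"] & CLIENT_PLUGIN_AUTH:
        hs["auth_plugin"] = body[pos:body.index(b"\x00", pos)].decode()
    return hs


def naive_detect(packet):
    """Assumed model of the reported behaviour: any protocol-10 handshake advertising a MySQL
    auth plugin is reported as ('MySQL', <version>), so a compatible search daemon answering
    with '5.0.0' is later matched by every test written for MySQL 5.0.x."""
    try:
        hs = parse_handshake(packet)
    except ValueError:
        return None
    if hs["auth_plugin"] in ("mysql_native_password", "caching_sha2_password"):
        return ("MySQL", hs["server_version"])
    return None
```

The parser yields nothing beyond protocol version, version string, capabilities and plugin name, so product identity has to come from a separate product-specific check (as the Sphinx detection script does) or from an override.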