Description
-
Sergei Golubchik posted to the oss-sec mailing list about a recently patched security flaw (CVE-2012-2122) in the MySQL and MariaDB database servers. When a user connects to MariaDB/MySQL, a token (SHA over a password and a random scramble string) is calculated and compared
with the expected value. Because of incorrect casting, it might've
happened that the token and the expected value were considered equal,
even if the memcmp() returned a non-zero value. In this case
MySQL/MariaDB would think that the password is correct, even while it is
not. Because the protocol uses random strings, the probability of
hitting this bug is about 1/256.
Which means, if one knows a user name to connect (and "root" almost
always exists), she can connect using *any* password by repeating
connection attempts. ~300 attempts takes only a fraction of second, so
basically account password protection is as good as nonexistent.
Affected versions:
- All MariaDB and MySQL versions up to 5.1.61, 5.2.11, 5.3.5, 5.5.22 are vulnerable.
- MariaDB versions from 5.1.62, 5.2.12, 5.3.6, 5.5.23 are not.
- MySQL versions from 5.1.63, 5.5.24, 5.6.6 are not.
Remediation
- Upgrade to the latest version of MySQL.
References
Severity
Classification
Tags
Related Vulnerabilities
- WordPress Plugin Student Result or Employee Database Security Bypass (1.6.3)
- WordPress Plugin Ajax Search Pro Security Bypass (3.5)
- WordPress Plugin Google Captcha (reCAPTCHA) by BestWebSoft Security Bypass (1.12)
- Adobe ColdFusion 9 administrative login bypass
- Drupal Core 4.6.x Security Bypass (4.6.0 - 4.6.5)