Description

Sergei Golubchik posted to the oss-sec mailing list about a recently patched security flaw (CVE-2012-2122) in the MySQL and MariaDB database servers. When a user connects to MariaDB/MySQL, a token (SHA over a password and a random scramble string) is calculated and compared with the expected value. Because of incorrect casting, it might've happened that the token and the expected value were considered equal, even if the memcmp() returned a non-zero value. In this case MySQL/MariaDB would think that the password is correct, even while it is not. Because the protocol uses random strings, the probability of hitting this bug is about 1/256. Which means, if one knows a user name to connect (and "root" almost always exists), she can connect using *any* password by repeating connection attempts. ~300 attempts takes only a fraction of second, so basically account password protection is as good as nonexistent.

Affected versions:

  • All MariaDB and MySQL versions up to 5.1.61, 5.2.11, 5.3.5, 5.5.22 are vulnerable.
  • MariaDB versions from 5.1.62, 5.2.12, 5.3.6, 5.5.23 are not.
  • MySQL versions from 5.1.63, 5.5.24, 5.6.6 are not.

Remediation

Upgrade to the latest version of MySQL.

References

Security vulnerability in MySQL/MariaDB sql/password.c

CVE-2012-2122 : Serious Mysql Authentication Bypass Vulnerability

Related Vulnerabilities

WordPress Plugin Metform Elementor Contact Form Builder-Flexible and Design-Friendly Contact Form builder for WordPress Security Bypass (3.3.0)

TeamCity Authentication Bypass (CVE-2024-27199)

WordPress Plugin Responsive Image Slider, Photo Gallery And Carousel Security Bypass (1.3.5)

WordPress Plugin UserPro-Community and User Profile Security Bypass (4.9.17)

WordPress Plugin Thrive Apprentice Security Bypass (2.3.9.3)

Severity

High

Classification

CVE-2012-2122 CWE-287 CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N

Tags

Authentication Bypass