A serious security vulnerability found in MySQL/MariaDB

  Peter        2012-06-11 10:28:09       5,698        0    

Recently a serious security vulnerability was found in MySQL/MariaDB. It relates to the access to the database. The issue is described below.

When a user connects to MariaDB/MySQL, a token (SHA over a password and a random scramble string) is calculated and compared with the expected value. Because of incorrect casting, it might've happened that the token and the expected value were considered equal, even if the memcmp() returned a non-zero value. In this case MySQL/MariaDB would think that the password is correct, even while it is not.  Because the protocol uses random strings, the probability of hitting this bug is about 1/256.

Which means, if one knows a user name to connect (and "root" almost always exists), she can connect using *any* password by repeating connection attempts. ~300 attempts takes only a fraction of second, so basically account password protection is as good as nonexistent. Any client will do, there's no need for a special libmysqlclient library.

According to Sergei Golubchik, the affected MySQL/MariaDB version are All MariaDB and MySQL versions up to 5.1.61, 5.2.11, 5.3.5, 5.5.22.

For the detailed bug description and patches for the bug. Please visit SECLISTS.ORG. Hope people who are using the above mentioned MySQL/MariaDB versions to fix the bug as soon as possible.

MYSQL  MARIADB  BUG  FIX  PASSWORD  MEMCMP() 

       

  RELATED


  0 COMMENT


No comment for this article.



  RANDOM FUN

After Microsoft acquires Github