MA-316.062012 : MyCERT Alert - Critical Vulnerability in MySQL and MariaDB

Date first published: 2012-06-11

1.0 Introduction

A critical vulnerability has been reported in the MySQL and MariaDB database servers. It can be exploited to allow a remote attacker to connect using any password by repeating connection attempts. [1]

The vulnerability exists in the way a token (a SHA over the password and a random scramble string) is calculated and compared with the expected value. Due to an incorrect cast, the token and the expected value could be considered equal even when memcmp() returned a non-zero value. In that case MySQL and MariaDB would accept the password as correct even though it is not. Because the protocol uses random strings, the probability of hitting this bug is about 1/256. [2]

2.0 Impact

By exploiting this vulnerability, a remote attacker can log in with a valid username using any password by repeating connection attempts.

3.0 Affected Products

- All MariaDB and MySQL versions up to 5.1.61, 5.2.11, 5.3.5, 5.5.22 are vulnerable.
- MariaDB versions from 5.1.62, 5.2.12, 5.3.6, 5.5.23 are not vulnerable.
- MySQL versions from 5.1.63, 5.5.24, 5.6.6 are not vulnerable.
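The following is an added illustration of the narrowing bug described in the Introduction; it is not code from MySQL, MariaDB or this alert. It models the shape of the token check in sql/password.c: the int returned by memcmp() was stored in a my_bool (a char), so any non-zero result that is a multiple of 256 truncated to 0 and was treated as "passwords match". The wide_memcmp() helper is a constructed stand-in for an optimized memcmp that returns values outside -128..127; the names check_scramble_vulnerable and check_scramble_fixed are assumptions chosen for this example.

```c
#include <stdio.h>
#include <string.h>

/* MySQL's my_bool is a plain char; that narrowing is the whole bug. */
typedef char my_bool;

/* Hypothetical stand-in for an optimized memcmp(): the C standard only
 * promises a negative, zero or positive int, so a library is free to
 * return the byte difference scaled up. Returns 0 only on equal input. */
static int wide_memcmp(const void *a, const void *b, size_t n)
{
    int r = memcmp(a, b, n);
    return r == 0 ? 0 : r * 256;   /* constructed: always a multiple of 256 */
}

/* Vulnerable shape: the int result is narrowed to my_bool before anyone
 * tests it. Returns 0 when the caller should accept the password.
 * A result such as 256 or -256 becomes 0 here (modulo-256 truncation on
 * every mainstream platform), so a mismatch is accepted. */
static my_bool check_scramble_vulnerable(const unsigned char *token,
                                         const unsigned char *expected,
                                         size_t len)
{
    return (my_bool) wide_memcmp(token, expected, len);
}

/* Fixed shape (the approach taken by the vendor patches): compare
 * against zero at full int width first, then convert the boolean. */
static my_bool check_scramble_fixed(const unsigned char *token,
                                    const unsigned char *expected,
                                    size_t len)
{
    return wide_memcmp(token, expected, len) != 0;
}

/* How many of the 256 residues of an int survive narrowing to char as
 * non-zero: exactly one residue (0 mod 256) is lost, which is where the
 * roughly 1/256 acceptance rate quoted in the alert comes from. */
static int residues_lost_by_narrowing(void)
{
    int lost = 0;
    for (int r = 1; r <= 256; r++)
        if ((my_bool) r == 0)
            lost++;
    return lost;
}

int main(void)
{
    const unsigned char expected[3] = {'a', 'b', 'c'};
    const unsigned char wrong[3]    = {'a', 'b', 'd'};  /* constructed mismatch */

    printf("vulnerable check on wrong token: %d (0 = accepted)\n",
           check_scramble_vulnerable(wrong, expected, 3));
    printf("fixed check on wrong token:      %d (non-zero = rejected)\n",
           check_scramble_fixed(wrong, expected, 3));
    printf("fixed check on right token:      %d\n",
           check_scramble_fixed(expected, expected, 3));
    printf("residues lost by narrowing:      %d of 256\n",
           residues_lost_by_narrowing());
    return 0;
}
```

The defensive lesson is independent of MySQL: treat memcmp() (and strcmp()) results only as "zero or not zero" at their native int width, and never store them in a narrower type. The same check also explains the Note below about which memcmp implementations trigger the bug: a builtin that returns only -1, 0 or 1 never produces a multiple of 256, so the narrowing is harmless there.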
Note: A prerequisite is a memcmp() that can return an arbitrary integer (outside the -128..127 range). According to the MariaDB Security Coordinator, the gcc built-in memcmp is safe and the BSD libc memcmp is safe. The Linux glibc SSE-optimized memcmp is not safe, but gcc usually uses the inlined built-in version.

4.0 Recommendation

MyCERT recommends that system administrators of these applications upgrade to the latest version via package manager or official update. The official update can be obtained from the following URL:

Generally, MyCERT advises users of this software to keep up to date with the latest security announcements from the vendor.

For any enquiries, MyCERT can be reached through the following channels:

E-mail : cyber999@cybersecurity.my or mycert@mycert.org.my
Phone : 1-300-88-2999 (monitored during business hours)
Fax : +603 89453442
Handphone : +60 19 2665850 (24x7 call incident reporting)
SMS : CYBER999 REPORT EMAIL COMPLAINT to 15888
Business Hours : Mon - Fri 08:30 - 17:30 MYT
Web : http://www.mycert.org.my

5.0 References

i. http://bazaar.launchpad.net/~mysql/mysql-server/5.1/revision/3560.10.17#sql/password.c
ii. http://seclists.org/oss-sec/2012/q2/493
iii. http://downloads.mariadb.org/mariadb/
iv. http://bazaar.launchpad.net/~maria-captains/maria/5.1/revision/3144
v. https://mariadb.atlassian.net/browse/MDEV-212