MA-316.062012 : MyCERT Alert - Critical Vulnerability in MySQL and MariaDB
Date first published: 2012-06-11
A critical vulnerability has been reported in MySQL and MariaDB database server, which can be exploited and allow a remote attacker to connect using any password by repeating connection attempts. 
This vulnerability exist due to a token (SHA over a password and a random scramble string) is calculated and compared with the expected value. Due to the incorrect casting, it might have happened that the token and the expected value were considered equal, even if the memcmp() returned a non-zero value. In this case MySQL and MariaDB would think that the password is correct, even while it is not. Because the protocol uses random strings, the probability of hitting this bug is about 1/256. 
By exploiting this vulnerability, it allows a remote attacker to login with a valid username using any password by repeating connection attempts.
3.0 Affected Products
- All MariaDB and MySQL versions up to 5.1.61, 5.2.11, 5.3.5, 5.5.22 are vulnerable.
- MariaDB versions from 5.1.62, 5.2.12, 5.3.6, 5.5.23 are not vulnerable.
- MySQL versions from 5.1.63, 5.5.24, 5.6.6 are not vulnerable.
Note: A prerequisite is a memcmp() that can return an arbitrary integer (outside of -128..127 range). According to MariaDB Security Coordinator, gcc built-in memcmp is safe and BSD libc memcmp is safe. Linux glibc sse-optimized memcmp is not safe, but gcc usually uses the inlined builtin version.
MyCERT recommends system administrator of these applications to upgrade to the latest version via package manager or official update. The official update can be obtained fron the following URL:
Generally, MyCERT advises the users of this software to be updated with the latest security announcements by the vendor. For any enquiries, MyCERT can be reached through the following channels:
E-mail : email@example.com or firstname.lastname@example.org
Phone : 1-300-88-2999 (monitored during business hours)
Fax : +603 89453442
Handphone : +60 19 2665850 (24x7 call incident reporting)
SMS : CYBER999 REPORT EMAIL COMPLAINT to 15888
Business Hours : Mon - Fri 08:30 -17:30 MYT