Release date:
Updated on:
Affected Systems:
MySQL AB MySQL <5.6.6
MySQL AB MySQL <5.5.24
MySQL AB MySQL <5.1.63
MariaDB <5.5.23
MariaDB <5.3.6
MariaDB <5.2.12
MariaDB <5.1.62
Description:
--------------------------------------------------------------------------------
CVE ID: CVE-2012-2122
MariaDB is a database server that provides a drop-in replacement for MySQL. MySQL is an open source database.
Versions earlier than MariaDB 5.1.62, 5.2.12, 5.3.6 and 5.5.23, and MySQL 5.1.63, 5.5.24 and 5.6.6, have a security vulnerability in user authentication: attackers can log on to the MySQL server without knowing the correct password.
After a user connects to MariaDB/MySQL, a token value is calculated and compared with the expected value. Because of an incorrect type conversion, the comparison can be treated as a match even when memcmp() returns a non-zero value, so MySQL/MariaDB mistakenly believes that the password is correct. Because the protocol uses random strings, the probability of hitting this bug is 1/256. Whether a given MySQL build is affected depends on how the program was compiled. Many builds (including the official binaries) are not affected by this vulnerability.
<* Source: Sergei Golubchik
Link: http://seclists.org/oss-sec/2012/q2/493
http://pastie.org/4064638
*>
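The truncation described above, shown in isolation as an added example (not code from the advisory or from MySQL/MariaDB). The names `wide_memcmp`, `narrow_bool`, `mismatch_truncated`, `mismatch_normalized` and `count_false_accepts` are hypothetical, and the token bytes and length are constructed; it compares a check that narrows the comparator's int result to a char-sized value with one that first reduces it to 0/1.

```c
#include <stddef.h>
#include <stdio.h>
#define TOKEN_LEN 20               /* constructed, even length for this demo */
typedef unsigned char narrow_bool; /* stand-in for a char-sized boolean */

/* Hypothetical optimized comparator: compares 16-bit words and returns the
 * raw difference, so results can lie outside -128..127. The C standard only
 * fixes the sign of memcmp()'s result, not its magnitude. */
static int wide_memcmp(const unsigned char *a, const unsigned char *b, size_t n)
{
    for (size_t i = 0; i + 1 < n; i += 2) {
        int wa = (a[i] << 8) | a[i + 1];
        int wb = (b[i] << 8) | b[i + 1];
        if (wa != wb)
            return wa - wb;
    }
    return 0;
}

/* Flawed: narrowing keeps only the low 8 bits, so a result of 256 becomes 0. */
static narrow_bool mismatch_truncated(int r) { return (narrow_bool)r; }
/* Corrected: reduce to 0/1 first, so every nonzero result stays nonzero. */
static int mismatch_normalized(int r) { return r != 0; }

/* Vary the first two bytes over all 65535 wrong values and count how many
 * wrong tokens the chosen check reports as "no mismatch". */
static unsigned count_false_accepts(int use_truncated)
{
    unsigned char expected[TOKEN_LEN], guess[TOKEN_LEN];
    unsigned accepted = 0;
    for (size_t i = 0; i < TOKEN_LEN; i++)  /* constructed token bytes */
        expected[i] = guess[i] = (unsigned char)(i * 37 + 11);
    for (unsigned v = 0; v < 65536; v++) {
        guess[0] = (unsigned char)(v >> 8);
        guess[1] = (unsigned char)(v & 0xff);
        int r = wide_memcmp(expected, guess, TOKEN_LEN);
        if (r == 0)
            continue;                       /* the one correct token */
        if (use_truncated ? !mismatch_truncated(r) : !mismatch_normalized(r))
            accepted++;
    }
    return accepted;
}

int main(void)
{
    printf("truncated check:  %u wrong tokens accepted\n", count_false_accepts(1));
    printf("normalized check: %u wrong tokens accepted\n", count_false_accepts(0));
    return 0;
}
```

With this comparator the truncating check passes roughly one wrong token in 256, while the normalized check passes none.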
Test method:
--------------------------------------------------------------------------------
Alert
The following procedures (methods) may be offensive and are intended only for security research and teaching. Use them at your own risk!
Sergei Golubchik provides the following test method:
#include <stdio.h>
#include <stdlib.h>
#include <string.h>   /* memcmp */
#include <time.h>     /* time, time_t */
#include <unistd.h>   /* getpid */

int main(void) {
    int one, two, ret;
    time_t start = time(0);
    time_t now;

    /* Seed from PID and start time so each run compares different values. */
    srand(getpid() * start);
    while (1) {
        one = rand();
        two = rand();
        ret = memcmp(&one, &two, sizeof(int));
        /* A result outside the signed char range is what the faulty conversion mishandles. */
        if (ret < -128 || ret > 127)
            break;
        time(&now);
        if (now - start > 10) {
            printf("Not triggered in 10 seconds, *probably* not vulnerable...\n");
            return 1;
        }
    }
    printf("Vulnerable! memcmp returned: %d\n", ret);
    return 0;
}
Suggestion:
--------------------------------------------------------------------------------
Temporary solution:
If you cannot install or upgrade the patch immediately, NSFOCUS recommends that you take the following measures to reduce the threat:
* Configure MySQL or related networks to only allow access from trusted sources.
Vendor patch:
MySQL AB
--------
Currently, the vendor does not provide patches or upgrade programs. We recommend that users of the software check the vendor's homepage for the latest version:
http://www.mysql.com/
MariaDB
-------
Currently, the vendor does not provide patches or upgrade programs. We recommend that users of the software check the vendor's homepage for the latest version:
http://mariadb.org/