Kaspersky Lab reported this vulnerability on its Threatpost news site. Sergei Golubchik, MariaDB security coordinator, published the full notice of the security issue (CVE-2012-2122) to SecLists.org. The issue affects both MariaDB and MySQL. The security bulletin notes that all MariaDB and MySQL versions up to 5.1.61, 5.2.11, 5.3.5 and 5.5.22 are vulnerable. MariaDB versions from 5.1.62, 5.2.12, 5.3.6 and 5.5.23 onward are not vulnerable. Likewise, if you're using MySQL 5.1.63, 5.5.24 or 5.6.6 or later, you're protected from this issue.
The security weakness stems from a mistake in the way MySQL and MariaDB compare password tokens. When a client connects, the server computes a token from the stored password hash and the random challenge it sent, and compares it with the value the client supplied using memcmp(). memcmp() returns an int, but the server stored that result in my_bool, an 8-bit type. Because of that incorrect cast, the token and the expected value could be treated as equal even though memcmp() returned a non-zero value, and MySQL/MariaDB would accept a password that was wrong.
So here's the problem: memcmp() is only specified to return a negative, zero or positive value, yet the code assumed the result would always lie within -128 through 127, the range an 8-bit type can hold. Optimized memcmp() implementations, such as the SSE-optimized routine in glibc on x86_64, can return values well outside that range, and whenever such a value is a multiple of 256 the truncated result is zero, which reads as "match". Because the challenge is random, each login attempt has roughly a one-in-256 chance of hitting this. Builds that link against a memcmp() returning only -1, 0 or 1 do not trigger the bug, which is why it surfaced on some distributions' 64-bit packages and not on others; the fix removes the dependence on the libc by reducing the memcmp() result to a clean 0/1 before it is narrowed. A malicious hacker who knows a user name to connect with (such as "root") and a simple tool that repeatedly attempts a login with any password can get in quickly. As Golubchik noted, with such a tool, the approximately 300 attempts required to break in "takes only a fraction of a second, so basically account password protection is as good as nonexistent."
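To make the mechanism concrete, here is an added C example (not code from the page, the MySQL/MariaDB source or the Metasploit write-up) that models the vulnerable comparison beside the fixed one and then runs the attacker's repeated-login loop as a simulation. The wide_memcmp() routine is an assumption for illustration: it stands in for an optimized memcmp() by returning the difference of the first differing 32-bit words, which is a legal result (only the sign is specified) whose magnitude is arbitrary; the real glibc routine is different. The splitmix64 constants and the sample token values are likewise constructed for the demonstration.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define SHA1_HASH_SIZE 20
typedef char my_bool;   /* the 8-bit type the vulnerable check returned through */
/* Stand-in for an optimized memcmp() (an assumption for illustration; the real
 * glibc routine differs).  It compares 32-bit words and returns the difference
 * of the first pair that differs: legal, since only the sign of a memcmp()
 * result is specified, but the magnitude is arbitrary (256, -512, 65536 ...). */
static int wide_memcmp(const void *a, const void *b, size_t n)
{
    const unsigned char *pa = a, *pb = b;
    size_t i = 0;
    for (; i + 4 <= n; i += 4) {
        uint32_t wa, wb;
        memcpy(&wa, pa + i, sizeof wa);
        memcpy(&wb, pb + i, sizeof wb);
        if (wa != wb)
            return (int)(int32_t)(wa - wb);
    }
    for (; i < n; i++)
        if (pa[i] != pb[i])
            return pa[i] - pb[i];
    return 0;
}

/* Vulnerable shape of the server-side check (0 means "token matches"): the int
 * from memcmp() is narrowed to my_bool, so 256 becomes 0 and a wrong token passes. */
static my_bool check_scramble_vulnerable(const unsigned char *tok, const unsigned char *want)
{
    return (my_bool) wide_memcmp(tok, want, SHA1_HASH_SIZE);
}
/* Fixed shape: collapse to 0/1 before the narrowing, as the upstream fix did
 * by testing the memcmp() result for != 0. */
static my_bool check_scramble_fixed(const unsigned char *tok, const unsigned char *want)
{
    return wide_memcmp(tok, want, SHA1_HASH_SIZE) != 0;
}
/* 1 if the vulnerable check accepts a token whose first word differs from the
 * expected value by exactly 256 while the fixed check rejects it. */
static int vulnerable_accepts_wrong_token(void)
{
    unsigned char want[SHA1_HASH_SIZE] = {0}, tok[SHA1_HASH_SIZE] = {0};
    tok[1] = 1;   /* word difference 256 (65536 on big-endian); both truncate to 0 */
    return check_scramble_vulnerable(tok, want) == 0 && check_scramble_fixed(tok, want) != 0;
}
/* splitmix64: small deterministic PRNG so the simulation is reproducible. */
static uint64_t splitmix64(uint64_t *state)
{
    uint64_t z = (*state += 0x9E3779B97F4A7C15ULL);
    z = (z ^ (z >> 30)) * 0xBF58476D1CE4E5B9ULL;
    z = (z ^ (z >> 27)) * 0x94D049BB133111EBULL;
    return z ^ (z >> 31);
}
typedef struct { int vulnerable; int fixed; } bypass_counts;

/* Simulate `trials` logins with a wrong password.  Each login gets a fresh
 * random challenge, so token and expected value behave as random 20-byte
 * strings.  Expect about trials/256 acceptances from the vulnerable check
 * and none from the fixed one. */
static bypass_counts simulate_bypasses(uint64_t seed, int trials)
{
    bypass_counts c = {0, 0};
    unsigned char tok[SHA1_HASH_SIZE], want[SHA1_HASH_SIZE];
    for (int i = 0; i < trials; i++) {
        for (size_t j = 0; j < SHA1_HASH_SIZE; j++) {
            tok[j] = (unsigned char) splitmix64(&seed);
            want[j] = (unsigned char) splitmix64(&seed);
        }
        c.vulnerable += check_scramble_vulnerable(tok, want) == 0;
        c.fixed += check_scramble_fixed(tok, want) == 0;
    }
    return c;
}

/* Chance that at least one of `attempts` tries gets through when each try
 * succeeds with probability 1/256: 1 - (255/256)^attempts. */
static double bypass_probability(int attempts)
{
    double miss = 1.0;
    for (int i = 0; i < attempts; i++)
        miss *= 255.0 / 256.0;
    return 1.0 - miss;
}

int main(void)
{
    bypass_counts c = simulate_bypasses(0x1badb002, 100000);
    printf("off-by-256 token accepted by vulnerable check: %s\n", vulnerable_accepts_wrong_token() ? "yes" : "no");
    printf("100000 wrong logins: vulnerable accepted %d, fixed accepted %d\n", c.vulnerable, c.fixed);
    printf("P(at least one success in 300 attempts) = %.3f\n", bypass_probability(300));
    return 0;
}
```

The simulation is what the advisory's arithmetic looks like in practice: a few hundred of every hundred thousand wrong logins slip past the narrowed comparison, none get past the fixed one, and 300 attempts give an attacker about a 69% chance of at least one success. Swapping wide_memcmp() for a memcmp() that returns only -1, 0 or 1 makes the vulnerable function appear safe, which is exactly why the bug depended on the build and libc rather than on the MySQL source alone.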
If your system is affected, don't hesitate to fix it. HD Moore has already published a Metasploit module along with a write-up that is worth reading just for the additional detail on the mechanism behind the security vulnerability. Fortunately, the Linux community is on top of this; several Linux distributions that ship versions of the vulnerable databases have pushed out patches. The write-up also goes into detail on what you need to do to prevent hackers from getting into your MySQL installation via this route.
How widespread is this security issue? HD Moore, who posted the Metasploit module, found 1.74 million MySQL servers across the Internet at large that answered with a handshake. A little more than half of them (879,046 versus 863,920) did not enforce host-based access controls. Breaking down the accessible servers by version and build flavor, he easily identified nearly 44,000 running Ubuntu. "Knowing that most Ubuntu 64-bit builds are likely to be vulnerable, the real question is how many of nearly 44,000 Ubuntu systems are running 64-bit editions of the operating system," Moore observed.
Here's the really scary part from the Metasploit write-up: "If you are approaching this issue from the perspective of a penetration tester, this will be one of the most useful MySQL tricks for some time to come. One feature of Metasploit you should be familiar with is the mysql_hashdump module. This module uses a known username and password to access the master user table of a MySQL server and dump it into a locally-stored 'loot' file. This can be easily cracked using a tool like John the Ripper, providing clear-text passwords that may provide further access." So don't hesitate; seek out the patches appropriate to your system and get them in place as soon as you can.