MySQL Flaw Grants Database Access to Users With Wrong Passwords
Researchers are warning organizations to address a recently-patched authentication bypass vulnerability affecting MySQL databases.
Calling the issue "tragically comedic," Rapid7's HD Moore explained that the flaw allows for any password to be accepted even if it not the right one.
"This flaw was rooted in an assumption that the memcmp() function would always return a value within the range -127 to 127 (signed character)," blogged Moore, chief security officer at Rapid7. "On some platforms and with certain optimizations enabled, this routine can return values outside of this range, eventually causing the code that compares a hashed password to sometimes return true even when the wrong password is specified. Since the authentication protocol generates a different hash each time this comparison is done, there is a 1 in 256 chance that any password would be accepted for authentication."
The issue also impacts some versions of MariaDB, a community-developed branch of MySQL. Whether a particular build of MySQL or MariaDB is vulnerable, depends on how and where it was built, MariaDB Security Coordinator Sergei Golubchik explained on the Full Disclosure mailing list.
"A prerequisite is a memcmp() that can return an arbitrary integer (outside of -128..127 range). To my knowledge gcc builtin memcmp is safe, BSD libc memcmp is safe," he explained. "Linux glibc sse-optimized memcmp is not safe, but gcc usually uses the inlined builtin version."
All MariaDB and MySQL versions up to 5.1.61, 5.2.11, 5.3.5, 5.5.22 are vulnerable. Researchers are urging organizations to apply the patch if they have not done so already.
According to Moore, statistics compiled in a research project he is involved in underscore how many organizations could be in danger if they are running vulnerable instances of MySQL. As part of the project, Moore said he was able to find and gather the initial handshake for roughly 1.74 million MySQL servers on the Internetmore than half of which failed to enforce host-based access controls.
"The first rule of securing MySQL is to not expose to the network at large in the first place," Moore blogged. "Most Linux distributions bind the MySQL daemon to localhost, preventing remote access to the service. In cases where network access must be provided, MySQL also provides host-based access controls. There are few use cases where the MySQL daemon should be intentionally exposed to the wider network and without any form of host-based access control."
"If you are responsible for a MySQL server that is currently exposed to the network unnecessarily, the easiest thing to do is to modify the my.cnf file in order to restrict access to the local system," he continued. "Open my.cnf with the editor of your choice, find the section labeled [mysqld] and change (or add a new line to set) the "bind-address" parameter to '127.0.0.1.' Restart the MySQL service to apply this setting."