A serious security vulnerability has been found in MySQL and MariaDB that allows a remote attacker to gain root access to a database if they attempted to login (with the wrong password) around 256 times. The vulnerability, which was disclosed by Sergei Golubchik – the MariaDB Security Coordinator, occurs because some versions of memcmp() can return an arbitrary integer (outside of the normal -128 to 127 range).
The problem is that when a user connects to MySQL or MariaDB, a hash of the password is used and compared with the sent password. But, because of a casting bug, sometimes the token and the expected password are considered equal even when they are not. This can happen if memcmp() returns a non-zero value. Because the authentication protocol uses random strings, the probability of hitting this bug is about 1 in 256.
HD Moore, creator of Metasploit, has provided a simple one line bash script which will provide access to an affected MySQL server as the root user account, without actually knowing the password.
$ for i in `seq 1 1000`; do mysql -u root --password=bad -h 127.0.0.1 2>/dev/null; done
Of course to run the script you need to have shell access to the machine in question. All MySQL and MariaDB versions up to 5.1.61, 5.2.11, 5.3.5, 5.5.22 are vulnerable. MySQL versions from 5.1.63, 5.5.24, 5.6.6 are not affected. Neither are MariaDB versions from 5.1.62, 5.2.12, 5.3.6, 5.5.23.
Some good news
This is of course a massive security hole and Moore reckons that about 50 percent of Internet servers are vulnerable to the attack. However for systems which don’t open the MySQL port to the Internet then attackers won’t be able to access the MySQL database at all. Also many versions of Linux aren’t vulnerable due to the version of memcmp() they use. Since memcmp is part of the standard C library there are a variety of implementations. The gcc builtin version of memcmp() is safe, memcmp() in BSD’s libc is also safe. However Linux distributions that use glibc with sse-optimizations is not safe.
This means that the following version of Linux are vulnerable:
It is worth noting that official builds of MySQL and MariaDB (including the Windows versions) are not vulnerable and that Red Hat Enterprise Linux 4, 5, and 6 and CentOS are also unaffected. Also the 32-bit versions of Ubuntu are not affected.