Simple authentication bypass for MySQL root revealed - Update
Exploits for a recently revealed MySQL authentication bypass flaw are now in the wild, partly because the flaw is remarkably simple to exploit in order to gain root access to the database. The only mitigating factor appears to be that it depends on the C library that the MySQL database was built with. The bypass, assigned the vulnerability ID CVE-2012-2122, allows an attacker to gain root access by repeatedly trying to log in with an incorrect password. Each attempt has a 1 in 256 chance of being given access. The exploits are mostly variations of looping through connecting to MySQL with a bad password around 300 to 512 times.
The vulnerability, which was detailed in a posting by MariaDB security coordinator Sergei Golubchik, is due to a casting error when checking the results of comparing (with the memcmp function) the password given and the expected password. "Basically account password protection is as good as nonexistent", says Golubchik, adding "Any client will do, there's no need for a special libmysqlclient library". Vulnerable versions of MySQL and MariaDB are those compiled with libraries that return integers outside the -128 to 127 range for
memcmp. According to Golubchik the gcc built in
memcmp and BSD libc
memcmp are safe, but the linux glibc sse-optimised memcmp is not safe.
He also believes that official vendor builds of MySQL or MariaDB are not vulnerable, but that all versions, up to 5.1.61, 5.2.11, 5.3.5 and 5.5.22, are potentially vulnerable. Oracle fixed the problem in MySQL, bug id 64884, with MySQL 5.1.63 and 5.5.24, both of which were released over a month ago. The applied fix is a single line change; a similar patch is available for MariaDB source. Linux vendors are expected to be providing fixed versions of their MySQL builds soon.
Calling the flaw "tragically comedic", security expert HD Moore has a posting in which he details where MySQL is vulnerable. So far, 64-bit versions of Ubuntu Linux (10.04, 10.10, 11.04, 11.10 and 12.04), OpenSuSE 12.1 64-bit, Fedora 16 64-bit and Arch Linux have been found to have vulnerable MySQL releases. Debian, RHEL, CentOS and Gentoo, among others, have been found not to be vulnerable. Moore reminds administrators that they should restrict network access to their MySQL databases to only systems that are secure and absolutely require it. Moore also noted that there was now a Metasploit module which used the vulnerability to retrieve all the server's passwords.
Update (12/6/2012) – The Ubuntu developers have moved to release updates to all versions of Ubuntu's MySQL database to close the password authentication hole that was revealed over the weekend. The security notice says that Ubuntu 12.04 LTS, 11.10, 11.04, 10.04 LTS and 8.04 LTS are all having their MySQL release updated. Ubuntu 12.04 LTS is being updated to 5.5.24, while 8.0.4 LTS is having a patch backported to its MySQL 5.0 database; all other versions are being updated to MySQL 5.1.63.