Connect with us

Hi, what are you looking for?

SecurityWeekSecurityWeek

Vulnerabilities

MySQL Authentication Flaw Easy to Exploit, Researchers Say

Researchers are warning organizations that a recently-fixed authentication vulnerability in MySQL is simple to exploit.

The authentication bypass, called “tragically comedic” by Rapid7’s HD Moore, also affects MariaDB and was fixed in recent versions of both products.

Researchers are warning organizations that a recently-fixed authentication vulnerability in MySQL is simple to exploit.

The authentication bypass, called “tragically comedic” by Rapid7’s HD Moore, also affects MariaDB and was fixed in recent versions of both products.

“This flaw was rooted in an assumption that the memcmp() function would always return a value within the range -127 to 127 (signed character),” explained Moore, chief security officer at Rapid7. “On some platforms and with certain optimizations enabled, this routine can return values outside of this range, eventually causing the code that compares a hashed password to sometimes return true even when the wrong password is specified. Since the authentication protocol generates a different hash each time this comparison is done, there is a 1 in 256 chance that any password would be accepted for authentication.”

Whether a particular build of MySQL or MariaDB is vulnerable, depends on how and where it was built, MariaDB Security Coordinator Sergei Golubchik explained on the Full Disclosure mailing list.

“A prerequisite is a memcmp() that can return an arbitrary integer (outside of -128..127 range). To my knowledge gcc builtin memcmp is safe, BSD libc memcmp is safe,” he explained. “Linux glibc sse-optimized memcmp is not safe, but gcc usually uses the inlined builtin version.”

According to Moore, statistics compiled in a research project he is involved in underscore how many organizations could be in danger if they are running vulnerable instances of MySQL. As part of the project, Moore said he was able to find and gather the initial handshake for roughly 1.74 million MySQL servers on the Internet. Of the 1.74 million, more than half failed to enforce host-based access controls.

“The first rule of securing MySQL is to not expose to the network at large in the first place,” Moore blogged. “Most Linux distributions bind the MySQL daemon to localhost, preventing remote access to the service. In cases where network access must be provided, MySQL also provides host-based access controls. There are few use cases where the MySQL daemon should be intentionally exposed to the wider network and without any form of host-based access control.”

“If you are responsible for a MySQL server that is currently exposed to the network unnecessarily, the easiest thing to do is to modify the my.cnf file in order to restrict access to the local system,” he continued. “Open my.cnf with the editor of your choice, find the section labeled [mysqld] and change (or add a new line to set) the “bind-address” parameter to “127.0.0.1”. Restart the MySQL service to apply this setting.”

Advertisement. Scroll to continue reading.

Joshua Drake, a researcher with Accuvant Labs, has provided a sample application that can be used to determine if a system is affected.

Written By

Marketing professional with a background in journalism and a focus on IT security.

Click to comment

Trending

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Understand how to go beyond effectively communicating new security strategies and recommendations.

Register

Join us for an in depth exploration of the critical nature of software and vendor supply chain security issues with a focus on understanding how attacks against identity infrastructure come with major cascading effects.

Register

Expert Insights

Related Content

Vulnerabilities

Less than a week after announcing that it would suspended service indefinitely due to a conflict with an (at the time) unnamed security researcher...

Data Breaches

OpenAI has confirmed a ChatGPT data breach on the same day a security firm reported seeing the use of a component affected by an...

IoT Security

A group of seven security researchers have discovered numerous vulnerabilities in vehicles from 16 car makers, including bugs that allowed them to control car...

Vulnerabilities

A researcher at IOActive discovered that home security systems from SimpliSafe are plagued by a vulnerability that allows tech savvy burglars to remotely disable...

Risk Management

The supply chain threat is directly linked to attack surface management, but the supply chain must be known and understood before it can be...

Cybercrime

Patch Tuesday: Microsoft calls attention to a series of zero-day remote code execution attacks hitting its Office productivity suite.

Vulnerabilities

Patch Tuesday: Microsoft warns vulnerability (CVE-2023-23397) could lead to exploitation before an email is viewed in the Preview Pane.

Vulnerabilities

The latest Chrome update brings patches for eight vulnerabilities, including seven reported by external researchers.