Researchers are warning organizations that a recently fixed authentication vulnerability in MySQL is simple to exploit.
The authentication bypass, called “tragically comedic” by Rapid7’s HD Moore, also affects MariaDB and was fixed in recent versions of both products.
“This flaw was rooted in an assumption that the memcmp() function would always return a value within the range -127 to 127 (signed character),” explained Moore, chief security officer at Rapid7. “On some platforms and with certain optimizations enabled, this routine can return values outside of this range, eventually causing the code that compares a hashed password to sometimes return true even when the wrong password is specified. Since the authentication protocol generates a different hash each time this comparison is done, there is a 1 in 256 chance that any password would be accepted for authentication.”
Whether a particular build of MySQL or MariaDB is vulnerable depends on how and where it was built, MariaDB Security Coordinator Sergei Golubchik explained on the Full Disclosure mailing list.
“A prerequisite is a memcmp() that can return an arbitrary integer (outside of -128..127 range). To my knowledge gcc builtin memcmp is safe, BSD libc memcmp is safe,” he explained. “Linux glibc sse-optimized memcmp is not safe, but gcc usually uses the inlined builtin version.”
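The two explanations above describe one mechanism: the comparison result of memcmp(), an int, is narrowed into a one-byte boolean, so any return value that is a multiple of 256 collapses to 0 and reads as "hashes match". The following C program is an added illustration written for this article, not code from MySQL, MariaDB, Rapid7 or Accuvant. The 16-bit-chunk memcmp stand-in, the my_bool typedef, HASH_SIZE and the function names are constructions that mimic the shape of the server's 20-byte hash comparison and of an optimized memcmp whose return values fall outside -128..127; none of them is the projects' own code.

```c
#include <stdio.h>
#include <stdint.h>
#include <string.h>

#define HASH_SIZE 20        /* assumption: the 20-byte SHA-1 stage-2 hash the server compares */
typedef char my_bool;       /* assumption: one-byte signed "boolean" return type (the narrowing sink) */

/* Constructed stand-in for a platform-optimized memcmp. It compares big-endian
 * 16-bit chunks and returns the raw difference of the first chunk that differs,
 * so it is a valid memcmp (the C standard only specifies the sign) but can
 * return any value in -65535..65535, not just -128..127. */
static int wide_memcmp(const void *a, const void *b, size_t n)
{
    const unsigned char *p = a, *q = b;
    size_t i;
    for (i = 0; i + 1 < n; i += 2) {
        int x = (p[i] << 8) | p[i + 1];
        int y = (q[i] << 8) | q[i + 1];
        if (x != y)
            return x - y;
    }
    if (i < n && p[i] != q[i])
        return (int)p[i] - (int)q[i];
    return 0;
}

/* Vulnerable shape: the int result is returned through a char. On the usual
 * two's-complement platforms the value is truncated to its low 8 bits, so
 * +256 or -256 becomes 0, i.e. "match". Returns 0 when the hashes are taken to match. */
static my_bool check_scramble_vulnerable(const uint8_t *expected, const uint8_t *reassured)
{
    return wide_memcmp(expected, reassured, HASH_SIZE);   /* int silently narrowed to char */
}

/* Hardened shape: collapse the result to 0/1 before the narrowing conversion. */
static my_bool check_scramble_fixed(const uint8_t *expected, const uint8_t *reassured)
{
    return wide_memcmp(expected, reassured, HASH_SIZE) != 0;
}

/* Simulated server decision: 1 = login accepted. */
static int login_accepted(my_bool (*check)(const uint8_t *, const uint8_t *),
                          const uint8_t *stored, const uint8_t *presented)
{
    return check(stored, presented) == 0;
}

/* Crafted wrong hash: differs from the stored hash only in the high byte of the
 * first chunk, so wide_memcmp returns -256, which a char reads as 0. */
static void crafted_pair(uint8_t *stored, uint8_t *presented)
{
    memset(stored, 0x10, HASH_SIZE);
    memset(presented, 0x10, HASH_SIZE);
    presented[0] = 0x11;
}

static int crafted_case_vulnerable_accepts(void)
{
    uint8_t s[HASH_SIZE], p[HASH_SIZE];
    crafted_pair(s, p);
    return login_accepted(check_scramble_vulnerable, s, p);   /* 1: bypass */
}

static int crafted_case_fixed_accepts(void)
{
    uint8_t s[HASH_SIZE], p[HASH_SIZE];
    crafted_pair(s, p);
    return login_accepted(check_scramble_fixed, s, p);        /* 0: rejected */
}

/* Deterministic xorshift32 so the trial below is reproducible (constructed input). */
static uint32_t xorshift32(uint32_t *s)
{
    uint32_t x = *s;
    x ^= x << 13; x ^= x >> 17; x ^= x << 5;
    return *s = x;
}

/* Present `trials` random wrong hashes to the vulnerable check and count how
 * many it accepts: a random first chunk differs in its high byte but not its
 * low byte with probability 255/65536, so expect roughly trials/256 bypasses. */
static int count_bypasses(int trials)
{
    uint8_t stored[HASH_SIZE], wrong[HASH_SIZE];
    uint32_t seed = 0x9E3779B9u;
    int accepted = 0;
    memset(stored, 0x42, sizeof stored);
    for (int t = 0; t < trials; t++) {
        for (int i = 0; i < HASH_SIZE; i++)
            wrong[i] = (uint8_t)(xorshift32(&seed) >> 24);
        if (memcmp(stored, wrong, HASH_SIZE) != 0 &&
            login_accepted(check_scramble_vulnerable, stored, wrong))
            accepted++;
    }
    return accepted;
}

int main(void)
{
    printf("crafted wrong hash: vulnerable accepts=%d, fixed accepts=%d\n",
           crafted_case_vulnerable_accepts(), crafted_case_fixed_accepts());
    printf("random wrong hashes accepted by vulnerable check: %d of 65536 (about 1 in 256)\n",
           count_bypasses(65536));
    return 0;
}
```

Swapping wide_memmcmp for the platform's own memcmp is the test Golubchik's remark implies: with gcc's inlined builtin, the return value is the signed byte difference and the truncation is harmless; with a memcmp that returns wider values, the vulnerable shape accepts a wrong password about once in 256 attempts, which is why the fix is to normalize the comparison to 0/1 rather than to trust memcmp's range.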
According to Moore, statistics from a research project he is involved in underscore how many organizations could be at risk if they are running vulnerable instances of MySQL. As part of the project, Moore said he was able to find and gather the initial handshake for roughly 1.74 million MySQL servers on the Internet. Of those 1.74 million, more than half failed to enforce host-based access controls.
“The first rule of securing MySQL is to not expose it to the network at large in the first place,” Moore blogged. “Most Linux distributions bind the MySQL daemon to localhost, preventing remote access to the service. In cases where network access must be provided, MySQL also provides host-based access controls. There are few use cases where the MySQL daemon should be intentionally exposed to the wider network and without any form of host-based access control.”
“If you are responsible for a MySQL server that is currently exposed to the network unnecessarily, the easiest thing to do is to modify the my.cnf file in order to restrict access to the local system,” he continued. “Open my.cnf with the editor of your choice, find the section labeled [mysqld] and change (or add a new line to set) the ‘bind-address’ parameter to ‘127.0.0.1’. Restart the MySQL service to apply this setting.”
Joshua Drake, a researcher with Accuvant Labs, has provided a sample application that can be used to determine if a system is affected.
