Researchers are warning organizations that a recently-fixed authentication vulnerability in MySQL is simple to exploit.
The authentication bypass, called “tragically comedic” by Rapid7’s HD Moore, also affects MariaDB and was fixed in recent versions of both products.
“This flaw was rooted in an assumption that the memcmp() function would always return a value within the range -127 to 127 (signed character),” explained Moore, chief security officer at Rapid7. “On some platforms and with certain optimizations enabled, this routine can return values outside of this range, eventually causing the code that compares a hashed password to sometimes return true even when the wrong password is specified. Since the authentication protocol generates a different hash each time this comparison is done, there is a 1 in 256 chance that any password would be accepted for authentication.”
Whether a particular build of MySQL or MariaDB is vulnerable, depends on how and where it was built, MariaDB Security Coordinator Sergei Golubchik explained on the Full Disclosure mailing list.
“A prerequisite is a memcmp() that can return an arbitrary integer (outside of -128..127 range). To my knowledge gcc builtin memcmp is safe, BSD libc memcmp is safe,” he explained. “Linux glibc sse-optimized memcmp is not safe, but gcc usually uses the inlined builtin version.”
According to Moore, statistics compiled in a research project he is involved in underscore how many organizations could be in danger if they are running vulnerable instances of MySQL. As part of the project, Moore said he was able to find and gather the initial handshake for roughly 1.74 million MySQL servers on the Internet. Of the 1.74 million, more than half failed to enforce host-based access controls.
“The first rule of securing MySQL is to not expose to the network at large in the first place,” Moore blogged. “Most Linux distributions bind the MySQL daemon to localhost, preventing remote access to the service. In cases where network access must be provided, MySQL also provides host-based access controls. There are few use cases where the MySQL daemon should be intentionally exposed to the wider network and without any form of host-based access control.”
“If you are responsible for a MySQL server that is currently exposed to the network unnecessarily, the easiest thing to do is to modify the my.cnf file in order to restrict access to the local system,” he continued. “Open my.cnf with the editor of your choice, find the section labeled [mysqld] and change (or add a new line to set) the “bind-address” parameter to “127.0.0.1”. Restart the MySQL service to apply this setting.”
Joshua Drake, a researcher with Accuvant Labs, has provided a sample application that can be used to determine if a system is affected.