Modernizing Authentication — What It Takes to Transform Secure Access
"When a user connects to MariaDB/MySQL, a token (SHA over a password and a random scramble string) is calculated and compared with the expected value," Golubchik writes. "Because of incorrect casting, it might've happened that the token and the expected value were considered equal, even if the memcmp() returned a non-zero value. In this case MySQL/MariaDB would think that the password is correct, even while it is not. Because the protocol uses random strings, the probability of hitting this bug is about 1/256."
As a result, anyone with a correct user name can connect successfully using any password after repeated attempts. "~300 attempts takes only a fraction of second, so basically account password protection is as good as nonexistent," Golubchik writes.
"Thankfully, however, just because the vulnerable code is contained in a database that uses MySQL or MariaDB code doesn't necessarily mean the database is at risk," writes InformationWeek's Mathew J. Schwartz. "'Although a wide range of MySQL and MariaDB versions use the vulnerable code, only some of these systems are exploitable,' said Metasploit founder, developer, and researcher H.D. Moore, in a blog post that includes workarounds for mitigating the vulnerability in exploitable systems."
"Based on contributed reports, vulnerable systems include Ubuntu Linux 64-bit versions 10.04, 10.10, 11.04, 11.10, and 12.04, as well as OpenSuSE 12.1 with 64-bit MySQL 5.5.23-log and Fedora," writes FierceCIO's Paul Mah. "The simplicity of the attack and the availability of exploit code mean that administrators should regard this as a priority."