When the latest release of MariaDB was announced in April by MontyProgram AB founder and MySQL creator Michael “Monty” Widenius, it came with a warning from Widenius that a severe security bug had been discovered in previous versions of both MariaDB and MySQL. Oracle subsequently released a patch for MySQL. Now the details of the flaw, and the extent of the vulnerability, have been revealed: it could allow anyone who knows a valid user account on the database to connect using any password, simply by submitting it repeatedly in a brute-force attack.
The affected versions of both databases have a flaw in their authentication system caused by a variation in how the memcmp() function—which compares two values stored in memory to see if they are equal—is implemented in some Linux compilers. When a user connects to the database and submits a password, the authentication system creates a token from the submitted password using a Secure Hash Algorithm and a randomly generated string of text as the key. The resulting token is compared, using the memcmp function, to a hash made from the password stored in the system; memcmp returns zero if the two are the same and is supposed to return a positive or negative integer if they are not. A return of “0” would therefore mean the password is correct.
But in the affected versions of MariaDB and MySQL, as MontyProgram’s Sergei Golubchik wrote in a list posting on June 9, the database can be fooled into accepting a password even if it doesn’t match. “Because of incorrect [type] casting [in the code],” he wrote, “it might’ve happened that the token and the expected value were considered equal, even if the memcmp() returned a non-zero value. In this case, MySQL/MariaDB would think that the password is correct even while it is not.”
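To make the cast Golubchik describes concrete, here is an added illustration in C that is not MySQL's or MariaDB's code: a stand-in memcmp() whose result can exceed one byte, a check that returns that int through a one-byte boolean type, and the corrected check that decides in full int width first. The my_bool typedef, the wide_memcmp() stand-in and the two 20-byte sample tokens are assumptions constructed for the example.

```c
#include <stdio.h>
#include <stddef.h>

/* Assumed one-byte boolean type (unsigned so the narrowing below is well-defined C). */
typedef unsigned char my_bool;

#define TOKEN_LEN 20 /* SHA-1 digest size, the token length in the scheme described above */

/* Stand-in for a memcmp() that reports the first differing bytes as a scaled
 * difference instead of -1/0/1 (constructed so results outside -128..127 occur). */
static int wide_memcmp(const unsigned char *a, const unsigned char *b, size_t n)
{
    for (size_t i = 0; i < n; i++)
        if (a[i] != b[i])
            return ((int)a[i] - (int)b[i]) * 256;
    return 0; /* identical buffers */
}

/* Flawed pattern: the int result is returned through a one-byte type, so any
 * multiple of 256 collapses to 0 and reads as "match". */
static my_bool check_scramble_flawed(const unsigned char *tok, const unsigned char *exp)
{
    return wide_memcmp(tok, exp, TOKEN_LEN);
}

/* Corrected pattern: test for zero while still an int, then return only 0 or 1. */
static my_bool check_scramble_fixed(const unsigned char *tok, const unsigned char *exp)
{
    return wide_memcmp(tok, exp, TOKEN_LEN) != 0;
}

/* Constructed sample data: the expected hash and a token differing by one in byte 0. */
static const unsigned char EXPECTED[TOKEN_LEN] = {
    0x10,0x10,0x10,0x10,0x10,0x10,0x10,0x10,0x10,0x10,
    0x10,0x10,0x10,0x10,0x10,0x10,0x10,0x10,0x10,0x10 };
static const unsigned char WRONG_TOKEN[TOKEN_LEN] = {
    0x11,0x10,0x10,0x10,0x10,0x10,0x10,0x10,0x10,0x10,
    0x10,0x10,0x10,0x10,0x10,0x10,0x10,0x10,0x10,0x10 };

int main(void)
{
    /* 0 means "password accepted" in both checkers, mirroring memcmp's convention */
    printf("flawed check, wrong token: %s\n",
           check_scramble_flawed(WRONG_TOKEN, EXPECTED) == 0 ? "ACCEPTED" : "rejected");
    printf("fixed check,  wrong token: %s\n",
           check_scramble_fixed(WRONG_TOKEN, EXPECTED) == 0 ? "ACCEPTED" : "rejected");
    return 0;
}
```

With a real memcmp() that only ever returns -1, 0 or 1 the flawed version behaves correctly, which is why the bug surfaced only on builds whose memcmp() returns wider values.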
See original article:
Security flaw in MySQL, MariaDB allows access with any password—just keep submitting it