Attacks on a MySQL authentication bypass flaw are now in the wild, partly because the flaw is simple to exploit and yields root access to the database.
The only mitigating factor appears to be that exploitability depends on which C library the MySQL database was built against. The bypass, assigned the vulnerability ID CVE-2012-2122, allows an attacker to gain root access by repeatedly trying to log in with an incorrect password; each attempt has a 1 in 256 chance of being accepted. The exploits are mostly variations on a loop that connects to MySQL with a bad password around 300 to 512 times.
The vulnerability, detailed by MariaDB security coordinator Sergei Golubchik, is due to a casting error when checking the result of comparing (with the memcmp function) the password given against the expected password. “Basically account password protection is as good as nonexistent”, said Golubchik, adding “Any client will do, there’s no need for a special libmysqlclient library”. Vulnerable versions of MySQL and MariaDB are those compiled against libraries whose memcmp returns integers outside the -128 to 127 range. According to Golubchik, the gcc built-in memcmp and the BSD libc memcmp are safe, but the Linux glibc SSE-optimized memcmp is not.
He also said official vendor builds of MySQL or MariaDB are not vulnerable, but that all versions up to 5.1.61, 5.2.11, 5.3.5 and 5.5.22 are potentially vulnerable. Oracle fixed the problem in MySQL (bug id 64884) with MySQL 5.1.63 and 5.5.24, both released over a month ago. The applied fix is a single-line change; a similar patch is available for the MariaDB source. Linux vendors will provide fixed versions of their MySQL builds soon.
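The two paragraphs above describe the bug (an int from memcmp squeezed into a one-byte boolean) and the one-line shape of the fix. The following is an added illustration written for this page, not MySQL's or MariaDB's source: the `my_bool` typedef mirrors MySQL's one-byte boolean, `wide_memcmp` is a constructed stand-in for an optimized memcmp whose return value can fall outside -128..127 (here every byte difference is scaled by 256 so that each mismatch shows the truncation, whereas the article puts the real odds at about 1 in 256 per attempt), and the two sample hashes are constructed values, not real password hashes.

```c
#include <stddef.h>
#include <stdio.h>

/* Mirrors MySQL's my_bool, a plain char: storing an int in it keeps only the
   low 8 bits (implementation-defined in C, but plain wraparound on gcc/x86). */
typedef char my_bool;

#define HASH_LEN 20  /* SHA1-sized hash, the size compared by the native scheme */

/* Constructed stand-in for an optimized memcmp. It is standard-conforming
   (the sign says which input is greater) but, like the glibc SSE-optimized
   version the article mentions, its magnitude is not limited to -128..127.
   The first byte difference is scaled by 256 purely to make the defect visible. */
static int wide_memcmp(const void *a, const void *b, size_t n)
{
    const unsigned char *pa = a, *pb = b;
    for (size_t i = 0; i < n; i++) {
        if (pa[i] != pb[i])
            return ((int)pa[i] - (int)pb[i]) * 256;
    }
    return 0;
}

/* Vulnerable pattern: the int result is stored straight into my_bool, so any
   result that is a multiple of 256 becomes 0 and reads as "passwords match".
   Returns 1 when the login would be accepted. */
int login_accepted_vulnerable(const unsigned char *expected,
                              const unsigned char *reply)
{
    my_bool mismatch = wide_memcmp(expected, reply, HASH_LEN);
    return mismatch == 0;
}

/* Fixed pattern, in the spirit of the single-line change the article describes:
   collapse the comparison to 0/1 before it reaches my_bool. */
int login_accepted_fixed(const unsigned char *expected,
                         const unsigned char *reply)
{
    my_bool mismatch = wide_memcmp(expected, reply, HASH_LEN) != 0;
    return mismatch == 0;
}

/* Counts the ints in [lo, hi] that collapse to 0 when truncated to my_bool:
   roughly one in 256, which is the per-attempt success rate the article quotes. */
int count_truncated_to_zero(int lo, int hi)
{
    int n = 0;
    for (int v = lo; v <= hi; v++)
        if ((my_bool)v == 0)
            n++;
    return n;
}

/* Constructed sample hashes: the stored hash and one that differs in byte 0. */
const unsigned char SAMPLE_EXPECTED[HASH_LEN] = {
    0x11, 0x22, 0x33, 0x44, 0x55, 0x66, 0x77, 0x88, 0x99, 0xaa,
    0xbb, 0xcc, 0xdd, 0xee, 0xff, 0x01, 0x02, 0x03, 0x04, 0x05 };
const unsigned char SAMPLE_WRONG[HASH_LEN] = {
    0x12, 0x22, 0x33, 0x44, 0x55, 0x66, 0x77, 0x88, 0x99, 0xaa,
    0xbb, 0xcc, 0xdd, 0xee, 0xff, 0x01, 0x02, 0x03, 0x04, 0x05 };

int main(void)
{
    printf("wrong password, vulnerable check: %s\n",
           login_accepted_vulnerable(SAMPLE_EXPECTED, SAMPLE_WRONG) ? "ACCEPTED" : "rejected");
    printf("wrong password, fixed check:      %s\n",
           login_accepted_fixed(SAMPLE_EXPECTED, SAMPLE_WRONG) ? "ACCEPTED" : "rejected");
    printf("ints in 1..1024 that truncate to 0: %d\n", count_truncated_to_zero(1, 1024));
    return 0;
}
```

The detection angle follows directly from the truncation: a build is only exposed if its memcmp can return values outside the signed-char range, which is why the same MySQL source is safe on one distribution and vulnerable on another. On a server, the exploit pattern in the article shows up as a burst of hundreds of failed logins for one account within seconds, which is worth alerting on regardless of whether the build is affected.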
Calling the flaw “tragically comedic”, security expert HD Moore has published a post detailing which builds of MySQL are vulnerable. So far, 64-bit versions of Ubuntu Linux (10.04, 10.10, 11.04, 11.10 and 12.04), OpenSuSE 12.1 64-bit, Fedora 16 64-bit and Arch Linux have vulnerable MySQL releases. Debian, RHEL, CentOS and Gentoo, among others, are not vulnerable.
Ubuntu developers have released updates for all supported versions of Ubuntu’s MySQL database to close the password authentication hole. Ubuntu 12.04 LTS, 11.10, 11.04, 10.04 LTS and 8.04 LTS all receive updated MySQL packages: Ubuntu 12.04 LTS moves to 5.5.24, 8.04 LTS gets a patch backported to its MySQL 5.0 database, and all other versions move to MySQL 5.1.63.