
MySQL flaw leaves some systems wide open

By Jake Edge
June 13, 2012

For all their faults, passwords are the dominant means of authentication used by computers and applications today. That makes it a little disconcerting to see reports of various longstanding bugs in password handling recently. Obviously it's good that they are being fixed, but it does make one wonder about how much testing we are doing of this critical link in authentication.

Most of the recent password problems (e.g. the multi-package Crypt-DES vulnerability) don't rise to the level of the MySQL/MariaDB flaw reported on June 9, however. Due to an incorrect narrowing of the return value from memcmp(), the wrong password will be accepted for an existing account with a probability of 1/256. That means that with a fairly small number of tries (256 on average, since each attempt succeeds independently with probability 1/256), an attacker who knows a valid account name can gain access to a MySQL database server, and "root" almost always exists.

While the problem is serious, it is not as bad as it might at first appear. First, it only affects MySQL and MariaDB packages that have been built in a certain way, specifically with GCC using the SSE (Streaming SIMD Extensions) optimization. In that case, memcmp() can return values outside the range of a signed char (-128 to 127). MySQL's check_scramble() hands the int result of memcmp() back through a my_bool, which is a plain char, so only the low-order byte survives: any nonzero result whose low-order byte happens to be zero (roughly 1/256 of the time for a mismatching hash) becomes 0 and is treated as a password match even though it isn't. The SSE optimization is what exposes the flaw, but assuming that memcmp() will only ever return values in that range was a bug regardless: the C standard constrains only the sign of the result, not its magnitude.
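The following C program is an added example, not code from MySQL, MariaDB or glibc. It reproduces the mechanism described above with a hypothetical wide_memcmp() that is a conforming memcmp() (correct sign) but returns differences far outside the char range, shows the pre-fix and post-fix shapes of the comparison (check_scramble_vulnerable() and check_scramble_fixed(), names chosen for this example), demonstrates one crafted pair of hashes that the vulnerable check accepts, and then runs a sweep of pseudo-random wrong-password hashes to measure the acceptance rate. The sweep is also the kind of repeated-wrong-password test that would have flagged the bug. All inputs are constructed; the generator is a small xorshift so the numbers are reproducible.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define SHA1_HASH_SIZE 20

/* MySQL's my_bool is a plain char; returning an int through it keeps only the
 * low-order byte of the value. */
typedef char my_bool;

/* Hypothetical stand-in for an SSE-optimized memcmp(): compares 16-bit
 * big-endian units and returns the difference of the first unit that differs.
 * The sign is what the C standard requires (it matches the first differing
 * byte) but the magnitude can reach 65535. This is not glibc's code. */
static int wide_memcmp(const void *a, const void *b, size_t n)
{
    const unsigned char *pa = a, *pb = b;
    size_t i;

    for (i = 0; i + 1 < n; i += 2) {
        int ua = (pa[i] << 8) | pa[i + 1];
        int ub = (pb[i] << 8) | pb[i + 1];
        if (ua != ub)
            return ua - ub;
    }
    if (i < n && pa[i] != pb[i])
        return (int)pa[i] - (int)pb[i];
    return 0;
}

/* Pre-fix shape: the int is narrowed to my_bool, so a nonzero result whose low
 * byte is 0x00 (256, -512, ...) comes back as 0, i.e. "match". */
static my_bool check_scramble_vulnerable(const unsigned char *stored,
                                         const unsigned char *computed)
{
    return wide_memcmp(stored, computed, SHA1_HASH_SIZE);
}

/* Post-fix shape: collapse to 0/1 before narrowing, so only a genuine zero
 * from memcmp() is a match. */
static my_bool check_scramble_fixed(const unsigned char *stored,
                                    const unsigned char *computed)
{
    return wide_memcmp(stored, computed, SHA1_HASH_SIZE) != 0;
}

/* Constructed pair: first unit is 0x0000 vs 0x0100, memcmp() returns -256 and
 * (char)-256 == 0. Returns 1 when the vulnerable check accepts it and the
 * fixed check rejects it. */
static int crafted_false_match(void)
{
    unsigned char stored[SHA1_HASH_SIZE] = {0};
    unsigned char wrong[SHA1_HASH_SIZE] = {0};

    wrong[0] = 0x01;
    return check_scramble_vulnerable(stored, wrong) == 0 &&
           check_scramble_fixed(stored, wrong) != 0;
}

/* Deterministic xorshift32 so the sweep below is reproducible. */
static uint32_t xs_state = 2463534242u;
static unsigned char rnd_byte(void)
{
    xs_state ^= xs_state << 13;
    xs_state ^= xs_state >> 17;
    xs_state ^= xs_state << 5;
    return (unsigned char)(xs_state >> 24);
}

/* Simulate `attempts` wrong-password logins against one stored hash. Each
 * attempt produces a fresh pseudo-random 20-byte hash, which is what a
 * per-connection scramble makes the server-side recomputed hash look like.
 * Returns how many wrong passwords were accepted: about attempts/256 for the
 * vulnerable check, exactly 0 for the fixed one. */
static long count_false_accepts(long attempts, int use_fixed)
{
    unsigned char stored[SHA1_HASH_SIZE], computed[SHA1_HASH_SIZE];
    long accepted = 0, t;
    size_t i;

    for (i = 0; i < SHA1_HASH_SIZE; i++)
        stored[i] = rnd_byte();
    for (t = 0; t < attempts; t++) {
        for (i = 0; i < SHA1_HASH_SIZE; i++)
            computed[i] = rnd_byte();
        if (memcmp(stored, computed, SHA1_HASH_SIZE) == 0)
            continue;   /* a genuine match is not a false accept */
        my_bool r = use_fixed ? check_scramble_fixed(stored, computed)
                              : check_scramble_vulnerable(stored, computed);
        if (r == 0)
            accepted++;
    }
    return accepted;
}

int main(void)
{
    printf("crafted pair accepted by vulnerable check only: %s\n",
           crafted_false_match() ? "yes" : "no");
    printf("false accepts in 100000 wrong passwords: vulnerable=%ld fixed=%ld\n",
           count_false_accepts(100000, 0), count_false_accepts(100000, 1));
    return 0;
}
```

Build with `cc -std=c99 -Wall memcmp_demo.c -o memcmp_demo`. The `!= 0` in the fixed variant is the whole fix: the narrowing to char is harmless once the value it narrows is already 0 or 1. With the system memcmp() the sweep would show zero false accepts on a platform whose memcmp() returns -1/0/1, which is exactly why the bug went unnoticed on most builds.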

Based on the report and an analysis by HD Moore, it would seem that only some Linux distribution builds are affected. The official builds from the projects are not vulnerable, and only certain (mostly 64-bit) distributions are vulnerable (Ubuntu, openSUSE, Debian unstable, Fedora, and Arch Linux, according to Moore).

Any affected MySQL server is locally exploitable, but the server must be listening on an external interface for it to be remotely exploitable. The attacker also needs an account entry that matches the host they connect from: MySQL grants are scoped to user@host, so a server whose only root account is 'root'@'localhost' is not exposed to a remote attacker even if the port is reachable. Moore did a survey of exposed servers to try to determine the impact of the problem. Without actually trying to log in, it is difficult to get a full accounting, but it is clear that there are at least tens of thousands of affected systems out there listening on the internet.

Sergei Golubchik found and fixed the bug in MariaDB on April 4 and reported it to MySQL on April 6; MySQL fixed it right after the report.

Oracle released a MySQL update as part of its April critical patch update, but makes no mention of the problem (it does list six other CVEs addressed), so either it was silently fixed or is not present there. The release notes for MySQL 5.5.24 and 5.1.63 do mention a security fix for bug 64884, but the bug was presumably still private at that point. MariaDB released several versions on April 6 with the fix as shown in its bug report.

Given that the fix was committed to public repositories and shipped in releases much earlier, it is unclear why the details were withheld until recently. It also seems that the Linux distributions, which are the parties most affected by the bug, did not release updates in the interim. As of this writing, only Ubuntu has released a security update for the problem. That is a little puzzling, as Red Hat was clearly aware of the problem and requested a CVE on April 20, though RHEL is believed to be unaffected. Fedora and other distribution updates seem like they should be coming soon.

While the PostgreSQL/PHP/BSD Crypt-DES flaw only affected users who chose to use a particular authentication scheme, this MySQL flaw is more wide-ranging. In both cases, though, some amount of password fuzz testing would have spotted the problems in short order; a few hundred wrong-password attempts against an affected build are enough to see a spurious success. It would seem that kind of testing isn't being done with any frequency in some of our communities, which could lead to rather serious bugs that aren't detected for long periods of time.

One guesses that "everyone" thinks the password handling code has been shaken out since it is such an important part of the authentication path, but these bugs show that isn't always the case. This problem has existed in MySQL going back to at least 5.1 (which was released in beta in 2005) and the Crypt-DES flaw goes back further than that. It is certainly not just database systems that are affected by these kinds of flaws; one hopes that other applications and systems that use passwords are either already fuzz testing or will be doing so soon.



RHEL not affected

Posted Jun 14, 2012 2:34 UTC (Thu) by dowdle (subscriber, #659)

According to this page, RHEL is not affected:

https://archive.redhat.com/security/data/cve/CVE-2012-212...

RHEL not affected

Posted Jun 15, 2012 9:56 UTC (Fri) by mjcox@redhat.com (subscriber, #31775)

link above should be https://access.redhat.com/security/cve/CVE-2012-2122

(the archive.redhat.com links are invalid and should get removed soon)

MySQL flaw leaves some systems wide open

Posted Jun 14, 2012 3:13 UTC (Thu) by darnaut (subscriber, #62995)

This bug was caught because a test was failing occasionally. See https://mariadb.atlassian.net/browse/MDEV-212

MySQL flaw leaves some systems wide open

Posted Jun 14, 2012 11:12 UTC (Thu) by etienne (subscriber, #25256)

> In that case, memcmp() can return values outside the range of a signed character (-128 to 127)

The BSD manual page and the Linux manual page do differ on that point:
http://www.manpagez.com/man/3/memcmp
http://linux.die.net/man/3/memcmp

MySQL flaw leaves some systems wide open

Posted Jun 14, 2012 11:29 UTC (Thu) by scottt (subscriber, #5028)

POSIX is with Linux here. The BSD memcmp(3) page could use a portability warning.

MySQL flaw leaves some systems wide open

Posted Jun 15, 2012 1:48 UTC (Fri) by wahern (subscriber, #37304)

They both define the exact same behavior. But you have to know what "greater than" and "less than" means to fully understand the Linux man page. To know that you have to go to the C standard:

The sign of a nonzero value returned by the comparison functions memcmp, strcmp, and strncmp is determined by the sign of the difference between the values of the first pair of characters (both interpreted as unsigned char) that differ in the objects being compared. (C11 7.23.4, C99 7.21.4)

The BSD man page just incorporates that definition to make things crystal clear.

MySQL flaw leaves some systems wide open

Posted Jun 15, 2012 2:35 UTC (Fri) by zlynx (subscriber, #2285)

That definition does not match BSD's either.

"The sign of the nonzero value" is "determined by the sign of the difference"

That says nothing about how large the return value may be. It doesn't require that it be a signed char.

MySQL flaw leaves some systems wide open

Posted Jun 15, 2012 3:48 UTC (Fri) by wahern (subscriber, #37304)

Huh? The difference between any two unsigned chars has a range of -CHAR_MAX to CHAR_MAX, thus the int return type. (I suppose it could have been short, but there are many implementations where sizeof (char) and sizeof (short) are the same.) Describe to me how you could arrive at any other behavior from either the BSD or Linux man pages? You can't. They're equivalent definitions.

The fundamental issue is people not understanding (or at least not applying their knowledge of) implicit conversions in C, and I'm entirely unsurprised that MySQL ran afoul of the rules. I had to emulate the MySQL password code in an asynchronous client library several years ago. I took one look at MySQL's code and my head spun. It's classic I-know-enough-C-to-be-dangerous. I translated to paper the algorithm that it was attempting, poorly, to implement, and then promptly purged my mind of the actual code so it wouldn't infect my own implementation.

MySQL flaw leaves some systems wide open

Posted Jun 15, 2012 4:06 UTC (Fri) by wahern (subscriber, #37304)

Ignore me. I'm a doofus. I see that you're pointing out that the sign is copied, not the resultant value from the difference.

Now, anyone have any tips on turning time back so I can erase my comment? =)

MySQL flaw leaves some systems wide open

Posted Jun 15, 2012 9:06 UTC (Fri) by thoger (subscriber, #51049)

> Oracle released a MySQL update as part of its April critical patch update,
> but makes no mention of the problem (it does list six other CVEs
> addressed), so either it was silently fixed or is not present there.

April CPU predates release of 5.1.63 and 5.5.24 and covers fixes up to / in 5.1.62 and 5.5.22.

Copyright © 2012, Eklektix, Inc.