For all their faults, passwords are the dominant means of authentication
used by computers and applications today. That makes it a little
disconcerting to see reports of various longstanding bugs in password
handling recently. Obviously it's good that they are being fixed, but
it does make one wonder about how much testing we are doing of this
critical link in authentication.
Most of the recent password problems (e.g. the multi-package Crypt-DES vulnerability) don't rise to the
level of the MySQL/MariaDB flaw
reported on June 9, however. Due to an incorrect cast of the return value from
memcmp(), the wrong password will be accepted for an existing
account with a probability of 1/256. That means that with a fairly small
tries, an attacker can gain access to a MySQL database server if
they know a valid account name (and "root" almost always exists).
While the problem is serious, it is not as bad as it might at first
appear. First, it only affects MySQL and MariaDB packages that have been
built in a
certain way, specifically with GCC using the SSE (Streaming
SIMD Extensions) optimization. In that case, memcmp() can
return values outside the range of a signed character (-128 to 127) and the
MySQL code will sometimes treat that as a password match—even if it isn't.
The return value from memcmp() is cast to a char, so if the value
has a low-order zero byte (which happens 1/256
of the time), it is seen as a match. While it is the SSE optimization that
the flaw, assuming that memcmp() will always return values in that
range is clearly a bug.
Based on the report and an analysis
by HD Moore, it would seem that it is only some Linux distributions
that are affected. The official builds from the projects are not
vulnerable, and only certain (mostly 64-bit) distributions are vulnerable
(Ubuntu, openSUSE, Debian unstable, Fedora, and Arch Linux, according to
Any affected MySQL server is locally exploitable, but the server must be
listening on an external interface for it to be remotely exploitable.
Moore did a survey of exposed servers to try to determine the impact of the
problem. Without actually trying to log in, it is difficult to get a full
accounting, but it is clear that there are at least tens of thousands of
affected systems out there listening on the internet.
Sergei Golubchik discovered the bug in MariaDB on
April 4 and reported
it to MySQL on April 6. It was
in MariaDB on April 4, and MySQL followed
suit right after the report.
a MySQL update as part of its April critical patch update, but makes no
mention of the problem (it does list six other CVEs addressed), so either
it was silently fixed or is not present there. The release
notes for MySQL 5.5.24 and 5.1.63
do mention a security fix for bug 64884, but the
bug was presumably
still private at that point. MariaDB released several versions on April 6
with the fix as shown in its bug report.
Given that the code was fixed in various public repositories and released
much earlier, it is unclear why the details were withheld until recently.
seem that the Linux distributions—those most affected by the
bug—did not release updates in the interim. As of
this writing, only
Ubuntu has released a security update for
the problem. That's a little
puzzling as Red Hat was clearly aware of the problem and requested a CVE on
April 20, though RHEL is believed to be unaffected. Fedora and other
distribution updates seem like
they should be coming soon.
While the PostgreSQL/PHP/BSD Crypt-DES flaw only affected users who chose
to use a particular authentication scheme, this MySQL flaw is more
wide-ranging. In both cases, though, some amount of password fuzz testing
would have spotted the problems in short order. It would seem that kind of
testing isn't being done with any frequency in some of our communities,
lead to rather serious bugs that aren't detected for long periods of
One guesses that "everyone" thinks the password handling code has been
shaken out since it is such an important part of the authentication path,
but these bugs show that isn't always the case. This problem has existed
in MySQL going back to at least 5.1 (which was released in beta in 2005)
and the Crypt-DES flaw goes back further than that. It is certainly not
just database systems that are affected by these kinds of flaws, one hopes
that other applications and systems that use passwords are either already
fuzz testing or will be doing so soon.
to post comments)