'Tragically comedic' flaw gives anyone root access to 900,000 Internet servers

No password? No problem for versions of MySQL and MariaDB that can't tell right passwords from wrong

A security flaw the discoverer described as "tragically comedic" exposes nearly 900,000 Internet-connected servers to attack by anyone who can come up with even one legitimate username and is willing to try logging in 256 times.

MySQL and MariaDB databases both assign an SHA-encrypted token to every user who logs in to the server so users only have to log in at the beginning of the session, not every time they send a request to the database.

Due to an error in the way they compare the token to an expected value, some editions of the database can't tell if the login is authentic or not They assume it is and allow the user access whether the password is correct or not, according to an alert posted Saturday by MariaDB Security Coordinator Sergei Golubchik.

MariaDB is an open-source clone of MySQL, which is also open-source but is owned by Oracle, which sells commercial versions of it and maintains the source code.

Because of the way the encryption protocol uses random strings to generate tokens, the error happens about one time in every 256 login attempts.

That's the kind of once-in-a-blue-moon problem that wouldn't be a huge problem except that MySQL and MariaDB are two of the most common applications running on web servers and other Internet-connected machines.

In most cases, trying to log in as 'root' will get you past the username requirement. Automating the login so you can run it quickly will keep you from getting bored while you wait for the mistake to pop up.

"~300 attempts takes only a fraction of a second, so basically account password protection is as good as non-existent," Golubchik wrote. " The following one-liner in bash will provide access to an affected MySQL server as the root user account, without actually knowing the password:

$ for i in `seq 1 1000`; do mysql -u root --password=bad -h 127.0.0.1 2>/dev/null; done

mysql>"

Most servers won't let users authenticate to the database in a process completely separate from authentication to the server itself, according to HD Moore, chief security officer for security vendor Rapid7, who publicized the flaw and solutions to it. In those cases the flaw still exists, but is moot because it is covered by the host's own security.

About 1.7 million MySQL and MariaDB servers that are exposed on the Internet and show the vulnerability. Of those, more than half (879,046)do not enforce host-based access controls that would compensate for the big security hole in their databases, Moore wrote.

Who is vulnerable? What can they do about it?

The vulnerability, identified as CVE-2012-2122 and was addressed in MySQL 5.1.63 and 5.5.25, which were released in May. The flaw was not widely identified, however, there is little information available and there was little publicity about the update, according to a story from the IDG News Service.

There has been no official patch because Oracle no longer supports version 4.0 of MySQL.

There is already at least one exploit available to take advantage of the flaw – a threaded brute-force module written by Jonathan Cran CTO of Pwnie Express, who also contributes to the open-source penetration-testing/hacking framework Metasploit.

There is also a sample application – contributed by Joshua Drake, a security researcher with Accuvant Labs, designed to identify machines that may be vulnerable.

The fix is pretty simple, too.

"The easiest thing to do is to modify the my.cnf file in order to restrict access to the local system," Moore wrote. "Open my.cnf with the editor of your choice, find the section labeled [mysqld] and change (or add a new line to set) the 'bind-address' parameter to '127.0.0.1'. Restart the MySQL service to apply this setting."

Here is Rapid7's list of vulnerable editions of MySQL and MariaDB on various Linux distributions:

Confirmed as vulnerable:

  • Ubuntu Linux 64-bit ( 10.04, 10.10, 11.04, 11.10, 12.04 ) ( via many including @michealc )
  • OpenSuSE 12.1 64-bit MySQL 5.5.23-log ( via @michealc )
  • Debian Unstable 64-bit 5.5.23-2 ( via @derickr )
  • Fedora ( via hexed  and confirmed by Red Hat )
  • Arch Linux (unspecified version)

Feedback so far indicates the following platforms are NOT vulnerable:

  • Official builds from MySQL and MariaDB (including Windows)
  • Red Hat Enterprise Linux 4, 5, and 6 (confirmed by Red Hat)
  • CentOS using official RHEL rpms
  • Ubuntu Linux 32-bit (10.04, 11.10, 12.04, likely all)
  • Debian Linux 6.0.3 64-bit (Version 14.14 Distrib 5.5.18)
  • Debian Linux lenny 32-bit 5.0.51a-24+lenny5 ( via @matthewbloch )
  • Debian Linux lenny 64-bit 5.0.51a-24+lenny5 ( via @matthewbloch )
  • Debian Linux lenny 64-bit 5.1.51-1-log ( via @matthewbloch )
  • Debian Linux squeeze 64-bit 5.1.49-3-log ( via @matthewbloch )
  • Debian Linux squeeze 32-bit 5.1.61-0+squeeze1 ( via @matthewbloch )
  • Debian Linux squeeze 64-bit 5.1.61-0+squeeze1 ( via @matthewbloch )
  • Gentoo 64-bit 5.1.62-r1 ( via @twit4c )
  • SuSE 9.3 i586 MySQL 4.1.10a ( via @twit4c )
  • OpenIndiana oi_151a4 5.1.37 ( via @TamberP )

  Most Linux vendors should have a patch out soon, if not already.

Read more of Kevin Fogarty's CoreIT blog and follow the latest IT news at ITworld. Follow Kevin on Twitter at @KevinFogarty. For the latest IT news, analysis and how-tos, follow ITworld on Twitter and Facebook.

From CIO: 8 Free Online Courses to Grow Your Tech Skills
Join the discussion
Be the first to comment on this article. Our Commenting Policies