Here is the list of affected versions, along with patches

Jun 11, 2012 08:48 GMT

Experts have revealed a serious vulnerability in MySQL and MariaDB that could allow an attacker to connect to a server with an incorrect password simply by “repeating connection attempts.”

According to Sergei Golubchik, security coordinator at MariaDB, the flaw doesn’t affect official vendor binaries, but it does expose the customers of MariaDB and MySQL who use versions such as 5.1.61, 5.2.11, 5.3.5, 5.5.22 and prior.

The systems that have so far been confirmed as being vulnerable include some versions of Ubuntu Linux 64-bit, Arch Linux, OpenSuSE 12.1 64-bit, and Fedora 16 64-bit.

So what causes the bug?

“When a user connects to MariaDB/MySQL, a token (SHA over a password and a random scramble string) is calculated and compared with the expected value. Because of incorrect casting, it might've happened that the token and the expected value were considered equal, even if the memcmp() returned a non-zero value,” Golubchik explained.

“In this case MySQL/MariaDB would think that the password is correct, even while it is not. Because the protocol uses random strings, the probability of hitting this bug is about 1/256.”

This allows an attacker who knows a valid username (including “root”) to bypass authentication even while supplying a wrong password.
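The casting defect Golubchik describes is easy to reproduce in isolation. The following C program is an added example written for this article, not code from the MySQL or MariaDB source tree: word_memcmp is a constructed stand-in for an optimized memcmp() whose non-zero return values are not confined to -1/0/1, SHA1_HASH_SIZE and my_bool mirror the types mentioned in the advisory, and the two check_scramble_* functions are this example's own names for the vulnerable and corrected comparison pattern. The count_false_accepts helper feeds both checks every wrong value of one token byte and reports how many of those wrong tokens each check wrongly treats as a match.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define SHA1_HASH_SIZE 20      /* length of the compared token (SHA-1 digest) */
typedef char my_bool;          /* MySQL's my_bool is a plain char */

/* Constructed stand-in for an optimized memcmp(): compares four bytes at a
   time and returns the numeric difference of the first mismatching words.
   The result is non-zero on any mismatch, but its low 8 bits may be zero.
   This is NOT a real libc implementation; it only models the property the
   advisory relies on (a non-zero return that is not limited to -1/0/1). */
static int word_memcmp(const unsigned char *x, const unsigned char *y, size_t n)
{
    size_t i = 0;
    for (; i + 4 <= n; i += 4) {
        uint32_t wa = (uint32_t)x[i] | (uint32_t)x[i + 1] << 8 |
                      (uint32_t)x[i + 2] << 16 | (uint32_t)x[i + 3] << 24;
        uint32_t wb = (uint32_t)y[i] | (uint32_t)y[i + 1] << 8 |
                      (uint32_t)y[i + 2] << 16 | (uint32_t)y[i + 3] << 24;
        if (wa != wb)
            return (int)(wa - wb);   /* non-zero, but possibly a multiple of 256 */
    }
    for (; i < n; i++)
        if (x[i] != y[i])
            return (int)x[i] - (int)y[i];
    return 0;
}

/* Vulnerable pattern: the int result of the comparison is returned through a
   char-sized my_bool. On the usual two's-complement ABI the conversion keeps
   only the low byte, so a mismatch reported as e.g. -256 becomes 0 ("equal"). */
my_bool check_scramble_vulnerable(const unsigned char *expected,
                                  const unsigned char *computed)
{
    return word_memcmp(expected, computed, SHA1_HASH_SIZE);
}

/* Corrected pattern: normalize the comparison to 0/1 before it is narrowed,
   so any non-zero memcmp result is preserved as "not equal". */
my_bool check_scramble_fixed(const unsigned char *expected,
                             const unsigned char *computed)
{
    return word_memcmp(expected, computed, SHA1_HASH_SIZE) != 0;
}

/* Run `check` against every wrong value of the token byte at `pos`
   (255 incorrect tokens) and return how many it accepts (returns 0 for).
   A correct check must return 0 here. The token value is constructed. */
int count_false_accepts(my_bool (*check)(const unsigned char *, const unsigned char *),
                        size_t pos)
{
    unsigned char expected[SHA1_HASH_SIZE];
    unsigned char computed[SHA1_HASH_SIZE];
    int accepted = 0;
    memset(expected, 0x5a, sizeof expected);   /* constructed token value */
    for (int v = 0; v < 256; v++) {
        if (v == 0x5a)
            continue;                          /* that is the correct byte */
        memcpy(computed, expected, sizeof computed);
        computed[pos] = (unsigned char)v;
        if (check(expected, computed) == 0)
            accepted++;
    }
    return accepted;
}

int main(void)
{
    printf("vulnerable: %d of 255 wrong tokens accepted (byte 1 differs)\n",
           count_false_accepts(check_scramble_vulnerable, 1));
    printf("fixed:      %d of 255 wrong tokens accepted (byte 1 differs)\n",
           count_false_accepts(check_scramble_fixed, 1));
    return 0;
}
```

With this model every mismatch confined to byte 1 is reported as a multiple of 256, which the char-sized return value truncates to 0, so the vulnerable check accepts all 255 wrong tokens while the corrected check rejects every one. A mismatch in byte 0 survives truncation and is caught by both. The point for a reviewer is that whether the wrong password was detected depended on where the difference happened to land, which is exactly the per-attempt chance the advisory quotes, and the fix is to never let a comparison result pass through a narrower type without first reducing it to a boolean.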

According to HD Moore of Metasploit, the best way in which administrators can defend themselves against such flaws is by not exposing the MySQL server to the network, unless it’s necessary.

The vulnerability has been assigned the CVE-2012-2122 id and patches have been released to mitigate the risks. They are available here (for MariaDB) and here (for MySQL).

If you want to verify if your installation is affected by the security hole, you can use a simple application developed by Joshua Drake from Accuvant Labs.