Recently, security researcher Sergei Golubchik reported a security issue in MySQL in which an attacker could log in to a MySQL database using literally any password. With this entry, I would like to take some time to explain the issue to our customers. The problem is serious in affected systems – but the exposure surface is not very large.
First things first: to exploit the vulnerability, all you need to know is a valid user name on the target MySQL database. The user name root would be available in most cases but it can be any user. Once you have that, a one-liner shell script can try repeated login attempts for you. Within seconds, you will be through with the welcome message from MySQL server and it will be waiting to accept your commands. The metasploit module dumps the password hashes and one can crack all the passwords after stealing the hash.
The root cause of the vulnerability is that when a hash calculated on the user supplied credentials is checked against the actual hash. While comparing the hashes using memcmp, it is assumed that the return value would be -1, 0 or 1. But this changes if gcc, a popular C language compiler, uses SSE optimization which improves standard compiler. Without the optimization, the function memcmp would return only -1, 0 or 1. By using the SSE optimization, however, the generated return values can be higher than 1. But since the return value is collected in a bool (a char variable actually), only the last byte is collected. If that value turns out to be 0, the authentication would go through.
Vulnerability Limited to Linux Systems
Fortunately, only a small subset of MySQL versions is vulnerable. Note that the official MySQL builds are not affected. The exposure is limited to systems running on Linux, which have their glibc optimized with SSE. If you are running MySQL on Windows, there’s no need to worry at all. Red Hat Enterprise Linux (RHEL) has officially confirmed that they are not vulnerable. For reference, a list of affected and non-affected platforms is available on HD Moore’s blog.
Although this exploit is limited to specific platforms, we recommend that users should regularly update their servers and observe best computing practices. The server should allow connections only from localhost or specific IPs, which really need to communicate to the server. These can be changed in the MySQL settings.
Trend Micro customers using Deep Security should apply the update 12-015 and apply the following two rules to detect and prevent the possible use of this technique to attack your server.
- 1005045 – MySQL Database Server Possible Login Brute Force Attempt
- 1005063 – Restrict MySQL Database Access