J-Security Center

Title: MySQL Unauthenticated Remote Access Vulnerability

Severity: MODERATE

Description:

A vulnerability exists in the password verification scheme used by MySQL. It allows any user on a host that has been granted access to connect to the server to authenticate as any account on that server: instead of having to know both an account name and its password, the attacker need only know a legitimate account name. Versions 3.22.26a and above are all vulnerable. Prior versions may also be vulnerable; this has not been confirmed.

The flaw lies in the fact that the server uses a string returned by the client to drive the comparison loop, without verifying that the string is of the expected length:

  while (*scrambled)                             /* client-supplied string controls the loop */
  {
    if (*scrambled++ != (char) (*to++ ^ extra))  /* to: scramble the server expects back */
      return 1; /* Wrong password */
  }

scrambled is the string returned by the client. If a client returns a single character as the value of scrambled, only one byte of the expected value is compared. As long as that one character matches, MySQL authenticates the user and grants access to the database. According to the details provided by the poster of this vulnerability, finding a matching byte takes at most 32 tries.
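The C program below is an added example, not code from this advisory or from MySQL. It reproduces the quoted loop as check_scramble_vulnerable, places a server-length-checked, constant-time variant beside it (this example's own fix, not MySQL's actual patch), and runs the one-character brute force the description above implies. The eight-byte expected scramble "BPZFA^KX", the extra value 5 and the scramble length of 8 are constructed for the example; the assumption that each server scramble byte lies in 64..94 and extra in 0..30 (giving the 32 candidates mentioned above) is this example's, not a statement on the page.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Number of scramble bytes the server expects back from the client.
   Assumed for this example; the advisory does not state it. */
#define SCRAMBLE_LEN 8

/* Constructed test fixture: the scramble the server computed for this
   connection (bytes 66,80,90,70,65,94,75,88, all within 64..94) and the
   'extra' value it XORs in. Neither comes from a real MySQL session. */
static const char kExpected[SCRAMBLE_LEN + 1] = "BPZFA^KX";
static const char kExtra = 5;

/* Vulnerable comparison, mirroring the loop quoted in the advisory: the
   client's string controls how many bytes are compared. A one-byte
   'scrambled' compares one byte; an empty one compares nothing.
   Returns 0 for "password accepted", 1 for "wrong password". */
static int check_scramble_vulnerable(const char *scrambled,
                                     const char *expected, char extra)
{
    const char *to = expected;
    while (*scrambled) {
        if (*scrambled++ != (char)(*to++ ^ extra))
            return 1; /* Wrong password */
    }
    return 0;
}

/* Hardened variant (this example's own, not MySQL's actual patch): the
   server fixes the number of bytes that must match, rejects any other
   length, and compares without an early exit so timing reveals nothing. */
static int check_scramble_fixed(const char *scrambled,
                                const char *expected, char extra)
{
    unsigned char diff = 0;
    size_t i;

    if (strlen(scrambled) != SCRAMBLE_LEN)
        return 1;
    for (i = 0; i < SCRAMBLE_LEN; i++)
        diff |= (unsigned char)scrambled[i] ^
                (unsigned char)(expected[i] ^ extra);
    return diff != 0;
}

/* Attack against the vulnerable check: send one-character strings until
   the server accepts one. Scramble bytes are assumed to be 64..94 and
   'extra' 0..30, so the XORed byte lies in 64..95 (32 candidates).
   Returns the number of attempts needed, or -1 if none was accepted;
   stores the accepted byte in *found when found is non-NULL. */
static int guess_first_byte(const char *expected, char extra, char *found)
{
    char probe[2] = {0, 0};
    int c, tries = 0;

    for (c = 64; c < 96; c++) {
        probe[0] = (char)c;
        tries++;
        if (check_scramble_vulnerable(probe, expected, extra) == 0) {
            if (found)
                *found = probe[0];
            return tries;
        }
    }
    return -1;
}

int main(void)
{
    char found = 0;
    int tries = guess_first_byte(kExpected, kExtra, &found);
    char probe[2] = {found, 0};

    printf("vulnerable check accepted byte 0x%02x after %d tries\n",
           (unsigned char)found, tries);
    printf("fixed check on the same one-byte string: %s\n",
           check_scramble_fixed(probe, kExpected, kExtra) ? "rejected"
                                                            : "accepted");
    return 0;
}
```

With the constructed fixture the vulnerable check accepts the one-byte string "G" on the eighth attempt, while the hardened check rejects it because the client did not return all SCRAMBLE_LEN bytes. The essential change is that the server, not the client, decides how many bytes are compared; the constant-time OR-accumulate is a separate hardening against leaking the position of the first mismatch.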

Affected Products:

  • MySQL AB MySQL 3.22.26
  • MySQL AB MySQL 3.22.27
  • MySQL AB MySQL 3.22.29
  • MySQL AB MySQL 3.22.30
  • MySQL AB MySQL 3.23.8
  • MySQL AB MySQL 3.23.9
  • MySQL AB MySQL 3.23.10
