MySQL and MariaDB database servers are vulnerable to a brute-force attack that can reveal admin-level passwords in just seconds. The vulnerability stems from a flaw relating to how the databases verify password hashes.
Due to the flaw, there's a chance that MySQL/MariaDB would think that the password is correct even while it is not, and then accept any password, according to Sergei Golubchi, security coordinator for MariaDB, in a security advisory posted to the oss-sec mailing list. The post continued, "Because the protocol uses random strings, the probability of hitting this bug is about [one in] 256."
[ Should the Obama administration have confirmed its role in Stuxnet? Read more at Was U.S. Government's Stuxnet Brag A Mistake? ]
As a result, if an attacker knows a username, bypassing the password-checking mechanism would require--at most--just seconds. "If one knows a user name to connect (and "root" almost always exists), she can connect using *any* password by repeating connection attempts. [Around] 300 attempts takes only a fraction of second, so basically account password protection is as good as nonexistent," said Golubchi.
Both MySQL and MariaDB are two of the most popular and widely used database platforms, not least because they're free.
Thankfully, however, just because the vulnerable code is contained in a database that uses MySQL or MariaDB code doesn't necessarily mean the database is at risk. "Although a wide range of MySQL and MariaDB versions use the vulnerable code, only some of these systems are exploitable," said Metasploit founder, developer, and researcher H.D. Moore, in a blog post that includes workarounds for mitigating the vulnerability in exploitable systems.
To date, Moore said, researchers have found that the following implementations are vulnerable to the exploit: Ubuntu Linux 64-bit (versions 10.04, 10.10, 11.04, 11.10, 12.04), OpenSuSE 12.1 64-bit MySQL 5.5.23-log, Debian Unstable 64-bit 5.5.23-2, Fedora, and Arch Linux (versions not known). Notably, however, official builds from MySQL and MariaDB can't be exploited, and Moore said Red Hat confirmed that the vulnerability can't be exploited in Red Hat Enterprise Linux 4, 5, and 6.
Oracle, which develops MySQL, has patched the related flaw via its April 2012 critical patch update, while both MySQL and MariaDB have issued their own patches.
How widespread is the vulnerability? Based on Moore's personal research, there are "approximately 1.74 million MySQL servers across the Internet [which are] at large," he said, and about 50% of them--869,000 databases--are vulnerable to the exploit.
"This statistic includes only MySQL instances that were on hosts publicly exposed to the Internet and not bound to localhost," Moore explained. Binding the database server to localhost means that it can't be accessed remotely, which thus helps mitigate the attack. Likewise, putting access controls in place can block unapproved access from the Internet, which also mitigates the vulnerability.
Since vulnerable systems are easy to exploit, and many such systems likely won't be patched for some time, expect attackers to quickly begin targeting this vulnerability. "If you are approaching this issue from the perspective of a penetration tester, this will be one of the most useful MySQL tricks for some time to come," said Moore.
For example, he said, if a penetration tester knows the username and password for a database, then he can access it using the attack to dump the table to a local file. "This can be easily cracked using a tool like John the Ripper, providing clear-text passwords that may provide further access," said Moore.
Moore also noted that a related exploit module for the free Metasploit penetration testing tool that targets the MySQL and MariaDB vulnerability has already been developed and released.
More than 900 IT and security professionals responded to InformationWeek’s 2012 Strategic Security Survey. Our results cover a variety of areas critical to information risk management, including cloud, mobility, and software development. Download the 2012 Strategic Security report now. (Free registration required.)