Security vulnerability in MySQL/MariaDB sql/password.c
Description
A critical authentication bypass exists in MySQL (versions before 5.1.63, 5.5.24 and 5.6.6) and MariaDB (versions before 5.1.62, 5.2.12, 5.3.6 and 5.5.23) in the password check in sql/password.c. During login the server derives a value from the client's reply and the random challenge it sent, and compares that value with the stored password hash using memcmp(). The bug is a type narrowing: check_scramble() returns the int result of memcmp() through a my_bool return type, which is a char, so only the low byte of the result survives. Any non-zero memcmp() result that is a multiple of 256 is therefore reported as 0, which the caller treats as a match. Whether this is reachable depends on the C library the server is linked against: a memcmp() that only ever returns -1, 0 or 1 is harmless, but optimised implementations that return the actual difference of the compared data (as some SSE-optimised glibc builds on 64-bit Linux do) return values outside -128..127, and servers built against them are exploitable. Because the challenge is random on every connection, each attempt with a wrong password has roughly a 1 in 256 chance of being accepted, regardless of the password supplied. An attacker who knows a valid username (for example root) therefore needs on average about 256 attempts, in practice a few hundred connections, which takes only seconds.
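To make the type narrowing concrete, the following is an added example, not code from MySQL or MariaDB: a constructed stand-in for an optimised memcmp() (wide_memcmp, which compares 16-bit words and returns their difference) placed beside the vulnerable and the fixed shapes of the comparison. The sample hashes and the helper names are constructed for this illustration; my_bool and check_scramble follow the names used in the affected source, and 0 means "password accepted" as it does there.

```c
#include <stddef.h>
#include <stdio.h>

#define SHA1_HASH_SIZE 20

/* In the affected MySQL/MariaDB headers my_bool is a plain char. */
typedef char my_bool;

/* Constructed stand-in for an optimized C-library memcmp (this is not
 * glibc's code): it compares two bytes at a time and returns the
 * difference of the first mismatching 16-bit words, so the result is
 * not limited to -1/0/1 and can fall outside -128..127. */
static int wide_memcmp(const unsigned char *a, const unsigned char *b, size_t n)
{
    for (size_t i = 0; i + 1 < n; i += 2) {
        int wa = (a[i] << 8) | a[i + 1];
        int wb = (b[i] << 8) | b[i + 1];
        if (wa != wb)
            return wa - wb;
    }
    if (n & 1)
        return (int)a[n - 1] - (int)b[n - 1];
    return 0;
}

/* Vulnerable shape of check_scramble(): the int from memcmp is returned
 * through a my_bool (char). The narrowing keeps only the low byte, so a
 * non-zero result that is a multiple of 256 comes back as 0 ("match").
 * Convention as in MySQL: 0 = password accepted, non-zero = rejected. */
static my_bool check_scramble_vulnerable(const unsigned char *expected,
                                         const unsigned char *computed)
{
    return (my_bool) wide_memcmp(expected, computed, SHA1_HASH_SIZE);
}

/* Fixed shape: collapse the int to 0/1 before it is narrowed. */
static my_bool check_scramble_fixed(const unsigned char *expected,
                                    const unsigned char *computed)
{
    return wide_memcmp(expected, computed, SHA1_HASH_SIZE) != 0;
}

/* How many non-zero memcmp results in [lo, hi] does the narrowing to
 * my_bool turn into a false "match"? Every 256th value does, which is
 * where the 1-in-256 figure comes from. */
static int false_matches_in_range(int lo, int hi)
{
    int count = 0;
    for (int r = lo; r <= hi; r++)
        if (r != 0 && (my_bool) r == 0)
            count++;
    return count;
}

/* Constructed sample data: a stage-2 hash and a wrong candidate that
 * differs only in byte 0 (0x41 vs 0x42), for which wide_memcmp returns
 * exactly -256. */
static const unsigned char expected_hash[SHA1_HASH_SIZE] = {
    0x41, 0x5a, 0x9c, 0x1e, 0x77, 0x03, 0xd4, 0x88, 0x2b, 0xf0,
    0x6e, 0xc9, 0x15, 0xaa, 0x3f, 0x60, 0xb7, 0x02, 0x8d, 0xe1 };
static const unsigned char wrong_hash[SHA1_HASH_SIZE] = {
    0x42, 0x5a, 0x9c, 0x1e, 0x77, 0x03, 0xd4, 0x88, 0x2b, 0xf0,
    0x6e, 0xc9, 0x15, 0xaa, 0x3f, 0x60, 0xb7, 0x02, 0x8d, 0xe1 };

int main(void)
{
    printf("memcmp result for the wrong hash: %d\n",
           wide_memcmp(expected_hash, wrong_hash, SHA1_HASH_SIZE));
    printf("vulnerable check: %s\n",
           check_scramble_vulnerable(expected_hash, wrong_hash) ? "rejected" : "ACCEPTED");
    printf("fixed check:      %s\n",
           check_scramble_fixed(expected_hash, wrong_hash) ? "rejected" : "ACCEPTED");
    printf("results in 1..65535 that narrow to 0: %d\n",
           false_matches_in_range(1, 65535));
    return 0;
}
```

With a memcmp() that returns only -1, 0 or 1 both shapes behave identically, which is why many builds were never exploitable; the fix is still the right one because the return contract of memcmp() only guarantees the sign, not the magnitude.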
Remediation
Immediately upgrade to a patched version of MySQL or MariaDB to remediate this vulnerability:
For MySQL installations:
- Upgrade to MySQL 5.1.63 or later for the 5.1 series
- Upgrade to MySQL 5.5.24 or later for the 5.5 series
- Upgrade to MySQL 5.6.6 or later for the 5.6 series
For MariaDB installations:
- Upgrade to MariaDB 5.1.62 or later for the 5.1 series
- Upgrade to MariaDB 5.2.12 or later for the 5.2 series
- Upgrade to MariaDB 5.3.6 or later for the 5.3 series
- Upgrade to MariaDB 5.5.23 or later for the 5.5 series
Interim mitigation measures (if immediate patching is not possible):
- Implement network-level access controls to restrict database connections to trusted IP addresses only
- Monitor authentication logs for bursts of failed logins for one account from one source followed by a success; on these versions the server writes "Access denied" entries to the error log only when log_warnings is greater than 1, so raise it before relying on this
- Use firewall rules or TCP wrappers to limit database server exposure
- Consider temporarily disabling remote database access if not required for operations
After upgrading, confirm that the running server reports a fixed version (SELECT VERSION() from a client; MariaDB builds include "MariaDB" in the string) and restart it if the package was upgraded in place. Distributions sometimes backport the fix without changing the upstream version number, so also check your vendor's advisory for the exact package release that carries it.
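As an added example (not part of the original advisory or of either project), the check below classifies a VERSION() string against the fixed-release lists above. It assumes MariaDB servers identify themselves with "MariaDB" in the version string (for example "5.5.23-MariaDB") and treats any series newer than those listed as fixed, since those branched after the fix; a series older than the lists (such as 5.0) is reported as unknown rather than safe.

```c
#include <stdio.h>
#include <string.h>

/* First fixed release of each affected series, from the lists above. */
struct fixed_release { const char *product; int major, minor, patch; };

static const struct fixed_release fixed_releases[] = {
    { "MySQL",   5, 1, 63 },
    { "MySQL",   5, 5, 24 },
    { "MySQL",   5, 6,  6 },
    { "MariaDB", 5, 1, 62 },
    { "MariaDB", 5, 2, 12 },
    { "MariaDB", 5, 3,  6 },
    { "MariaDB", 5, 5, 23 },
};

/* Classify the string returned by SELECT VERSION().
 * Returns 1 if the server is at or past the first fixed release of its
 * series (or on a series newer than any listed, which branched after the
 * fix), 0 if it is an affected release, and -1 if the string does not
 * parse or the series is older than those listed (e.g. 5.0), which should
 * be treated as "unknown", not as safe.
 * Assumption: MariaDB servers include "MariaDB" in the version string
 * (e.g. "5.5.23-MariaDB"); anything else is treated as MySQL. */
static int version_is_patched(const char *version_string)
{
    int major, minor, patch;
    if (sscanf(version_string, "%d.%d.%d", &major, &minor, &patch) != 3)
        return -1;
    const char *product = strstr(version_string, "MariaDB") ? "MariaDB" : "MySQL";

    int newest_major = -1, newest_minor = -1;
    for (size_t i = 0; i < sizeof fixed_releases / sizeof fixed_releases[0]; i++) {
        const struct fixed_release *f = &fixed_releases[i];
        if (strcmp(f->product, product) != 0)
            continue;
        if (f->major == major && f->minor == minor)
            return patch >= f->patch;
        if (f->major > newest_major ||
            (f->major == newest_major && f->minor > newest_minor)) {
            newest_major = f->major;
            newest_minor = f->minor;
        }
    }
    /* A series newer than every listed one for this product branched after the fix. */
    if (major > newest_major || (major == newest_major && minor > newest_minor))
        return 1;
    return -1;
}

int main(int argc, char **argv)
{
    /* Default input is a constructed sample; pass the real VERSION() string as argv[1]. */
    const char *v = argc > 1 ? argv[1] : "5.5.23-log";
    int r = version_is_patched(v);
    printf("%s: %s\n", v, r == 1 ? "patched" : r == 0 ? "AFFECTED" : "unknown series");
    return r == 1 ? 0 : 1;
}
```

Feed it the output of `mysql -N -e 'SELECT VERSION()'` on each host; the exit status makes it usable from a fleet-wide script. Remember that a version string proves which package is installed, not that the package was restarted, and that a backported distribution fix will still show the old upstream number.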