MySQL contains a flaw that is triggered when a users connects to MySQL and a randomly generated token is calculated and then compared with an expected value. Due to a failure in casting it is possible that the values are seen as equal even if the memcmp() function returns a zero value. This will tell the program that the password is correct, when it is not. Due to the protocol generating random strings this may allow an attacker to bypass password authentication with a ~ 1/256 odds.

Upgrade to version 5.1.63, 5.5.24, 5.6.6 or higher, as it has been reported to fix this vulnerability. An upgrade is required as there are no known workarounds.

• Security Tracker: 1027143
• Exploit Database: 19092
• CVE ID: 2012-2122 (see also: NVD)
• Secunia Advisory ID: 49409 49417 49485 49490 49847 50229
• Bugtraq ID: 53911
• Metasploit ID: 82804
• Related OSVDB ID: 82823
• Vendor Specific Solution URL: http://bazaar.launchpad.net/~mysql/mysql-server/5.1/revision/3560.10.17
• Vendor Specific Advisory URL: http://bugs.mysql.com/bug.php?id=59387
  https://mariadb.atlassian.net/browse/MDEV-212
• Vendor Specific News/Changelog Entry: http://bugs.mysql.com/bug.php?id=64884
  http://dev.mysql.com/doc/refman/5.1/en/news-5-1-63.html
  http://dev.mysql.com/doc/refman/5.5/en/news-5-5-24.html
  http://kb.askmonty.org/en/mariadb-5162-release-notes/
  http://lists.opensuse.org/opensuse-security-announce/2012-08/msg00007.html
  http://lists.opensuse.org/opensuse-updates/2012-07/msg00021.html
  http://www.debian.org/security/2012/dsa-2496
  http://www.ubuntu.com/usn/usn-1467-1/
• Packet Storm: http://packetstormsecurity.org/files/113550/MySQL-Remote-Root-Authentication-Bypass.html
• Generic Exploit URL: http://pastie.org/private/903voijkkz8nmde3yqj4rw
• Mail List Post: http://seclists.org/oss-sec/2012/q2/493
• News Article: https://www.computerworld.com/s/article/9227965/MySQL_vulnerability_allows_attackers_to_bypass_password_verification

• Not Available