[ISN] MySQL vulnerability allows attackers to bypass password verification

From: InfoSec News <alerts_at_private>
Date: Tue, 12 Jun 2012 03:35:09 -0500 (CDT)
https://www.computerworld.com/s/article/9227965/MySQL_vulnerability_allows_attackers_to_bypass_password_verification

By Lucian Constantin
IDG News Service
June 11, 2012

Security researchers have released details about a vulnerability in the 
MySQL server that could allow potential attackers to access MySQL 
databases without inputting proper authentication credentials.

The vulnerability is identified as CVE-2012-2122 and was addressed in 
MySQL 5.1.63 and 5.5.25 in May. However, many server administrators 
might not be aware of its impact, because the changelog for those 
versions contained very little information about the security bug.

The vulnerability can only be exploited if MySQL was built on a system 
where the memcmp() function can return values outside the -128 to 127 
range. This is the case for Linux systems that use an SSE-optimized 
glibc (GNU C library).

If MySQL was built on such a system, the code that compares the 
cryptographic hash of a user-inputted password to the hash stored in the 
database for a particular account will sometimes allow authentication 
even if the supplied password is incorrect.

[...]


--
Certified Ethical Hacker, ISSMP, ISSAP, CISSP training
with Expanding Security gives the best training and support.
Get a free live class invite weekly. Best programs, best prices.
http://www.ExpandingSecurity.com/PainPill
Received on Tue Jun 12 2012 - 01:35:09 PDT

This archive was generated by hypermail 2.2.0 : Tue Jun 12 2012 - 01:28:15 PDT