When the latest release of MariaDB was announced in April by MontyProgram AB founder and MySQL creator Michael "Monty" Widenius, it came with a warning from Widenius that a severe security bug had been discovered in previous versions of both MariaDB and MySQL. Oracle subsequently released a patch for MySQL. Now the details of the flaw, and the extent of the vulnerability, have been revealed: it could allow anyone who knows a valid user account on the database to log in by submitting an arbitrary wrong password over and over until the flawed comparison happens to accept it.

The affected versions of both databases have a flaw in their authentication system caused by a variation in how the memcmp() function, which compares two blocks of memory to see whether they are equal, is implemented in the C library shipped with some Linux builds. When a user connects to the database and submits a password, the server's authentication code derives a token from the submitted password using the SHA-1 hash and a random string (the "scramble") that the server sends to the client at the start of the connection. The resulting token is compared, using memcmp(), with the value the server computes from the stored password hash. memcmp() returns zero if the two values are identical; if they differ, it is only required to return some positive or negative integer, and an optimized implementation may return one that does not fit in a single byte. A return of zero means the password is correct.

But in the affected versions of MariaDB and MySQL, as MontyProgram's Sergei Golubchik wrote in a list posting on June 9, the database can be fooled into accepting a password even if it doesn't match. "Because of incorrect [type] casting [in the code]," he wrote, "it might've happened that the token and the expected value were considered equal, even if the memcmp() returned a non-zero value. In this case, MySQL/MariaDB would think that the password is correct even while it is not."

Because the scramble is freshly generated for every connection, the value memcmp() returns varies from attempt to attempt, and Golubchik said the probability of exploiting the flaw on any given attempt "is about 1/256"; with enough attempts, even using the same wrong password over and over again, an attacker can gain access just by knowing a valid account name (such as "root"). Since a client can submit hundreds of login attempts in under a second, the hole essentially renders password protection worthless on an affected server, provided the attacker can reach the database over the network and the account is permitted to log in from the attacker's host.
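The following C program is an added illustration of the mechanism described in the preceding paragraphs; it is not MySQL's or MariaDB's own code. It models an optimized memcmp() whose non-zero result can exceed one byte (the model compares 4-byte words and returns their full difference; real C libraries differ, and only the "result may not fit in a byte" property is being reproduced), shows how returning that int through a one-byte my_bool silently turns 256 into 0, shows the hardened form that normalises the result to 0 or 1 first, and then simulates an attacker repeating the same wrong guess against fresh random scrambles to see how often each check accepts it. The token and scramble bytes are constructed inline.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

#define SCRAMBLE_LENGTH 20      /* size of a SHA-1 digest, as in MySQL native auth */
typedef char my_bool;           /* MySQL's one-byte boolean; memcmp's int gets narrowed to it */

/* Constructed model of an optimised, word-at-a-time memcmp: it compares
 * 4-byte little-endian words and returns their full 32-bit difference.
 * This is not glibc's code; it only reproduces the property that matters,
 * namely that a non-zero result need not fit in a single byte. */
static int model_memcmp(const void *a, const void *b, size_t n)
{
    const unsigned char *pa = (const unsigned char *)a;
    const unsigned char *pb = (const unsigned char *)b;
    size_t i = 0;
    for (; i + 4 <= n; i += 4) {
        uint32_t wa = (uint32_t)pa[i] | (uint32_t)pa[i + 1] << 8 |
                      (uint32_t)pa[i + 2] << 16 | (uint32_t)pa[i + 3] << 24;
        uint32_t wb = (uint32_t)pb[i] | (uint32_t)pb[i + 1] << 8 |
                      (uint32_t)pb[i + 2] << 16 | (uint32_t)pb[i + 3] << 24;
        if (wa != wb)
            return (int)(wa - wb);       /* may be 256, -256, 65536, ... */
    }
    for (; i < n; i++)                   /* byte-wise tail for lengths not a multiple of 4 */
        if (pa[i] != pb[i])
            return (int)pa[i] - (int)pb[i];
    return 0;
}

/* Shape of the flawed check: the int from memcmp is implicitly narrowed to
 * my_bool on return, keeping only the low byte. 256 becomes 0, i.e. "match". */
static my_bool check_scramble_vulnerable(const unsigned char *token,
                                         const unsigned char *expected)
{
    return model_memcmp(token, expected, SCRAMBLE_LENGTH);
}

/* Hardened form: collapse the result to 0/1 before the narrowing can lose bits. */
static my_bool check_scramble_fixed(const unsigned char *token,
                                    const unsigned char *expected)
{
    return model_memcmp(token, expected, SCRAMBLE_LENGTH) != 0;
}

/* Constructed token/expected pair differing only in byte 1: the model memcmp
 * returns 256, which the vulnerable check truncates to 0. */
static void build_demo_pair(unsigned char *token, unsigned char *expected)
{
    for (int i = 0; i < SCRAMBLE_LENGTH; i++)
        token[i] = expected[i] = (unsigned char)(0x11 * i);
    token[1] = (unsigned char)(expected[1] + 1);
}

int demo_vulnerable_accepts(void)   /* 1 if the wrong token is accepted */
{
    unsigned char t[SCRAMBLE_LENGTH], e[SCRAMBLE_LENGTH];
    build_demo_pair(t, e);
    return check_scramble_vulnerable(t, e) == 0;
}

int demo_fixed_accepts(void)        /* 0: the hardened check rejects it */
{
    unsigned char t[SCRAMBLE_LENGTH], e[SCRAMBLE_LENGTH];
    build_demo_pair(t, e);
    return check_scramble_fixed(t, e) == 0;
}

/* Simulate the repeated-login attack: the attacker always sends the same wrong
 * guess, but the server's random scramble makes the expected value differ each
 * time, so the low byte of the difference is 0 roughly 1 time in 256.
 * Returns how many of `attempts` the given check accepted. */
int count_accepted(my_bool (*check)(const unsigned char *, const unsigned char *),
                   unsigned seed, int attempts)
{
    unsigned char attacker[SCRAMBLE_LENGTH], expected[SCRAMBLE_LENGTH];
    int accepted = 0;
    srand(seed);
    for (int i = 0; i < SCRAMBLE_LENGTH; i++)
        attacker[i] = 0x41;                                  /* fixed wrong guess */
    for (int n = 0; n < attempts; n++) {
        for (int i = 0; i < SCRAMBLE_LENGTH; i++)
            expected[i] = (unsigned char)(rand() & 0xff);    /* fresh scramble */
        if (check(attacker, expected) == 0)
            accepted++;
    }
    return accepted;
}

int main(void)
{
    printf("demo pair: vulnerable accepts=%d, fixed accepts=%d\n",
           demo_vulnerable_accepts(), demo_fixed_accepts());
    printf("100000 attempts: vulnerable accepted %d, fixed accepted %d\n",
           count_accepted(check_scramble_vulnerable, 1, 100000),
           count_accepted(check_scramble_fixed, 1, 100000));
    return 0;
}
```

The vulnerable and fixed functions call the same comparison; the only difference is whether the int result is collapsed to 0/1 before being returned through the one-byte type. With the model memcmp the vulnerable check accepts the attacker's fixed guess a few hundred times in 100,000 attempts, while the fixed check never does.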

The good news is that the hole is limited to builds of the databases that were compiled and distributed by some Linux distributions, where the system C library's memcmp() can return values outside the range of a single byte; the official binary distributions of MySQL and MariaDB are not affected. The affected builds identified so far, according to a blog post by Rapid7 Chief Security Officer H. D. Moore, include those provided with the following Linux distributions: Ubuntu Linux 64-bit (10.04, 10.10, 11.04, 11.10, 12.04), OpenSuSE 12.1 64-bit MySQL 5.5.23-log, Fedora 16 64-bit, and Arch Linux. Administrators unsure whether their own build is affected can apply the same test the attack relies on: repeat a known-wrong password a few hundred times against a low-privilege test account and see whether any attempt is accepted.