ID CVE-2012-2122
Summary sql/password.c in Oracle MySQL 5.1.x before 5.1.63, 5.5.x before 5.5.24, and 5.6.x before 5.6.6, and MariaDB 5.1.x before 5.1.62, 5.2.x before 5.2.12, 5.3.x before 5.3.6, and 5.5.x before 5.5.23, when running in certain environments with certain implementations of the memcmp function, allows remote attackers to bypass authentication by repeatedly authenticating with the same incorrect password, which eventually causes a token comparison to succeed due to an improperly-checked return value.
References
Vulnerable Configurations
  • Oracle MySQL 5.1.60
    cpe:2.3:a:oracle:mysql:5.1.60
  • Oracle MySQL 5.1.61
    cpe:2.3:a:oracle:mysql:5.1.61
  • Oracle MySQL 5.1.58
    cpe:2.3:a:oracle:mysql:5.1.58
  • Oracle MySQL 5.1.59
    cpe:2.3:a:oracle:mysql:5.1.59
  • Oracle MySQL 5.1.56
    cpe:2.3:a:oracle:mysql:5.1.56
  • Oracle MySQL 5.1.57
    cpe:2.3:a:oracle:mysql:5.1.57
  • Oracle MySQL 5.1.54
    cpe:2.3:a:oracle:mysql:5.1.54
  • Oracle MySQL 5.1.55
    cpe:2.3:a:oracle:mysql:5.1.55
  • Oracle MySQL 5.1.52 Service Pack 1
    cpe:2.3:a:oracle:mysql:5.1.52:sp1
  • Oracle MySQL 5.1.53
    cpe:2.3:a:oracle:mysql:5.1.53
  • Oracle MySQL 5.1.51
    cpe:2.3:a:oracle:mysql:5.1.51
  • Oracle MySQL 5.1.52
    cpe:2.3:a:oracle:mysql:5.1.52
  • Oracle MySQL 5.5.21
    cpe:2.3:a:oracle:mysql:5.5.21
  • Oracle MySQL 5.5.20
    cpe:2.3:a:oracle:mysql:5.5.20
  • Oracle MySQL 5.5.19
    cpe:2.3:a:oracle:mysql:5.5.19
  • Oracle MySQL 5.5.18
    cpe:2.3:a:oracle:mysql:5.5.18
  • Oracle MySQL 5.5.17
    cpe:2.3:a:oracle:mysql:5.5.17
  • Oracle MySQL 5.5.16
    cpe:2.3:a:oracle:mysql:5.5.16
  • Oracle MySQL 5.5.15
    cpe:2.3:a:oracle:mysql:5.5.15
  • Oracle MySQL 5.5.14
    cpe:2.3:a:oracle:mysql:5.5.14
  • Oracle MySQL 5.5.13
    cpe:2.3:a:oracle:mysql:5.5.13
  • Oracle MySQL 5.5.12
    cpe:2.3:a:oracle:mysql:5.5.12
  • Oracle MySQL 5.5.11
    cpe:2.3:a:oracle:mysql:5.5.11
  • Oracle MySQL 5.5.10
    cpe:2.3:a:oracle:mysql:5.5.10
  • Oracle MySQL 5.6.2
    cpe:2.3:a:oracle:mysql:5.6.2
  • Oracle MySQL 5.6.3
    cpe:2.3:a:oracle:mysql:5.6.3
  • Oracle MySQL 5.6.4
    cpe:2.3:a:oracle:mysql:5.6.4
  • Oracle MySQL 5.6.5
    cpe:2.3:a:oracle:mysql:5.6.5
  • MariaDB 5.1.61
    cpe:2.3:a:mariadb:mariadb:5.1.61
  • MariaDB 5.1.60
    cpe:2.3:a:mariadb:mariadb:5.1.60
  • MariaDB 5.1.55
    cpe:2.3:a:mariadb:mariadb:5.1.55
  • MariaDB 5.1.53
    cpe:2.3:a:mariadb:mariadb:5.1.53
  • MariaDB 5.1.51
    cpe:2.3:a:mariadb:mariadb:5.1.51
  • MariaDB 5.1.50
    cpe:2.3:a:mariadb:mariadb:5.1.50
  • MariaDB 5.1.49
    cpe:2.3:a:mariadb:mariadb:5.1.49
  • MariaDB 5.1.47
    cpe:2.3:a:mariadb:mariadb:5.1.47
  • MariaDB 5.1.44
    cpe:2.3:a:mariadb:mariadb:5.1.44
  • MariaDB 5.1.42
    cpe:2.3:a:mariadb:mariadb:5.1.42
  • MariaDB 5.1.41
    cpe:2.3:a:mariadb:mariadb:5.1.41
  • MariaDB 5.2.0
    cpe:2.3:a:mariadb:mariadb:5.2.0
  • MariaDB 5.2.1
    cpe:2.3:a:mariadb:mariadb:5.2.1
  • MariaDB 5.2.2
    cpe:2.3:a:mariadb:mariadb:5.2.2
  • MariaDB 5.2.3
    cpe:2.3:a:mariadb:mariadb:5.2.3
  • MariaDB 5.2.4
    cpe:2.3:a:mariadb:mariadb:5.2.4
  • MariaDB 5.2.5
    cpe:2.3:a:mariadb:mariadb:5.2.5
  • MariaDB 5.2.6
    cpe:2.3:a:mariadb:mariadb:5.2.6
  • MariaDB 5.2.7
    cpe:2.3:a:mariadb:mariadb:5.2.7
  • MariaDB 5.2.8
    cpe:2.3:a:mariadb:mariadb:5.2.8
  • MariaDB 5.2.9
    cpe:2.3:a:mariadb:mariadb:5.2.9
  • MariaDB 5.2.10
    cpe:2.3:a:mariadb:mariadb:5.2.10
  • MariaDB 5.2.11
    cpe:2.3:a:mariadb:mariadb:5.2.11
  • MariaDB 5.3.0
    cpe:2.3:a:mariadb:mariadb:5.3.0
  • MariaDB 5.3.1
    cpe:2.3:a:mariadb:mariadb:5.3.1
  • MariaDB 5.3.2
    cpe:2.3:a:mariadb:mariadb:5.3.2
  • MariaDB 5.3.3
    cpe:2.3:a:mariadb:mariadb:5.3.3
  • MariaDB 5.3.4
    cpe:2.3:a:mariadb:mariadb:5.3.4
  • MariaDB 5.3.5
    cpe:2.3:a:mariadb:mariadb:5.3.5
  • MariaDB 5.3.6
    cpe:2.3:a:mariadb:mariadb:5.3.6
  • MariaDB 5.5.22
    cpe:2.3:a:mariadb:mariadb:5.5.22
  • MariaDB 5.5.21
    cpe:2.3:a:mariadb:mariadb:5.5.21
  • MariaDB 5.5.20
    cpe:2.3:a:mariadb:mariadb:5.5.20
CVSS
Base: 5.1 (as of 27-06-2012 - 08:57)
Impact:
Exploitability:
CWE CWE-287
CAPEC
  • Authentication Abuse
    An attacker obtains unauthorized access to an application, service or device either through knowledge of the inherent weaknesses of an authentication mechanism, or by exploiting a flaw in the authentication scheme's implementation. In such an attack an authentication mechanism is functioning but a carefully controlled sequence of events causes the mechanism to grant access to the attacker. This attack may exploit assumptions made by the target's authentication procedures, such as assumptions regarding trust relationships or assumptions regarding the generation of secret values. This attack differs from Authentication Bypass attacks in that Authentication Abuse allows the attacker to be certified as a valid user through illegitimate means, while Authentication Bypass allows the user to access protected material without ever being certified as an authenticated user. This attack does not rely on prior sessions established by successfully authenticating users, as relied upon for the "Exploitation of Session Variables, Resource IDs and other Trusted Credentials" attack patterns.
  • Exploiting Trust in Client (aka Make the Client Invisible)
    An attack of this type exploits a programs' vulnerabilities in client/server communication channel authentication and data integrity. It leverages the implicit trust a server places in the client, or more importantly, that which the server believes is the client. An attacker executes this type of attack by placing themselves in the communication channel between client and server such that communication directly to the server is possible where the server believes it is communicating only with a valid client. There are numerous variations of this type of attack.
  • Utilizing REST's Trust in the System Resource to Register Man in the Middle
    This attack utilizes a REST(REpresentational State Transfer)-style applications' trust in the system resources and environment to place man in the middle once SSL is terminated. Rest applications premise is that they leverage existing infrastructure to deliver web services functionality. An example of this is a Rest application that uses HTTP Get methods and receives a HTTP response with an XML document. These Rest style web services are deployed on existing infrastructure such as Apache and IIS web servers with no SOAP stack required. Unfortunately from a security standpoint, there frequently is no interoperable identity security mechanism deployed, so Rest developers often fall back to SSL to deliver security. In large data centers, SSL is typically terminated at the edge of the network - at the firewall, load balancer, or router. Once the SSL is terminated the HTTP request is in the clear (unless developers have hashed or encrypted the values, but this is rare). The attacker can utilize a sniffer such as Wireshark to snapshot the credentials, such as username and password that are passed in the clear once SSL is terminated. Once the attacker gathers these credentials, they can submit requests to the web service provider just as authorized user do. There is not typically an authentication on the client side, beyond what is passed in the request itself so once this is compromised, then this is generally sufficient to compromise the service's authentication scheme.
  • Man in the Middle Attack
    This type of attack targets the communication between two components (typically client and server). The attacker places himself in the communication channel between the two components. Whenever one component attempts to communicate with the other (data flow, authentication challenges, etc.), the data first goes to the attacker, who has the opportunity to observe or alter it, and it is then passed on to the other component as if it was never intercepted. This interposition is transparent leaving the two compromised components unaware of the potential corruption or leakage of their communications. The potential for Man-in-the-Middle attacks yields an implicit lack of trust in communication or identify between two components.
Access
VectorComplexityAuthentication
NETWORK HIGH NONE
Impact
ConfidentialityIntegrityAvailability
PARTIAL PARTIAL PARTIAL
exploit-db via4
  • description MySQL Remote Root Authentication Bypass. CVE-2012-2122. Remote exploits for multiple platform
    file exploits/multiple/remote/19092.py
    id EDB-ID:19092
    last seen 2016-02-02
    modified 2012-06-12
    platform multiple
    port
    published 2012-06-12
    reporter David Kennedy (ReL1K)
    source https://www.exploit-db.com/download/19092/
    title MySQL Remote Root Authentication Bypass
    type remote
  • description HackBack - A DIY Guide. Papers exploit for Multiple platform
    id EDB-ID:41915
    last seen 2017-04-25
    modified 2016-04-17
    published 2016-04-17
    reporter Exploit-DB
    source https://www.exploit-db.com/download/41915/
    title HackBack - A DIY Guide
metasploit via4
description This module exploits a password bypass vulnerability in MySQL in order to extract the usernames and encrypted password hashes from a MySQL server. These hashes are stored as loot for later cracking.
id MSF:AUXILIARY/SCANNER/MYSQL/MYSQL_AUTHBYPASS_HASHDUMP
last seen 2019-03-17
modified 2017-07-24
published 2012-06-11
reliability Normal
reporter Rapid7
source https://github.com/rapid7/metasploit-framework/blob/master/modules/auxiliary/scanner/mysql/mysql_authbypass_hashdump.rb
title MySQL Authentication Bypass Password Dump
nessus via4
  • NASL family Amazon Linux Local Security Checks
    NASL id ALA_ALAS-2012-93.NASL
    description sql/password.c in Oracle MySQL 5.1.x before 5.1.63, 5.5.x before 5.5.24, and 5.6.x before 5.6.6, and MariaDB 5.1.x before 5.1.62, 5.2.x before 5.2.12, 5.3.x before 5.3.6, and 5.5.x before 5.5.23, when running in certain environments with certain implementations of the memcmp function, allows remote attackers to bypass authentication by repeatedly authenticating with the same incorrect password, which eventually causes a token comparison to succeed due to an improperly-checked return value.
    last seen 2019-02-21
    modified 2018-04-18
    plugin id 69700
    published 2013-09-04
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=69700
    title Amazon Linux AMI : mysql55 (ALAS-2012-93)
  • NASL family Debian Local Security Checks
    NASL id DEBIAN_DSA-2496.NASL
    description Due to the non-disclosure of security patch information from Oracle, we are forced to ship an upstream version update of MySQL 5.1. There are several known incompatible changes, which are listed in /usr/share/doc/mysql-server/NEWS.Debian.gz. Several issues have been discovered in the MySQL database server. The vulnerabilities are addressed by upgrading MySQL to a new upstream version, 5.1.63, which includes additional changes, such as performance improvements and corrections for data loss defects. These changes are described in the MySQL release notes. CVE-2012-2122, an authentication bypass vulnerability, occurs only when MySQL has been built in with certain optimisations enabled. The packages in Debian stable (squeeze) are not known to be affected by this vulnerability. It is addressed in this update nonetheless, so future rebuilds will not become vulnerable to this issue.
    last seen 2019-02-21
    modified 2018-11-19
    plugin id 59774
    published 2012-06-29
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=59774
    title Debian DSA-2496-1 : mysql-5.1 - several vulnerabilities
  • NASL family Scientific Linux Local Security Checks
    NASL id SL_20130122_MYSQL_ON_SL5_X.NASL
    description A stack-based buffer overflow flaw was found in the user permission checking code in MySQL. An authenticated database user could use this flaw to crash the mysqld daemon or, potentially, execute arbitrary code with the privileges of the user running the mysqld daemon. (CVE-2012-5611) A flaw was found in the way MySQL calculated the key length when creating a sort order index for certain queries. An authenticated database user could use this flaw to crash the mysqld daemon. (CVE-2012-2749) This update also adds a patch for a potential flaw in the MySQL password checking function, which could allow an attacker to log into any MySQL account without knowing the correct password. This problem (CVE-2012-2122) only affected MySQL packages that use a certain compiler and C library optimization. It did not affect the mysql packages in Scientific Linux 5. The patch is being added as a preventive measure to ensure this problem cannot get exposed in future revisions of the mysql packages. After installing this update, the MySQL server daemon (mysqld) will be restarted automatically.
    last seen 2019-02-21
    modified 2018-12-31
    plugin id 63678
    published 2013-01-24
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=63678
    title Scientific Linux Security Update : mysql on SL5.x i386/x86_64
  • NASL family SuSE Local Security Checks
    NASL id OPENSUSE-2012-332.NASL
    description Version upgrade to 5.5.25 of MySQL to fix an authentication bypass flaw. Additionally, various other non-security bugs were fixed.
    last seen 2019-02-21
    modified 2015-01-13
    plugin id 74654
    published 2014-06-13
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=74654
    title openSUSE Security Update : mysql-community-server (openSUSE-2012-332)
  • NASL family Gentoo Local Security Checks
    NASL id GENTOO_GLSA-201308-06.NASL
    description The remote host is affected by the vulnerability described in GLSA-201308-06 (MySQL: Multiple vulnerabilities) Multiple vulnerabilities have been discovered in MySQL. Please review the CVE identifiers referenced below for details. Impact : A remote attacker could send a specially crafted request, possibly resulting in execution of arbitrary code with the privileges of the application or a Denial of Service condition. Workaround : There is no known workaround at this time.
    last seen 2019-02-21
    modified 2018-07-11
    plugin id 69508
    published 2013-08-30
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=69508
    title GLSA-201308-06 : MySQL: Multiple vulnerabilities
  • NASL family Fedora Local Security Checks
    NASL id FEDORA_2012-9308.NASL
    description Update to MySQL 5.5.24, for various fixes described at http://dev.mysql.com/doc/refman/5.5/en/news-5-5-24.html including the fix for CVE-2012-2122 Note that Tenable Network Security has extracted the preceding description block directly from the Fedora security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen 2019-02-21
    modified 2018-11-28
    plugin id 59546
    published 2012-06-18
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=59546
    title Fedora 17 : mysql-5.5.24-1.fc17 (2012-9308)
  • NASL family Databases
    NASL id MYSQL_AUTH_BYPASS.NASL
    description A flaw in the MySQL server allows remote users to authenticate without a valid password due to a failure when casting a randomly generated token and comparing it to an expected value.
    last seen 2019-02-21
    modified 2019-01-18
    plugin id 61393
    published 2012-08-02
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=61393
    title MySQL Authentication Protocol Token Comparison Casting Failure Password Bypass
  • NASL family Databases
    NASL id MYSQL_5_1_63.NASL
    description The version of MySQL 5.1 installed on the remote host is earlier than 5.1.63 and is, therefore, affected by multiple vulnerabilities : - Several errors exist related to 'GIS Extension' and 'Server Optimizer' components that can allow denial of service attacks. (CVE-2012-0540, CVE-2012-1689, CVE-2012-1734) - A security bypass vulnerability exists that occurs due to improper casting during user login sessions. (Bug #64884 / CVE-2012-2122) - An error exists related to key length and sort order index that can lead to application crashes. (Bug #59387 / CVE-2012-2749)
    last seen 2019-02-21
    modified 2018-11-15
    plugin id 59448
    published 2012-06-11
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=59448
    title MySQL 5.1 < 5.1.63 Multiple Vulnerabilities
  • NASL family Fedora Local Security Checks
    NASL id FEDORA_2012-9324.NASL
    description Update to MySQL 5.5.24, for various fixes described at http://dev.mysql.com/doc/refman/5.5/en/news-5-5-24.html including the fix for CVE-2012-2122 Note that Tenable Network Security has extracted the preceding description block directly from the Fedora security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen 2019-02-21
    modified 2018-11-28
    plugin id 59720
    published 2012-06-27
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=59720
    title Fedora 16 : mysql-5.5.24-1.fc16 (2012-9324)
  • NASL family Databases
    NASL id MYSQL_5_5_24.NASL
    description The version of MySQL 5.5 installed on the remote host is earlier than 5.5.24 and is, therefore, affected by the following vulnerabilities : - Several errors exist related to 'GIS Extension', 'Server', 'InnoDB' and 'Server Optimizer' components that can allow denial of service attacks. (CVE-2012-0540, CVE-2012-1734, CVE-2012-1735, CVE-2012-1756, CVE-2012-1757) - A security bypass vulnerability exists that occurs due to improper casting during user login sessions. (Bug #64884 / CVE-2012-2122) - An error exists related to key length and sort order index that can lead to application crashes. (Bug #59387 / CVE-2012-2749)
    last seen 2019-02-21
    modified 2018-11-15
    plugin id 59449
    published 2012-06-11
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=59449
    title MySQL 5.5 < 5.5.24 Security Bypass Vulnerability
  • NASL family SuSE Local Security Checks
    NASL id OPENSUSE-2012-378.NASL
    description This version upgrade of mysql-cluster to version 7.1.22 fixed an authentication bypass flaw. Additionally, this version upgrade also includes fixes for various other bugs.
    last seen 2019-02-21
    modified 2018-11-10
    plugin id 74673
    published 2014-06-13
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=74673
    title openSUSE Security Update : mysql-cluster (openSUSE-SU-2012:0860-1)
  • NASL family SuSE Local Security Checks
    NASL id SUSE_11_LIBMYSQLCLIENT-DEVEL-120731.NASL
    description MySQL has been upgraded to version 5.0.96 to fix several vulnerabilities.
    last seen 2019-02-21
    modified 2015-01-13
    plugin id 64183
    published 2013-01-25
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=64183
    title SuSE 11.1 Security Update : MySQL (SAT Patch Number 6613)
  • NASL family Ubuntu Local Security Checks
    NASL id UBUNTU_USN-1467-1.NASL
    description It was discovered that certain builds of MySQL incorrectly handled password authentication on certain platforms. A remote attacker could use this issue to authenticate with an arbitrary password and establish a connection. (CVE-2012-2122) MySQL has been updated to 5.5.24 in Ubuntu 12.04 LTS. Ubuntu 10.04 LTS, Ubuntu 11.04 and Ubuntu 11.10 have been updated to MySQL 5.1.63. A patch to fix the issue was backported to the version of MySQL in Ubuntu 8.04 LTS. In addition to additional security fixes, the updated packages contain bug fixes, new features, and possibly incompatible changes. Please see the following for more information : http://dev.mysql.com/doc/refman/5.5/en/news-5-5-24.html http://dev.mysql.com/doc/refman/5.1/en/news-5-1-63.html Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen 2019-02-21
    modified 2018-12-01
    plugin id 59452
    published 2012-06-12
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=59452
    title Ubuntu 8.04 LTS / 10.04 LTS / 11.04 / 11.10 / 12.04 LTS : mysql-5.1, mysql-5.5, mysql-dfsg-5.0, mysql-dfsg-5.1 vulnerabilities (USN-1467-1)
packetstorm via4
refmap via4
bid 53911
confirm http://kb.askmonty.org/en/mariadb-5162-release-notes/
exploit-db 19092
gentoo GLSA-201308-06
misc
mlist [oss-security] 20120609 Security vulnerability in MySQL/MariaDB sql/password.c
sectrack 1027143
secunia
  • 49417
  • 53372
suse SUSE-SU-2012:0984
Last major update 20-02-2014 - 23:50
Published 26-06-2012 - 14:55
Back to Top