Security flaw in MySQL, MariaDB allows access with any password—just keep submitting it


But in the affected versions of MariaDB and MySQL, as MontyProgram’s Sergei Golubchik wrote in a list posting on June 9, the database can be fooled into accepting a password even if it doesn’t match. “Because of incorrect [type] casting [in the code],” he wrote, “it might’ve happened that the token and the expected value were considered equal, even if the memcmp() returned a non-zero value. In this case, MySQL/MariaDB would think that the password is correct even while it is not.”

Because of the random key strings used, Golubchik said the probability of exploiting the flaw on any given attempt “is about 1/256”; with enough attempts, even using the same password over and over again, an attacker could gain access just by knowing a valid account name (such as “root”). Given that it takes less than a second to submit hundreds of login attempts, the hole essentially renders password protection worthless.
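The narrowing described above, as an added illustration that is not code from MySQL or MariaDB: a deliberately constructed memcmp-like function (`model_memcmp`, an assumption standing in for an optimised libc memcmp that returns values beyond -1/0/1) feeds the vulnerable one-byte conversion and the corrected 0/1 reduction side by side, and a counter shows where the roughly 1/256 figure comes from.

```c
#include <stddef.h>
#include <stdio.h>

#define TOKEN_LEN 20

/* One-byte stand-in for the narrow boolean type the article describes (unsigned so the int->byte conversion is well defined). */
typedef unsigned char narrow_bool;

/* Constructed model of an optimised memcmp: C only promises the sign of the result, so real
 * implementations may return values far outside -1/0/1; this one scales the first byte difference by 256. */
static int model_memcmp(const unsigned char *a, const unsigned char *b, size_t n) {
    for (size_t i = 0; i < n; i++)
        if (a[i] != b[i])
            return ((int)a[i] - (int)b[i]) * 256;
    return 0;
}

/* Vulnerable pattern: the int result is implicitly narrowed to one byte, so any result whose
 * low 8 bits are zero (256, -512, ...) reads back as 0, i.e. "equal". */
static narrow_bool mismatch_truncating(int memcmp_result) {
    return memcmp_result;          /* silent narrowing conversion */
}

/* Fixed pattern: reduce to 0/1 while the value is still an int. */
static narrow_bool mismatch_fixed(int memcmp_result) {
    return memcmp_result != 0;
}

/* 1 if a constructed wrong token (differs from the expected one in its first byte) is accepted. */
static int wrong_token_accepted(narrow_bool (*to_bool)(int)) {
    unsigned char expected[TOKEN_LEN] = {0x10}, wrong[TOKEN_LEN] = {0x2A};
    return to_bool(model_memcmp(expected, wrong, TOKEN_LEN)) == 0;
}

/* Counts non-zero memcmp results in [lo, hi] that the narrowing misreads as "equal":
 * every 256th value, which is where the roughly 1/256 figure quoted in the article comes from. */
static int false_equal_count(int lo, int hi) {
    int n = 0;
    for (int r = lo; r <= hi; r++)
        if (r != 0 && mismatch_truncating(r) == 0)
            n++;
    return n;
}

int main(void) {
    printf("truncating compare accepts wrong token: %d\n", wrong_token_accepted(mismatch_truncating));
    printf("fixed compare accepts wrong token:      %d\n", wrong_token_accepted(mismatch_fixed));
    printf("misread results in [-32768, 32767]: %d of 65535\n", false_equal_count(-32768, 32767));
    return 0;
}
```

The defensive lesson is the same one the fix applied: never return a comparison result through a type narrower than the one the library produced, and collapse it to a boolean while it is still an int.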

The good news is that the hole is limited to previous versions of the databases that were compiled and distributed with some distributions of Linux; MySQL and MariaDB binary distributions are not affected. The affected versions that have been identified so far, according to a blog post by Rapid7 Chief Security Officer H. D. Moore, include those provided with the following Linux distributions: Ubuntu Linux 64-bit (10.04, 10.10, 11.04, 11.10, 12.04), OpenSuSE 12.1 64-bit MySQL 5.5.23-log, Fedora 16 64-bit, and Arch Linux. Official builds of MariaDB and MySQL are not vulnerable.