MariaDB Server
MDEV-3915: COM_CHANGE_USER allows fast password brute-forcing

    Details

    • Type: Bug
    • Status: Closed
    • Priority: Major
    • Resolution: Fixed
    • Affects Version/s: 5.5.28a, 5.3.11, 5.2.13, 5.1.66
    • Fix Version/s: 5.5.29, 5.2.14, 5.3.12
    • Component/s: None
    • Labels: None

      Description

      If one tries to connect with an incorrect password, the connection is aborted, and one has to connect again to try a new password. But if one tries an incorrect password with the COM_CHANGE_USER command, one is not disconnected, which allows passwords to be brute-forced faster. Additionally, all COM_CHANGE_USER commands issued in a connection use the same scramble value.

      We can fix it by allowing only three (or some other small fixed number?) failed COM_CHANGE_USER attempts in a connection.

      It probably shouldn't be "three fails in a row", because one would be able to alternate between two known accounts and continue trying other passwords.

      Additionally, we might add a one-second (or any other short fixed duration) delay after a failed connection or COM_CHANGE_USER attempt.
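      The limit proposed in the description, modelled as an added example (Python written for this page; it is not MariaDB server code). The mysql_native_password arithmetic follows the protocol; the Connection class, the constant MAX_FAILED_CHANGE_USER = 3, the optional failure_delay, the sample accounts and the alternating attack loop are assumptions for illustration. The model shows why the counter must not reset on success: under a "three in a row" rule an attacker who owns one account alternates a valid login with guesses against another account and is never disconnected, whereas counting total failures per connection ends the run after three guesses. It also issues a fresh scramble for every attempt instead of reusing the handshake's.

```python
"""Model of the per-connection COM_CHANGE_USER failure limit proposed in MDEV-3915.

Illustrative example written for this page, not MariaDB server code. The
mysql_native_password arithmetic is the real protocol; the connection state,
MAX_FAILED_CHANGE_USER and the attack loop are assumptions for illustration.
"""
import hashlib
import secrets
import time

MAX_FAILED_CHANGE_USER = 3  # assumed limit: total failures per connection, not "in a row"
SCRAMBLE_LEN = 20           # mysql_native_password uses a 20-byte scramble


def sha1(data: bytes) -> bytes:
    return hashlib.sha1(data).digest()


def xor_bytes(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def new_scramble() -> bytes:
    return secrets.token_bytes(SCRAMBLE_LEN)


def stored_hash(password: str) -> bytes:
    """What mysql.user stores for mysql_native_password: SHA1(SHA1(password))."""
    return sha1(sha1(password.encode()))


def client_token(password: str, scramble: bytes) -> bytes:
    """Client's auth response: SHA1(pw) XOR SHA1(scramble || SHA1(SHA1(pw)))."""
    pw1 = sha1(password.encode())
    return xor_bytes(pw1, sha1(scramble + sha1(pw1)))


def server_verify(stored: bytes, scramble: bytes, token: bytes) -> bool:
    """Server recovers SHA1(pw) from the token, hashes it once more and compares."""
    if len(token) != SCRAMBLE_LEN:
        return False
    recovered_pw1 = xor_bytes(token, sha1(scramble + stored))
    return secrets.compare_digest(sha1(recovered_pw1), stored)


class Connection:
    """One client connection; tracks failed COM_CHANGE_USER attempts (assumed model)."""

    def __init__(self, accounts: dict, reset_on_success: bool = False,
                 failure_delay: float = 0.0):
        self.accounts = accounts                  # user -> stored_hash(password)
        self.reset_on_success = reset_on_success  # True models the weaker "N in a row" rule
        self.failure_delay = failure_delay        # optional per-failure delay from the description
        self.failed_change_user = 0
        self.is_open = True
        self.scramble = new_scramble()
        # Unknown users are checked against a random hash so the code path is uniform.
        self._dummy = stored_hash(secrets.token_hex(16))

    def change_user(self, user: str, token: bytes) -> bool:
        if not self.is_open:
            raise ConnectionError("connection closed by server")
        stored = self.accounts.get(user, self._dummy)
        ok = server_verify(stored, self.scramble, token)
        if ok:
            if self.reset_on_success:
                self.failed_change_user = 0
        else:
            self.failed_change_user += 1
            time.sleep(self.failure_delay)
            if self.failed_change_user >= MAX_FAILED_CHANGE_USER:
                self.is_open = False
        # Fresh scramble for every attempt instead of reusing the handshake's.
        self.scramble = new_scramble()
        return ok


def alternating_attack(accounts, known_user, known_password, victim, guesses,
                       reset_on_success=False):
    """Attacker who owns known_user alternates a valid login with guesses against
    victim, all on one connection. Returns (guesses_tried, connection_closed)."""
    conn = Connection(accounts, reset_on_success=reset_on_success)
    tried = 0
    for guess in guesses:
        try:
            if conn.change_user(victim, client_token(guess, conn.scramble)):
                return tried + 1, not conn.is_open  # guessed right
            tried += 1
            conn.change_user(known_user, client_token(known_password, conn.scramble))
        except ConnectionError:
            break
    return tried, not conn.is_open


if __name__ == "__main__":
    # Constructed sample accounts, not real credentials.
    accounts = {"app": stored_hash("app-secret"), "root": stored_hash("correct horse")}
    guesses = ["guess%d" % i for i in range(10)]
    print("total-count rule:", alternating_attack(accounts, "app", "app-secret", "root", guesses))
    print("in-a-row rule:   ", alternating_attack(accounts, "app", "app-secret", "root", guesses, True))
```

      Running the module prints (3, True) for the total-count rule, meaning the attacker got three guesses before the server closed the connection, and (10, False) for the "in a row" rule, meaning all ten guesses went through on one open connection.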

    Activity

      Sergei Golubchik (serg) added a comment (edited):
      http://seclists.org/fulldisclosure/2012/Dec/58

      Jan Lieskovsky (iankko) added a comment:

      The CVE identifier CVE-2012-5627 has been assigned to this issue:
      http://www.openwall.com/lists/oss-security/2012/12/06/4

    People

    • Assignee: Sergei Golubchik (serg)
    • Reporter: Sergei Golubchik (serg)
    • Votes: 0
    • Watchers: 2

    Time Tracking

    • Estimated: Not Specified
    • Remaining: 0m
    • Logged: 1h 20m