Vulnerability ID 5503

Oracle MySQL up to 5.6.5 Password Authentication sql/password.c memcmp() weak authentication


A vulnerability has been found in Oracle MySQL and classified as critical. Affected is the function memcmp() in the file sql/password.c of the component Password Authentication. Manipulation with an unknown input leads to a weak authentication vulnerability. It is known to affect confidentiality, integrity, and availability. The summary by CVE is:

sql/password.c in Oracle MySQL 5.1.x before 5.1.63, 5.5.x before 5.5.24, and 5.6.x before 5.6.6, and MariaDB 5.1.x before 5.1.62, 5.2.x before 5.2.12, 5.3.x before 5.3.6, and 5.5.x before 5.5.23, when running in certain environments with certain implementations of the memcmp function, allows remote attackers to bypass authentication by repeatedly authenticating with the same incorrect password, which eventually causes a token comparison to succeed due to an improperly-checked return value.

The weakness was presented 06/09/2012 by Sergei Golubchik of MariaDB as a mailing list post (oss-sec mailing list). The advisory is shared for download at The vendor was not involved in the public release. This vulnerability is known as CVE-2012-2122 since 04/04/2012. The attack can be launched remotely. Exploitation does not require any form of authentication. Technical details and a public exploit are known. Due to its background and reception, this vulnerability has a historic impact. The advisory points out:

This flaw was rooted in an assumption that the memcmp() function would always return a value within the range -127 to 127 (signed character). On some platforms and with certain optimizations enabled, this routine can return values outside of this range, eventually causing the code that compares a hashed password to sometimes return true even when the wrong password is specified. Since the authentication protocol generates a different hash each time this comparison is done, there is a 1 in 256 chance that ANY password would be accepted for authentication.
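The narrowing the advisory describes, as an added illustration constructed for this entry rather than MySQL's own sql/password.c: a one-byte boolean carrying a raw memcmp result beside the corrected form, with a word-wise comparison standing in for the optimized platform memcmp. HASH_SIZE, my_bool, wide_memcmp and the check_scramble_* names are assumptions, not the vendor's identifiers.

```c
#include <stddef.h>
#include <stdint.h>

#define HASH_SIZE 20          /* assumed token length for the example */
typedef char my_bool;         /* one-byte boolean, the narrowing that matters */

/* Constructed stand-in for an optimized platform memcmp: it compares
 * 16-bit words and returns their full difference, so the result can fall
 * outside the -127..127 range the vulnerable code assumed. */
static int wide_memcmp(const uint8_t *a, const uint8_t *b, size_t n)
{
    for (size_t i = 0; i + 1 < n; i += 2) {
        int wa = (a[i] << 8) | a[i + 1];
        int wb = (b[i] << 8) | b[i + 1];
        if (wa != wb)
            return wa - wb;   /* e.g. 256 when only the high byte differs */
    }
    return 0;                 /* HASH_SIZE is even, so no trailing byte */
}

/* Vulnerable pattern: the int result is returned through a one-byte type,
 * so any difference that is a multiple of 256 reads as 0, i.e. "match". */
static my_bool check_scramble_truncated(const uint8_t *tok, const uint8_t *exp)
{
    return wide_memcmp(tok, exp, HASH_SIZE);     /* 0 means accepted */
}

/* Fixed pattern: collapse the comparison to 0/1 before narrowing it. */
static my_bool check_scramble_fixed(const uint8_t *tok, const uint8_t *exp)
{
    return wide_memcmp(tok, exp, HASH_SIZE) != 0;
}

/* Count how many of the 65535 wrong tokens that differ from an all-zero
 * expected token only in the first 16-bit word are accepted by `check`. */
static int false_accepts(my_bool (*check)(const uint8_t *, const uint8_t *))
{
    uint8_t expected[HASH_SIZE] = {0}, token[HASH_SIZE] = {0};
    int accepted = 0;
    for (int w = 1; w < 65536; w++) {
        token[0] = (uint8_t)(w >> 8);
        token[1] = (uint8_t)(w & 0xff);
        if (check(token, expected) == 0)
            accepted++;
    }
    return accepted;
}
```

The truncated checker accepts 255 of the 65535 wrong tokens (every difference that is a multiple of 256), which is the roughly 1-in-256 acceptance rate the advisory states; the fixed checker accepts none.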

A public exploit was developed by HD Moore (HDM) as a shell script and was published 2 days after the advisory. It is declared as proof-of-concept. The exploit is shared for download at We expect the 0-day to have been worth approximately $25k-$50k. The vulnerability scanner Nessus provides a plugin with the ID 74673 (openSUSE Security Update : mysql-cluster (openSUSE-SU-2012:0860-1)), which helps to determine the existence of the flaw in a target environment. It is assigned to the family SuSE Local Security Checks, running in the context local and relying on port 0. It is possible to verify the existence of the vulnerability with: for i in `seq 1 1000`; do mysql -u root --password=bad -h 2>/dev/null; done

Applying a patch eliminates this problem. The bugfix is ready for download at It is possible to mitigate the weakness by firewalling tcp/3306 (mysql). The best possible mitigation is suggested to be patching the affected component. A possible mitigation was published before, not just after, the disclosure of the vulnerability.

The vulnerability is also documented in the databases at SecurityFocus (BID 53911), Secunia (SA49417), SecurityTracker (ID 1027143) and Vulnerability Center (SBV-35326). See 5779 for similar entries.




Base Score: 5.6
Temp Score: 5.1
Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:L/E:P/RL:O/RC:X
Reliability: High


Base Score: 5.1 (CVSS2#AV:N/AC:H/Au:N/C:P/I:P/A:P)
Temp Score: 4.0 (CVSS2#E:POC/RL:OF/RC:ND)
Reliability: High




Class: Weak authentication (CWE-287)
Local: No
Remote: Yes

Availability: Yes
Access: Public
Status: Proof-of-Concept
Programming Language: Shell script
Author: HD Moore (HDM)

Current Price Estimation: $25k-$50k (0-day) / $0-$1k (Today)


Nessus ID: 74673
Nessus Name: openSUSE Security Update : mysql-cluster (openSUSE-SU-2012:0860-1)
Nessus File: ala_ALAS-2012-93.nasl
Nessus Family: SuSE Local Security Checks
Nessus Context: local
Nessus Port: 0
OpenVAS ID: 71475
OpenVAS Name: Debian Security Advisory DSA 2496-1 (mysql-5.1)
OpenVAS File: deb_2496_1.nasl
OpenVAS Family: Debian Local Security Checks
MetaSploit ID: mysql_authbypass_hashdump.rb
MetaSploit File: metasploit-framework/modules/auxiliary/scanner/mysql/mysql_authbypass_hashdump.rb
MetaSploit Name: MySQL Authentication Bypass Password Dump


Recommended: Patch
Status: Official fix
0-Day Time: 0 days since found
Exploit Delay Time: 2 days since known

Firewalling: tcp/3306 (mysql)
ISS Proventia IPS: 2104110
Fortigate IPS: 10917


04/04/2012 CVE assigned
05/07/2012 +33 days Countermeasure disclosed
06/09/2012 +34 days Advisory disclosed
06/11/2012 +1 days VulDB entry created
06/11/2012 +0 days VulnerabilityCenter entry assigned
06/11/2012 +1 days Exploit disclosed
06/13/2012 +1 days VulnerabilityCenter entry created
06/26/2012 +13 days NVD disclosed
06/13/2014 +717 days Nessus plugin released
03/22/2015 +282 days VulnerabilityCenter entry updated
07/08/2015 +109 days VulDB entry updated


Researcher: Sergei Golubchik
Organization: MariaDB

CVE: CVE-2012-2122

SecurityFocus: 53911 - Oracle MySQL CVE-2012-2122 User Login Security Bypass Vulnerability
Secunia: 49417 - MariaDB User Login Security Bypass Security Issue, Less Critical
SecurityTracker: 1027143 - MySQL memcmp() Comparison Error Lets Remote Users Bypass Authentication
Vulnerability Center: 35326 - Oracle MySQL Compiled With Linux Glibc SSE-Optimized memcmp Option Allows Authentication Bypass, Medium
OSVDB: 82804

See also: 5779


Created: 06/11/2012
Updated: 07/08/2015
Entry: 100% complete