Bug 1509475 (CVE-2018-2696) - CVE-2018-2696 mysql: sha256_password authentication DoS via long password
Summary: CVE-2018-2696 mysql: sha256_password authentication DoS via long password
Keywords:
Status: CLOSED ERRATA
Alias: CVE-2018-2696
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Priority: high
Severity: high
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 1533831 1533832 1533833 1533834 1535520
Blocks: 1509486 1535524
 
Reported: 2017-11-03 21:13 UTC by Tomas Hoger
Modified: 2019-09-29 14:24 UTC (History)

Fixed In Version: mysql 5.6.39, mysql 5.7.21
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2018-03-26 11:30:25 UTC


Attachments
Proposed fix (477 bytes, patch)
2017-11-06 09:15 UTC, Tomas Hoger
hhorak: review+


Links
Red Hat Product Errata RHSA-2018:0586 (last updated 2018-03-26 10:14:44 UTC)
Red Hat Product Errata RHSA-2018:0587 (last updated 2018-03-26 10:03:20 UTC)

Description Tomas Hoger 2017-11-03 21:13:01 UTC
It was discovered that MySQL's sha256_password authentication plugin did not restrict the length of the password received from an authenticating client before passing it to the my_crypt_genhash() function.  This function implements the SHA-256 crypt password hashing algorithm that can also be used for hashing passwords in /etc/shadow on Linux systems.  The algorithm is computationally intensive, and an excessively long password causes the mysqld thread handling that connection to consume all available CPU time.  Additionally, the algorithm implementation in MySQL uses alloca() for memory allocation, which does not protect against stack overflow, possibly leading to memory corruption, process crash, and potentially code execution.

Note that this issue affects deployments where non-default sha256_password authentication is configured for some or all database users.

Comment 1 Tomas Hoger 2017-11-03 21:13:06 UTC
Acknowledgments:

Name: Red Hat Product Security

Comment 5 Tomas Hoger 2017-11-06 09:15:12 UTC
Created attachment 1348482 [details]
Proposed fix

I believe setting an arbitrary password length limit is the way to fix this issue.  The alloca() problem can be fixed without such a limit, but the CPU usage DoS can only be addressed by limiting the size of the key / password passed to the my_crypt_genhash() function.  Changing the hashing itself would not be backwards compatible.  The only question is the actual limit value.

Comment 16 Tomas Hoger 2018-01-15 20:32:00 UTC
This issue was fixed in MySQL 5.6.39 and 5.7.21:

https://dev.mysql.com/doc/relnotes/mysql/5.6/en/news-5-6-39.html
https://dev.mysql.com/doc/relnotes/mysql/5.7/en/news-5-7-21.html

  Incompatible Change: Passwords are now restricted to a maximum of 256
  characters for the sha256_password authentication plugin, and for the
  PASSWORD() function when old_passwords=2. Also, the number of password
  hashing rounds is capped to limit CPU time used. (Bug #27099029,
  Bug #27194270)

Upstream commit:

https://github.com/mysql/mysql-server/commit/475dcde2c7856dd0050b967099a86c087d94f32f
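Added example (not part of this bug report, and not MySQL's my_crypt_genhash() code): a Python transcription of the public SHA-crypt "$5$" algorithm that counts the bytes fed to SHA-256, to show concretely why the hashing cost is driven by the password length (the DP step hashes the password len(password) times, and each of the rounds absorbs roughly two copies of it) and where the limits from the fix sit in front of the hash. The 256-byte password limit is the upstream value from the release note quoted above; the rounds cap MAX_ROUNDS and the choice to clamp rather than reject an over-large rounds value are assumptions made for this example, since the bug does not state MySQL's values. The "Hello world!" / "$5$saltstring" input is the test vector from the SHA-crypt specification.

```python
import hashlib
import re

# Alphabet and constants from the public SHA-crypt specification ($5$ scheme).
B64 = "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"
ROUNDS_DEFAULT = 5000
ROUNDS_MIN = 1000
SALT_MAX = 16
# Limit introduced by the MySQL 5.6.39 / 5.7.21 fix (see the release note).
MAX_PASSWORD_LEN = 256
# ASSUMPTION for this example only: the bug does not give MySQL's rounds cap
# or say whether it clamps or rejects; this example clamps to MAX_ROUNDS.
MAX_ROUNDS = 10000

# Byte order in which the final digest is base64-encoded (from the spec).
_ENCODE_ORDER = [(0, 10, 20), (21, 1, 11), (12, 22, 2), (3, 13, 23), (24, 4, 14),
                 (15, 25, 5), (6, 16, 26), (27, 7, 17), (18, 28, 8), (9, 19, 29)]


def validate_password(password: str) -> bool:
    """The check the fix adds in front of the hash: bound the attacker-chosen
    length before it reaches the hashing loops (and, in C, the alloca())."""
    return len(password.encode()) <= MAX_PASSWORD_LEN


def parse_salt(salt_spec: str):
    """Parse '$5$[rounds=N$]salt' -> (salt bytes, rounds, rounds_custom)."""
    if not salt_spec.startswith("$5$"):
        raise ValueError("not a $5$ salt specification")
    rest = salt_spec[3:]
    rounds, custom = ROUNDS_DEFAULT, False
    m = re.match(r"rounds=(\d+)\$", rest)
    if m:
        custom = True
        rounds = max(ROUNDS_MIN, min(int(m.group(1)), MAX_ROUNDS))  # assumed cap
        rest = rest[m.end():]
    salt = rest.split("$", 1)[0][:SALT_MAX].encode()
    return salt, rounds, custom


def sha256_crypt(password: str, salt_spec: str):
    """Return (hash string, total bytes fed to SHA-256).  The byte count is the
    cost metric: quadratic in len(password) from the DP step, plus roughly
    2 * rounds * len(password) from the main loop."""
    if not validate_password(password):
        raise ValueError(f"password longer than {MAX_PASSWORD_LEN} bytes rejected")
    key = password.encode()
    salt, rounds, custom = parse_salt(salt_spec)
    cost = 0

    def H(*parts: bytes) -> bytes:
        nonlocal cost
        h = hashlib.sha256()
        for p in parts:
            cost += len(p)
            h.update(p)
        return h.digest()

    n = len(key)
    B = H(key, salt, key)
    parts = [key, salt] + [B] * (n // 32) + [B[: n % 32]]
    while n:                       # one copy of B or key per bit of len(key)
        parts.append(B if n & 1 else key)
        n >>= 1
    A = H(*parts)
    DP = H(key * len(key))         # len(key) copies of key: the quadratic step
    P = (DP * (len(key) // 32 + 1))[: len(key)]
    DS = H(salt * (16 + A[0]))
    S = (DS * (len(salt) // 32 + 1))[: len(salt)]
    for i in range(rounds):        # each round absorbs about 2 * len(key) bytes
        parts = [P if i & 1 else A]
        if i % 3:
            parts.append(S)
        if i % 7:
            parts.append(P)
        parts.append(A if i & 1 else P)
        A = H(*parts)

    out = []
    for b2, b1, b0 in _ENCODE_ORDER:
        w = (A[b2] << 16) | (A[b1] << 8) | A[b0]
        for _ in range(4):
            out.append(B64[w & 0x3F])
            w >>= 6
    w = (A[31] << 8) | A[30]
    for _ in range(3):
        out.append(B64[w & 0x3F])
        w >>= 6
    prefix = "$5$" + (f"rounds={rounds}$" if custom else "")
    return prefix + salt.decode() + "$" + "".join(out), cost


if __name__ == "__main__":
    for length in (8, 64, 256):
        _, cost = sha256_crypt("x" * length, "$5$saltstring")
        print(f"password length {length:3d}: {cost:,} bytes hashed")
    try:
        sha256_crypt("x" * 257, "$5$saltstring")
    except ValueError as e:
        print("rejected:", e)
```

Running the block prints the hashed-byte totals for 8-, 64- and 256-byte passwords at the default 5000 rounds and then shows the 257-byte password being refused. The stack-allocation half of the report is not reproduced here; in the C implementation the same length check bounds the alloca() size, which is why a single limit on the password addresses both the CPU exhaustion and the stack problem, as comment 5 argues.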

Comment 17 Tomas Hoger 2018-01-16 22:10:40 UTC
This is now also public via Oracle CPU January 2018:

http://www.oracle.com/technetwork/security-advisory/cpujan2018-3236628.html#AppendixMSQL

Comment 18 errata-xmlrpc 2018-03-26 10:03:09 UTC
This issue has been addressed in the following products:

  Red Hat Software Collections for Red Hat Enterprise Linux 6
  Red Hat Software Collections for Red Hat Enterprise Linux 6.7 EUS
  Red Hat Software Collections for Red Hat Enterprise Linux 7
  Red Hat Software Collections for Red Hat Enterprise Linux 7.3 EUS
  Red Hat Software Collections for Red Hat Enterprise Linux 7.4 EUS

Via RHSA-2018:0587 https://access.redhat.com/errata/RHSA-2018:0587

Comment 19 errata-xmlrpc 2018-03-26 10:14:31 UTC
This issue has been addressed in the following products:

  Red Hat Software Collections for Red Hat Enterprise Linux 6
  Red Hat Software Collections for Red Hat Enterprise Linux 6.7 EUS
  Red Hat Software Collections for Red Hat Enterprise Linux 7
  Red Hat Software Collections for Red Hat Enterprise Linux 7.3 EUS
  Red Hat Software Collections for Red Hat Enterprise Linux 7.4 EUS

Via RHSA-2018:0586 https://access.redhat.com/errata/RHSA-2018:0586

