Red Hat Bugzilla – Bug 1509475
CVE-2018-2696 mysql: sha256_password authentication DoS via long password
Last modified: 2018-03-26 07:30:25 EDT
It was discovered that the MySQL's sha256_password authentication plugin did not restrict the length password received from authenticating client before passing it to the my_crypt_genhash() function. This function implements SHA256 crypt password hashing algorithm that can also be used for hashing passwords in /etc/shadow on Linux systems. The algorithm is computationally intensive, and an excessively long passwords cause mysqld thread handling specific connection to consume all available CPU time. Additionally, the algorithm implementation in MySQL uses alloca() for memory allocation, which does not protect against stack overflow, possibly leading to memory corruption, process crash, and potentially code execution. Note that this issue affects deployments where non-default sha256_password authentication is configured for some or all database users.
Acknowledgments: Name: Red Hat Product Security
Created attachment 1348482 [details] Proposed fix I believe setting arbitrary password length limit is the way to fix this issue. The alloca() problem can be fixed without such limit, but the CPU usage DoS can only be addressed by limiting the size of the key / password passed to the my_crypt_genhash() function. Changing the hashing itself would not be backwards compatible. The only question is the actual limit value.
This issue was fixed in MySQL 5.6.39 and 5.7.21: https://dev.mysql.com/doc/relnotes/mysql/5.6/en/news-5-6-39.html https://dev.mysql.com/doc/relnotes/mysql/5.7/en/news-5-7-21.html Incompatible Change: Passwords are now restricted to a maximum of 256 characters for the sha256_password authentication plugin, and for the PASSWORD() function when old_passwords=2. Also, the number of password hashing rounds is capped to limit CPU time used. (Bug #27099029, Bug #27194270) Upstream commit: https://github.com/mysql/mysql-server/commit/475dcde2c7856dd0050b967099a86c087d94f32f
This is now also public via Oracle CPU January 2018: http://www.oracle.com/technetwork/security-advisory/cpujan2018-3236628.html#AppendixMSQL
This issue has been addressed in the following products: Red Hat Software Collections for Red Hat Enterprise Linux 6 Red Hat Software Collections for Red Hat Enterprise Linux 6.7 EUS Red Hat Software Collections for Red Hat Enterprise Linux 7 Red Hat Software Collections for Red Hat Enterprise Linux 7.3 EUS Red Hat Software Collections for Red Hat Enterprise Linux 7.4 EUS Via RHSA-2018:0587 https://access.redhat.com/errata/RHSA-2018:0587
This issue has been addressed in the following products: Red Hat Software Collections for Red Hat Enterprise Linux 6 Red Hat Software Collections for Red Hat Enterprise Linux 6.7 EUS Red Hat Software Collections for Red Hat Enterprise Linux 7 Red Hat Software Collections for Red Hat Enterprise Linux 7.3 EUS Red Hat Software Collections for Red Hat Enterprise Linux 7.4 EUS Via RHSA-2018:0586 https://access.redhat.com/errata/RHSA-2018:0586