I found a vulnerability in MariaDB where it is possible to influence the state of the random number generator for another user’s session. This random number generator is also used for password authentication, making it possible to perform replay attacks by fixing the “random” data.

Vulnerability

MariaDB has a random number generator that keeps two state variables, rand_seed1 and rand_seed2. These can be changed by the user using the following SQL query:

MariaDB> SET SESSION rand_seed1 = 123, rand_seed2 = 456;

Even though this says SESSION to indicate these are session variables, these variables were actually specific to the thread and not to the session. This means that one user can set the state of the random number generator on a thread, and then the connection that subsequently uses that thread has this state of the random number generator. So it is possible to set the state of the random number generator for other connections, even when these connections are made by other users.

Impact

This is especially interesting in shared hosting environments, where there are multiple users on the same database. If an application uses RAND() to determine some secret or shuffle some records, another user can influence that by setting the seeds on all threads.

Furthermore, this same random number generator is used in the authentication mechanism. When using password authentication, the password is scrambled using random data. If an attacker fixes this random data by setting the seeds, they can record and replay an actual authentication exchange to gain access to the MariaDB server.

Timeline

I found and reported this issue in December 2023. It was fixed quickly by reinitializing the random number generator on each connection. Versions of MariaDB released in February 2024 contains this fix.

Read more