Date: Wed, 3 May 2017 18:23:09 +0200 From: Pali Rohár <pali.rohar@...il.com> To: oss-security@...ts.openwall.com Subject: MySQL - Again Riddle vulnerability (public disclosure) Hi! The Riddle vulnerability (CVE-2017-3305) we have it there again. So what happened? In 2015 was discovered BACKRONYM vulnerability (CVE-2015-3152) which allowed an attacker to downgrade and snoop on the SSL encrypted connection between MySQL client and server. Oracle claimed it was fixed in MySQL 5.5.49. Later in February 2017 I discovered The Riddle vulnerability (CVE-2017-3305) which allowed an attacker to do man in the middle attack. Oracle claimed it was fixed in MySQL 5.5.55. And now in April 2017 I found out that it is still not fixed in MySQL 5.5.55 properly and I named this defect Again Riddle. Basically fix for The Riddle in 5.5.55 introduced Again Riddle. And what is the problem? If MySQL client library libmysqlclient.so is compiled from source code without SSL support via cmake switch -DWITH_SSL=OFF, then all SSL related functions from libmysqlclient.so return success (non-error) value. And function mysql_real_connect() from libmysqlclient.so connects to MySQL server via plain text protocol, even if client enforced SSL mode with certificate verification. Which means that function for enforcing SSL mode does nothing if libmysqlclient.so is compiled without SSL support. So attacker can do exactly same what for The Riddle vulnerability. So every application which links to libmysqlclient.so and require SSL encryption of MySQL protocol is affected. I contacted Oracle, MariaDB and Percona security teams about this problem and after discussion we scheduled public disclosure to May 3. Oracle decided that this Again Riddle vulnerability would not have CVE identifier and would be part of original The Riddle vulnerability CVE-2017-3305. I'm not sure if this is correct decision, as MariaDB 5.5 was not affected by The Riddle vulnerability, but is affected by Again Riddle. I was told that prebuild binaries are not affected as they are compiled with SSL support, but lot of distributions compile libraries from source code by their own which means they could be affected. I prepared POC program written in C to verify if system installed libmysqlclient.so library is vulnerable or not. You can find it on the new Again Riddle website together with some Q&A: http://again.riddle.link/ -- Pali Rohár pali.rohar@...il.com [ CONTENT OF TYPE application/pgp-signature SKIPPED ]
Powered by blists - more mailing lists
Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.
Powered by Openwall GNU/*/Linux - Powered by OpenVZ