Openwall GNU/*/Linux - a small security-enhanced Linux distro for servers
[<prev] [next>] [<thread-prev] [day] [month] [year] [list]
Date: Wed, 3 May 2017 19:10:52 +0200
From: Pali Rohár <pali.rohar@...il.com>
To: oss-security@...ts.openwall.com
Subject: Re: MySQL - Again Riddle vulnerability (public disclosure)

On Wednesday 03 May 2017 18:23:09 Pali Rohár wrote:
> Hi!
> 
> The Riddle vulnerability (CVE-2017-3305) we have it there again.
> 
> So what happened?
> 
> In 2015 was discovered BACKRONYM vulnerability (CVE-2015-3152) which
> allowed an attacker to downgrade and snoop on the SSL encrypted
> connection between MySQL client and server. Oracle claimed it was
> fixed in MySQL 5.5.49. Later in February 2017 I discovered The
> Riddle vulnerability (CVE-2017-3305) which allowed an attacker to do
> man in the middle attack. Oracle claimed it was fixed in MySQL
> 5.5.55.
> 
> And now in April 2017 I found out that it is still not fixed in MySQL
> 5.5.55 properly and I named this defect Again Riddle. Basically fix
> for The Riddle in 5.5.55 introduced Again Riddle.
> 
> And what is the problem?
> 
> If MySQL client library libmysqlclient.so is compiled from source
> code without SSL support via cmake switch -DWITH_SSL=OFF, then all
> SSL related functions from libmysqlclient.so return success
> (non-error) value. And function mysql_real_connect() from
> libmysqlclient.so connects to MySQL server via plain text protocol,
> even if client enforced SSL mode with certificate verification.
> Which means that function for enforcing SSL mode does nothing if
> libmysqlclient.so is compiled without SSL support. So attacker can
> do exactly same what for The Riddle vulnerability.
> 
> So every application which links to libmysqlclient.so and require SSL
> encryption of MySQL protocol is affected.
> 
> I contacted Oracle, MariaDB and Percona security teams about this
> problem and after discussion we scheduled public disclosure to May 3.
> 
> Oracle decided that this Again Riddle vulnerability would not have
> CVE identifier and would be part of original The Riddle
> vulnerability CVE-2017-3305.
> 
> I'm not sure if this is correct decision, as MariaDB 5.5 was not
> affected by The Riddle vulnerability, but is affected by Again
> Riddle.
> 
> I was told that prebuild binaries are not affected as they are
> compiled with SSL support, but lot of distributions compile
> libraries from source code by their own which means they could be
> affected.
> 
> I prepared POC program written in C to verify if system installed
> libmysqlclient.so library is vulnerable or not. You can find it on
> the new Again Riddle website together with some Q&A:
> 
> http://again.riddle.link/

Yesterday Oracle released new MySQL 5.5.56 which disable compilation 
without SSL support, just to address this issue.

So it is not possible to compile MySQL without SSL support anymore.

-- 
Pali Rohár
pali.rohar@...il.com

[ CONTENT OF TYPE application/pgp-signature SKIPPED ]

Powered by blists - more mailing lists

Your e-mail address:

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Powered by Openwall GNU/*/Linux - Powered by OpenVZ