Date: Wed, 3 May 2017 19:10:52 +0200 From: Pali Rohár <pali.rohar@...il.com> To: oss-security@...ts.openwall.com Subject: Re: MySQL - Again Riddle vulnerability (public disclosure) On Wednesday 03 May 2017 18:23:09 Pali Rohár wrote: > Hi! > > The Riddle vulnerability (CVE-2017-3305) we have it there again. > > So what happened? > > In 2015 was discovered BACKRONYM vulnerability (CVE-2015-3152) which > allowed an attacker to downgrade and snoop on the SSL encrypted > connection between MySQL client and server. Oracle claimed it was > fixed in MySQL 5.5.49. Later in February 2017 I discovered The > Riddle vulnerability (CVE-2017-3305) which allowed an attacker to do > man in the middle attack. Oracle claimed it was fixed in MySQL > 5.5.55. > > And now in April 2017 I found out that it is still not fixed in MySQL > 5.5.55 properly and I named this defect Again Riddle. Basically fix > for The Riddle in 5.5.55 introduced Again Riddle. > > And what is the problem? > > If MySQL client library libmysqlclient.so is compiled from source > code without SSL support via cmake switch -DWITH_SSL=OFF, then all > SSL related functions from libmysqlclient.so return success > (non-error) value. And function mysql_real_connect() from > libmysqlclient.so connects to MySQL server via plain text protocol, > even if client enforced SSL mode with certificate verification. > Which means that function for enforcing SSL mode does nothing if > libmysqlclient.so is compiled without SSL support. So attacker can > do exactly same what for The Riddle vulnerability. > > So every application which links to libmysqlclient.so and require SSL > encryption of MySQL protocol is affected. > > I contacted Oracle, MariaDB and Percona security teams about this > problem and after discussion we scheduled public disclosure to May 3. > > Oracle decided that this Again Riddle vulnerability would not have > CVE identifier and would be part of original The Riddle > vulnerability CVE-2017-3305. > > I'm not sure if this is correct decision, as MariaDB 5.5 was not > affected by The Riddle vulnerability, but is affected by Again > Riddle. > > I was told that prebuild binaries are not affected as they are > compiled with SSL support, but lot of distributions compile > libraries from source code by their own which means they could be > affected. > > I prepared POC program written in C to verify if system installed > libmysqlclient.so library is vulnerable or not. You can find it on > the new Again Riddle website together with some Q&A: > > http://again.riddle.link/ Yesterday Oracle released new MySQL 5.5.56 which disable compilation without SSL support, just to address this issue. So it is not possible to compile MySQL without SSL support anymore. -- Pali Rohár pali.rohar@...il.com Download attachment "signature.asc " of type "application/pgp-signature" (199 bytes)
Powered by blists - more mailing lists
Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.
Powered by Openwall GNU/*/Linux - Powered by OpenVZ