Date: Wed, 3 May 2017 19:10:52 +0200 From: Pali Rohár <pali.rohar@...il.com> To: oss-security@...ts.openwall.com Subject: Re: MySQL - Again Riddle vulnerability (public disclosure) On Wednesday 03 May 2017 18:23:09 Pali Rohár wrote: > Hi! > > The Riddle vulnerability (CVE-2017-3305) we have it there again. > > So what happened? > > In 2015 was discovered BACKRONYM vulnerability (CVE-2015-3152) which > allowed an attacker to downgrade and snoop on the SSL encrypted > connection between MySQL client and server. Oracle claimed it was > fixed in MySQL 5.5.49. Later in February 2017 I discovered The > Riddle vulnerability (CVE-2017-3305) which allowed an attacker to do > man in the middle attack. Oracle claimed it was fixed in MySQL > 5.5.55. > > And now in April 2017 I found out that it is still not fixed in MySQL > 5.5.55 properly and I named this defect Again Riddle. Basically fix > for The Riddle in 5.5.55 introduced Again Riddle. > > And what is the problem? > > If MySQL client library libmysqlclient.so is compiled from source > code without SSL support via cmake switch -DWITH_SSL=OFF, then all > SSL related functions from libmysqlclient.so return success > (non-error) value. And function mysql_real_connect() from > libmysqlclient.so connects to MySQL server via plain text protocol, > even if client enforced SSL mode with certificate verification. > Which means that function for enforcing SSL mode does nothing if > libmysqlclient.so is compiled without SSL support. So attacker can > do exactly same what for The Riddle vulnerability. > > So every application which links to libmysqlclient.so and require SSL > encryption of MySQL protocol is affected. > > I contacted Oracle, MariaDB and Percona security teams about this > problem and after discussion we scheduled public disclosure to May 3. > > Oracle decided that this Again Riddle vulnerability would not have > CVE identifier and would be part of original The Riddle > vulnerability CVE-2017-3305. > > I'm not sure if this is correct decision, as MariaDB 5.5 was not > affected by The Riddle vulnerability, but is affected by Again > Riddle. > > I was told that prebuild binaries are not affected as they are > compiled with SSL support, but lot of distributions compile > libraries from source code by their own which means they could be > affected. > > I prepared POC program written in C to verify if system installed > libmysqlclient.so library is vulnerable or not. You can find it on > the new Again Riddle website together with some Q&A: > > http://again.riddle.link/ Yesterday Oracle released new MySQL 5.5.56 which disable compilation without SSL support, just to address this issue. So it is not possible to compile MySQL without SSL support anymore. -- Pali Rohár pali.rohar@...il.com Download attachment "signature.asc " of type "application/pgp-signature" (199 bytes)
Powered by blists - more mailing lists
Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.
Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.