Summary: | dev-db/mysql: incorrect enforcement of ssl-mode=REQUIRED in MySQL 5.5 and 5.6 | ||
---|---|---|---|
Product: | Gentoo Security | Reporter: | Agostino Sarubbo <ago> |
Component: | Vulnerabilities | Assignee: | Gentoo Security <security> |
Status: | RESOLVED OBSOLETE | ||
Severity: | normal | CC: | mysql-bugs |
Priority: | Normal | ||
Version: | unspecified | ||
Hardware: | All | ||
OS: | Linux | ||
URL: | http://www.openwall.com/lists/oss-security/2017/03/17/3 | ||
See Also: | https://bugs.gentoo.org/show_bug.cgi?id=548132 | ||
Whiteboard: | A3 [ebuild/upstream cve] | ||
Package list: | Runtime testing required: | --- | |
Bug Depends on: | |||
Bug Blocks: | 625626 |
Description
Agostino Sarubbo
2017-03-17 14:53:08 UTC
Oracle implemented enforcement of ssl-mode=REQUIRED in response to CVE-2015-3152 which is bug 548132. However, the backport for 5.5.49 and 5.6.30 release is flawed: It was found that MySQL client when specified to use SSL/TLS mode is authenticating to MySQL server not supporting SSL/TLS, client will fallback to plain text protocol used for authentication. After successful authentication client checks if SSL/TLS layer is required and if server doesn't support it, client will close the connection with error. Active MITM attacker can downgrade SSL/TLS to plain text and forward nonce from server back to client. MITM attacker receive login data (for server nonce) from client and send it to server to authenticate as client. This issue is present in libmysqlclient.so in 5.5 and 5.6 versions. External References: http://riddle.link/ Maintainers please confirm that this is fixed in Bug # 625626 Lets try this again: Maintainers please confirm that this is fixed in Bug # 625626 Ping, please confirm if we are still vulnerable. There is at least nothing left to do for us: By default, Mysql still defaults to plaintext and downgrade to plaintext is still possible. If you want to prevent downgrades you must set desired --ssl-mode. Application linked against libmysql must do the same via API which is available in >5.7. |