
Bug 612922 (CVE-2017-3305)

Summary: dev-db/mysql: incorrect enforcement of ssl-mode=REQUIRED in MySQL 5.5 and 5.6
Product: Gentoo Security
Reporter: Agostino Sarubbo <ago>
Component: Vulnerabilities
Assignee: Gentoo Security <security>
Status: RESOLVED OBSOLETE
Severity: normal
CC: mysql-bugs
Priority: Normal
Version: unspecified
Hardware: All
OS: Linux
URL: http://www.openwall.com/lists/oss-security/2017/03/17/3
See Also: https://bugs.gentoo.org/show_bug.cgi?id=548132
Whiteboard: A3 [ebuild/upstream cve]
Package list:
Runtime testing required: ---
Bug Depends on:
Bug Blocks: 625626

Description Agostino Sarubbo gentoo-dev 2017-03-17 14:53:08 UTC
From ${URL} :

There is a new vulnerability in MySQL client versions 5.5 and 5.6 which is related to SSL/TLS encryption and to the older BACKRONYM vulnerability.

As is common, a new vulnerability should have a name, logo and website. So enjoy the *Riddle* at http://riddle.link/

Affected are only Oracle's MySQL clients in all versions 5.5 and 5.6 when SSL/TLS encryption is used. Verification of the encryption parameters and of the existence of the SSL/TLS layer by the MySQL client is done *after* the client successfully finishes authentication.

For more details including mitigation, look at the Technical section on the vulnerability website: http://riddle.link/


@maintainer(s): after the bump, in case we need to stabilize the package, please let us know if it is ready for the stabilization or not.
Comment 1 Thomas Deutschmann (RETIRED) gentoo-dev 2017-03-17 22:43:15 UTC
Oracle implemented enforcement of ssl-mode=REQUIRED in response to CVE-2015-3152, which is bug 548132. However, the backport to the 5.5.49 and 5.6.30 releases is flawed:

It was found that when the MySQL client, configured to use SSL/TLS mode, authenticates to a MySQL server that does not support SSL/TLS, the client falls back to the plain-text protocol for authentication. After successful authentication the client checks whether the SSL/TLS layer is required and, if the server doesn't support it, closes the connection with an error.

An active MITM attacker can downgrade SSL/TLS to plain text and forward the nonce from the server back to the client. The MITM attacker receives the login data (for the server nonce) from the client and sends it to the server to authenticate as the client.

This issue is present in libmysqlclient.so in 5.5 and 5.6 versions.

External References:

http://riddle.link/
Comment 2 Yury German Gentoo Infrastructure gentoo-dev 2017-08-15 04:40:08 UTC
Maintainers, please confirm that this is fixed in bug #625626.
Comment 3 Yury German Gentoo Infrastructure gentoo-dev 2017-09-04 01:28:10 UTC
Let's try this again:
Maintainers, please confirm that this is fixed in bug #625626.
Comment 4 John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2021-01-25 05:05:58 UTC
Ping, please confirm if we are still vulnerable.
Comment 5 Thomas Deutschmann (RETIRED) gentoo-dev 2021-01-25 15:32:28 UTC
There is at least nothing left to do for us:

By default, MySQL still defaults to plaintext, and a downgrade to plaintext is still possible.
If you want to prevent downgrades, you must set the desired --ssl-mode.

Applications linked against libmysql must do the same via the API, which is available in >5.7.
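As an added example (not part of this bug report or of MySQL), here is a small audit of a MySQL client option file for the --ssl-mode setting that comment 5 says is needed to prevent the plaintext downgrade. It parses the [client] group, treats a missing ssl-mode as the PREFERRED default, and flags anything weaker than REQUIRED; the sample option files and the /etc/mysql/ca.pem path are constructed.

```python
import configparser
from io import StringIO

# Strictness ranking of MySQL --ssl-mode values (5.7+ option). Anything below
# REQUIRED lets the client fall back to plaintext, which is the downgrade the
# Riddle / CVE-2017-3305 report describes.
SSL_MODE_RANK = {
    "DISABLED": 0,
    "PREFERRED": 1,  # implicit default when ssl-mode is not set
    "REQUIRED": 2,
    "VERIFY_CA": 3,
    "VERIFY_IDENTITY": 4,
}

def parse_option_file(text):
    """Parse a MySQL option file. Option files allow bare flags (e.g. 'ssl')
    and treat '-' and '_' in option names as equivalent, so normalise to '-'."""
    cp = configparser.ConfigParser(allow_no_value=True, strict=False,
                                   interpolation=None)
    cp.optionxform = lambda name: name.strip().lower().replace("_", "-")
    cp.read_file(StringIO(text))
    return cp

def effective_ssl_mode(cp, group="client"):
    """ssl-mode the given option group would use; PREFERRED when unset."""
    if cp.has_section(group) and cp.has_option(group, "ssl-mode"):
        value = cp.get(group, "ssl-mode")
        return None if value is None else value.strip().strip('"').upper()
    return "PREFERRED"

def audit_ssl_mode(text, group="client"):
    """Return (ok, finding). ok is True only when ssl-mode is REQUIRED or
    stricter, so the client refuses a server that offers no TLS instead of
    silently falling back to plaintext."""
    mode = effective_ssl_mode(parse_option_file(text), group)
    if mode not in SSL_MODE_RANK:
        return False, f"[{group}] ssl-mode={mode!r} is not a recognised value"
    if SSL_MODE_RANK[mode] < SSL_MODE_RANK["REQUIRED"]:
        return False, f"[{group}] ssl-mode={mode} permits plaintext fallback"
    return True, f"[{group}] ssl-mode={mode} refuses plaintext fallback"

# Constructed sample option files (hypothetical paths), not from the report.
WEAK_CONFIG = "[client]\nuser = app\nssl-ca = /etc/mysql/ca.pem\n"  # no ssl-mode
HARDENED_CONFIG = WEAK_CONFIG + "ssl_mode = VERIFY_CA\n"

if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        ok, finding = audit_ssl_mode(cfg)
        print(f"{name}: {'OK' if ok else 'FINDING'} - {finding}")
```

Note that ssl-ca alone does not help here: without ssl-mode the client still defaults to PREFERRED and can be downgraded.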