SecurityTracker.com
Keep Track of the Latest Vulnerabilities
with SecurityTracker!
    Home    |    View Topics    |    Search    |    Contact Us    |   

SecurityTracker
Archives


 
Sign Up
Sign Up for Your FREE Weekly SecurityTracker E-mail Alert Summary
Instant Alerts
Buy our Premium Vulnerability Notification Service to receive customized, instant alerts
Affiliates
Put SecurityTracker Vulnerability Alerts on Your Web Site -- It's Free!
Partners
Become a Partner and License Our Database or Notification Service
Report a Bug
Report a vulnerability that you have found to SecurityTracker
bugs
@
securitytracker.com






Category:   Application (Database)  >   MySQL Vendors:   MySQL.com, Oracle
MySQL '--ssl' Client Option Lets Remote Users Downgrade SSL/TLS Connections
SecurityTracker Alert ID:  1032216
SecurityTracker URL:  http://securitytracker.com/id/1032216
CVE Reference:   CVE-2015-3152   (Links to External Site)
Updated:  Jul 12 2015
Original Entry Date:  Apr 29 2015
Impact:   Disclosure of system information, Disclosure of user information, Modification of system information, Modification of user information
Fix Available:  Yes  Vendor Confirmed:  Yes  
Version(s): 5.7.2 and prior
Description:   A vulnerability was reported in MySQL. A remote user can downgrade SSL connections.

The '--ssl' client option does not require SSL/TLS protection. A remote user with the ability to conduct a man-in-the-middle attack can force an SSL/TLS connection to downgrade to a weaker algorithm and potentially obtain and modify sensitive information.

[Editor's note: This behavior is noted in the manual.]

MariaDB and Percona Server are also affected.

The original advisories are available at:

http://www.ocert.org/advisories/ocert-2015-003.html
https://www.duosecurity.com/blog/backronym-mysql-vulnerability

Adam Goodman, Principal Security Architect at Duo Security, reported this vulnerability via oCERT.

Impact:   A remote user can decrypt and modify information via downgraded SSL connections.
Solution:   The vendor has issued a fix (5.7.3) [in December 2013; however, the CVE number was assigned in April 2015 to call attention to the vulnerability.]

The fixed version also includes a 'MYSQL_OPT_SSL_ENFORCE' option to enforce SSL/TLS connections.

On July 9 and July 10, 2015, the vendor added several fixed versions (5.4.43, 5.5.27, 5.6.11).

The vendor's advisories are available at:

http://dev.mysql.com/doc/relnotes/mysql/5.7/en/news-5-7-3.html
http://php.net/ChangeLog-5.php#5.6.11
http://php.net/ChangeLog-5.php#5.5.27
http://php.net/ChangeLog-5.php#5.4.43

Vendor URL:  dev.mysql.com/doc/relnotes/mysql/5.7/en/news-5-7-3.html (Links to External Site)
Cause:   Access control error, State error
Underlying OS:  Linux (Any), UNIX (Any), Windows (Any)

Message History:   None.


 Source Message Contents

Date:  Wed, 29 Apr 2015 16:00:58 +0200
Subject:  [oCERT-2015-003] MySQL SSL/TLS downgrade


#2015-003 MySQL SSL/TLS downgrade

Description:

The MySQL project is an open source relational database management system.

A vulnerability has been reported concerning the impossibility for MySQL users
(with any major stable version) to enforce an effective SSL/TLS connection
that would be immune from man-in-the-middle (MITM) attacks performing a
malicious downgrade.

While the issue has been addressed in MySQL preview release 5.7.3 in December
2013, it is perceived that the majority of MySQL users are not aware of this
limitation and that the issue should be treated as a vulnerability.

The vulnerability lies within the behaviour of the '--ssl' client option,
which on affected versions it is being treated as "advisory". Therefore while
the option would attempt an SSL/TLS connection to be initiated towards a
server, it would not actually require it. This allows a MITM attack to
transparently "strip" the SSL/TLS protection.

The issue affects the ssl client option whether used directly or triggered
automatically by the use of other ssl options ('--ssl-xxx') that imply
'--ssl'.

Such behavior is clearly indicated in MySQL reference manual as follows:

  For the server, this option specifies that the server permits but does not require
  SSL connections.

  For a client program, this option permits but does not require the client to
  connect to the server using SSL. Therefore, this option is not sufficient in
  itself to cause an SSL connection to be used. For example, if you specify this
  option for a client program but the server has not been configured to permit
  SSL connections, an unencrypted connection is used.

In a similar manner to the new '--ssl' option behaviour, users of the MySQL
client library (Connector/C, libmysqlclient), as of MySQL 5.7.3, can take
advantage of the MYSQL_OPT_SSL_ENFORCE option to enforce SSL/TLS connections.

The vulnerability also affects the MySQL forks MariaDB and Percona Server, as
the relevant 5.7.3 patch has not been pulled, at the time of this advisory, in
their respective stable versions.

Affected version:

MySQL <= 5.7.2

MySQl Connector/C (libmysqlclient) < 6.1.3

Percona Server, all versions

MariaDB, all versions

Fixed version:

MySQL >= 5.7.3

MySQl Connector/C (libmysqlclient) >= 6.1.3

Percona Server, N/A

MariaDB, N/A

Credit: vulnerability report from Adam Goodman, Principal Security Architect
at Duo Security.

CVE: CVE-2015-3152 (MariaDB, Percona)

Timeline:

2015-03-20: vulnerability report received
2015-03-23: contacted Oracle Security
2015-04-04: oCERT sets embargo date to April 29th
2015-04-20: reporter confirms MariaDB is affected
2015-04-22: contacted MariaDB and affected vendors, assigned CVEs
2015-04-23: contacted Percona
2015-04-29: advisory release

References:
https://github.com/mysql/mysql-server/commit/3bd5589e1a5a93f9c224badf983cd65c45215390
http://mysqlblog.fivefarmers.com/2014/04/02/redefining-ssl-option
http://dev.mysql.com/doc/relnotes/mysql/5.7/en/news-5-7-3.html
https://mariadb.atlassian.net/browse/MDEV-7937
https://bugs.launchpad.net/percona-server/+bug/1447527

Permalink:
http://www.ocert.org/advisories/ocert-2015-003.html

-- 
Andrea Barisani |                Founder & Project Coordinator
          oCERT | OSS Computer Security Incident Response Team

<lcars@ocert.org>                         http://www.ocert.org
 0x864C9B9E 0A76 074A 02CD E989 CE7F AC3F DA47 578E 864C 9B9E
        "Pluralitas non est ponenda sine necessitate"
 
 


Go to the Top of This SecurityTracker Archive Page





Home   |    View Topics   |    Search   |    Contact Us

Copyright 2017, SecurityGlobal.net LLC