Re: MySQL - Again Riddle vulnerability (public disclosure)

[Pali Rohár <pali.rohar () gmail com>]

On Wednesday 03 May 2017 18:23:09 Pali Rohár wrote:
> Hi!
>
> The Riddle vulnerability (CVE-2017-3305) we have it there again.
>
> So what happened?
>
> In 2015 was discovered BACKRONYM vulnerability (CVE-2015-3152) which
> allowed an attacker to downgrade and snoop on the SSL encrypted
> connection between MySQL client and server. Oracle claimed it was
> fixed in MySQL 5.5.49. Later in February 2017 I discovered The
> Riddle vulnerability (CVE-2017-3305) which allowed an attacker to do
> man in the middle attack. Oracle claimed it was fixed in MySQL
> 5.5.55.
>
> And now in April 2017 I found out that it is still not fixed in MySQL
> 5.5.55 properly and I named this defect Again Riddle. Basically fix
> for The Riddle in 5.5.55 introduced Again Riddle.
>
> And what is the problem?
>
> If MySQL client library libmysqlclient.so is compiled from source
> code without SSL support via cmake switch -DWITH_SSL=OFF, then all
> SSL related functions from libmysqlclient.so return success
> (non-error) value. And function mysql_real_connect() from
> libmysqlclient.so connects to MySQL server via plain text protocol,
> even if client enforced SSL mode with certificate verification.
> Which means that function for enforcing SSL mode does nothing if
> libmysqlclient.so is compiled without SSL support. So attacker can
> do exactly same what for The Riddle vulnerability.
>
> So every application which links to libmysqlclient.so and require SSL
> encryption of MySQL protocol is affected.
>
> I contacted Oracle, MariaDB and Percona security teams about this
> problem and after discussion we scheduled public disclosure to May 3.
>
> Oracle decided that this Again Riddle vulnerability would not have
> CVE identifier and would be part of original The Riddle
> vulnerability CVE-2017-3305.
>
> I'm not sure if this is correct decision, as MariaDB 5.5 was not
> affected by The Riddle vulnerability, but is affected by Again
> Riddle.
>
> I was told that prebuild binaries are not affected as they are
> compiled with SSL support, but lot of distributions compile
> libraries from source code by their own which means they could be
> affected.
>
> I prepared POC program written in C to verify if system installed
> libmysqlclient.so library is vulnerable or not. You can find it on
> the new Again Riddle website together with some Q&A:
>
> http://again.riddle.link/

Yesterday Oracle released new MySQL 5.5.56 which disable compilation 
without SSL support, just to address this issue.

So it is not possible to compile MySQL without SSL support anymore.

-- 
Pali Rohár
pali.rohar () gmail com

Attachment: signature.asc
Description: This is a digitally signed message part.