what you don't know can hurt you

MySQL SSL / TLS Downgrade

MySQL SSL / TLS Downgrade
Posted Apr 29, 2015
Authored by Andrea Barisani, Open Source CERT, Adam Goodman

A vulnerability has been reported concerning the impossibility for MySQL users (with any major stable version) to enforce an effective SSL/TLS connection that would be immune from man-in-the-middle (MITM) attacks performing a malicious downgrade. Versions 5.7.2 and below are affected.

tags | advisory
advisories | CVE-2015-3152
MD5 | a6136100e6e6ea5f0710410938e328f3

MySQL SSL / TLS Downgrade

Change Mirror Download

#2015-003 MySQL SSL/TLS downgrade

Description:

The MySQL project is an open source relational database management system.

A vulnerability has been reported concerning the impossibility for MySQL users
(with any major stable version) to enforce an effective SSL/TLS connection
that would be immune from man-in-the-middle (MITM) attacks performing a
malicious downgrade.

While the issue has been addressed in MySQL preview release 5.7.3 in December
2013, it is perceived that the majority of MySQL users are not aware of this
limitation and that the issue should be treated as a vulnerability.

The vulnerability lies within the behaviour of the '--ssl' client option,
which on affected versions it is being treated as "advisory". Therefore while
the option would attempt an SSL/TLS connection to be initiated towards a
server, it would not actually require it. This allows a MITM attack to
transparently "strip" the SSL/TLS protection.

The issue affects the ssl client option whether used directly or triggered
automatically by the use of other ssl options ('--ssl-xxx') that imply
'--ssl'.

Such behavior is clearly indicated in MySQL reference manual as follows:

For the server, this option specifies that the server permits but does not require
SSL connections.

For a client program, this option permits but does not require the client to
connect to the server using SSL. Therefore, this option is not sufficient in
itself to cause an SSL connection to be used. For example, if you specify this
option for a client program but the server has not been configured to permit
SSL connections, an unencrypted connection is used.

In a similar manner to the new '--ssl' option behaviour, users of the MySQL
client library (Connector/C, libmysqlclient), as of MySQL 5.7.3, can take
advantage of the MYSQL_OPT_SSL_ENFORCE option to enforce SSL/TLS connections.

The vulnerability also affects the MySQL forks MariaDB and Percona Server, as
the relevant 5.7.3 patch has not been pulled, at the time of this advisory, in
their respective stable versions.

Affected version:

MySQL <= 5.7.2

MySQl Connector/C (libmysqlclient) < 6.1.3

Percona Server, all versions

MariaDB, all versions

Fixed version:

MySQL >= 5.7.3

MySQl Connector/C (libmysqlclient) >= 6.1.3

Percona Server, N/A

MariaDB, N/A

Credit: vulnerability report from Adam Goodman, Principal Security Architect
at Duo Security.

CVE: CVE-2015-3152 (MariaDB, Percona)

Timeline:

2015-03-20: vulnerability report received
2015-03-23: contacted Oracle Security
2015-04-04: oCERT sets embargo date to April 29th
2015-04-20: reporter confirms MariaDB is affected
2015-04-22: contacted MariaDB and affected vendors, assigned CVEs
2015-04-23: contacted Percona
2015-04-29: advisory release

References:
https://github.com/mysql/mysql-server/commit/3bd5589e1a5a93f9c224badf983cd65c45215390
http://mysqlblog.fivefarmers.com/2014/04/02/redefining-ssl-option
http://dev.mysql.com/doc/relnotes/mysql/5.7/en/news-5-7-3.html
https://mariadb.atlassian.net/browse/MDEV-7937
https://bugs.launchpad.net/percona-server/+bug/1447527

Permalink:
http://www.ocert.org/advisories/ocert-2015-003.html

--
Andrea Barisani | Founder & Project Coordinator
oCERT | OSS Computer Security Incident Response Team

<lcars@ocert.org> http://www.ocert.org
0x864C9B9E 0A76 074A 02CD E989 CE7F AC3F DA47 578E 864C 9B9E
"Pluralitas non est ponenda sine necessitate"
Login or Register to add favorites

File Archive:

April 2021

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Apr 1st
    17 Files
  • 2
    Apr 2nd
    2 Files
  • 3
    Apr 3rd
    2 Files
  • 4
    Apr 4th
    0 Files
  • 5
    Apr 5th
    15 Files
  • 6
    Apr 6th
    15 Files
  • 7
    Apr 7th
    20 Files
  • 8
    Apr 8th
    16 Files
  • 9
    Apr 9th
    5 Files
  • 10
    Apr 10th
    0 Files
  • 11
    Apr 11th
    0 Files
  • 12
    Apr 12th
    4 Files
  • 13
    Apr 13th
    0 Files
  • 14
    Apr 14th
    0 Files
  • 15
    Apr 15th
    0 Files
  • 16
    Apr 16th
    0 Files
  • 17
    Apr 17th
    0 Files
  • 18
    Apr 18th
    0 Files
  • 19
    Apr 19th
    0 Files
  • 20
    Apr 20th
    0 Files
  • 21
    Apr 21st
    0 Files
  • 22
    Apr 22nd
    0 Files
  • 23
    Apr 23rd
    0 Files
  • 24
    Apr 24th
    0 Files
  • 25
    Apr 25th
    0 Files
  • 26
    Apr 26th
    0 Files
  • 27
    Apr 27th
    0 Files
  • 28
    Apr 28th
    0 Files
  • 29
    Apr 29th
    0 Files
  • 30
    Apr 30th
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2020 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close