“MySQL client leaks
like a riddle again”
Again Riddle is a security vulnerability found in Oracle's MySQL client database libraries and their forks (like MariaDB or Percona). The vulnerability allows an attacker to use again
man riddle in the middle for breaking SSL configured connection between MySQL server and client application.
Looks like yes. The Riddle vulnerability strikes back and is there Again. So this new vulnerability is called Again Riddle.
In 2015 Adam Goodman discovered BACKRONYM vulnerability (CVE-2015-3152). That security vulnerability allowed an attacker to downgrade and snoop on the SSL encrypted connection between MySQL client and server. Oracle claimed that they fixed it in MySQL 5.5.49. Later in February 2017 Pali Rohár discovered The Riddle vulnerability (CVE-2017-3305). It allowed an attacker to use man in the middle attack and was introduced in MySQL 5.5.49 by improper fix of the BACKRONYM vulnerability. Oracle claimed that they fixes The Riddle vulnerability in MySQL 5.5.55. But in April 2017 Pali Rohár discovered that fix introduced in MySQL 5.5.55 is still improper, problem persists and instead of fix, Oracle introduced this Again Riddle vulnerability. So even after two years Oracle is unable to properly fix security vulnerability in MySQL!
If MySQL client library libmysqlclient.so is compiled from source code without SSL support via cmake switch -DWITH_SSL=OFF, then all SSL related functions from libmysqlclient.so return success (non-error) value. And function mysql_real_connect() from libmysqlclient.so connects to MySQL server via plain text protocol, even if client enforced SSL mode with certificate verification. Which means that function for enforcing SSL mode does nothing if libmysqlclient.so is compiled without SSL support.
In MySQL 5.5 documentation for MYSQL_OPT_SSL_MODE option passed to mysql_options() function is written:
... mysql_real_connect() returns an error if the server does not support SSL or the client is not configured to use SSL ...
But in reality no error is returned and connection is successfully established.
Oracle in May 2017 released new MySQL security update 5.5.56 which just targets this issue. But Again Riddle is not truly fixed. Oracle instead of proper fix changed cmake build system to disallow compiling MySQL without SSL support and -DWITH_SSL=OFF is not valid anymore. So Oracle just prevented compilation of MySQL when build configuration could lead to vulnerable code path.
No. Since 5.5.56 it is not possible anymore. Due to improper fix of Again Riddle vulnerability Oracle disallowed it.
Only when is compiled without SSL support.
Every program which uses system installed libmysqlclient.so library and depends on SSL encrypted connection.
You can use simple C program (see below) against some MySQL server which does not support SSL. If it show SSL related error message, then you are not vulnerable. Testing has shown that MySQL 5.5.55 and MariaDB 5.5.55 are vulnerable. And other versions could be too. Note that official precompiled binaries of MySQL and MariaDB are not affected as they have SSL support enabled, but lot of people and distributions too compiled binaries from source code. Also note that MariaDB was not vulnerable to the original Riddle, but is to Again Riddle!
I have prepared simple againriddle.c program written in C which can be used for testing Again Riddle vulnerability. Together with Perl script riddle.pl, from the original Riddle website, can be used to do MITM attack.
Compile Again Riddle:
$ cc againriddle.c `mysql_config --cflags --libs` -o againriddlePrepare CA certificate file (can be empty) and connect to MySQL server:
$ ./againriddle 127.0.0.1 3306 dbname user password ca.pemIf you provided correct dbname, user and password then with vulnerable libmysqlclient.so it writes output:
Output: have_ssl : DISABLEDIf you enter invalid password then with vulnerable libmysqlclient.so it writes output:
mysql_real_connect failed: Access denied for user 'root'@'localhost' (using password: YES)And if you connect with valid password to the Riddle in the middle server you should see nice message:
mysql_real_connect failed: Access denied: MITM attack
Discovered by: Pali Rohár
Email address: middle at riddle dot link