Bug 924663 (CVE-2015-3152)

Summary: VUL-0: CVE-2015-3152: MariaDB,mysql: mysql --ssl does not enforce SSL (oCERT-2015-003 BACKRONYM)
Product: [Novell Products] SUSE Security Incidents
Reporter: Marcus Rückert <mrueckert>
Component: Incidents
Assignee: Security Team bot <security-team>
Status: RESOLVED FIXED
QA Contact: Security Team bot <security-team>
Severity: Normal
Priority: P2 - High
CC: astieger, chcao, jim.petersen, kstreitova, lchiquitto, meissner, mge, mrueckert, rasmus, security-team, stephan.barth
Version: unspecified   
Target Milestone: ---   
Hardware: Other   
OS: Other   
Whiteboard: CVSSv2:RedHat:CVE-2015-3152:4.3:(AV:N/AC:M/Au:N/C:P/I:N/A:N) CVSSv3:RedHat:CVE-2015-3152:6.8:(AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:N) CVSSv2:NVD:CVE-2015-3152:4.3:(AV:N/AC:M/Au:N/C:N/I:P/A:N)
Found By: --- Services Priority:
Business Priority: Blocker: ---
Marketing QA Status: --- IT Deployment: ---
Attachments: Consolidated patch for #924663

Description Marcus Rückert 2015-03-27 11:17:57 UTC
This was fixed in mysql 5.7.3. It would be nice to get this fix backported.

My testing with our lapis cluster showed that this seems to be still an issue with the mariadb on factory and SLE12.
Comment 7 MariaDB Engineering 2015-04-08 17:56:23 UTC
https://mariadb.atlassian.net/browse/MDEV-7937
Comment 8 Marcus Meissner 2015-04-28 15:57:52 UTC
see bug 928962 too
Comment 10 Marcus Meissner 2015-06-22 09:54:47 UTC
*** Bug 928962 has been marked as a duplicate of this bug. ***
Comment 12 Kristyna Streitova 2015-06-24 16:40:09 UTC
(In reply to MariaDB Engineering from comment #9)
> This issue has been fixed in maria-5.5.44.

Thank you for the patches. We currently have MariaDB 10.0.x in our products too. Can you please provide us with suitable patches? Or are the patches from comment 9 suitable even for the MariaDB 10.0.x branch? Thank you.
Comment 13 MariaDB Engineering 2015-06-25 14:20:38 UTC
Created attachment 639131
Consolidated patch for #924663

A brief note about this feature:

"--ssl on its own doesn't enforce ssl. The reasoning is the following:

Our behavior in 5.5 is that we do not implicitly verify the server's
certificate. For all we know we could be the victim of a MITM attack
without verifying the certificate. We could be sending encrypted data
to the attacker, for him to relay it further to our intended destination.
We wanted to keep this behavior consistent across released versions (5.5
and 10.0).
 
To enforce ssl one needs to use --ssl-verify-server-cert. This is what
the patch does, it makes --ssl-verify-server-cert to enforce a ssl
connection or abort the connection.

In 10.1 we plan to make --ssl-verify-server-cert a default option, so
the sane defaults will be that by using --ssl, by default, an ssl connection
will be enforced."
Comment 14 Marcus Meissner 2015-06-26 09:04:41 UTC
This is fixed in MariaDB 1.0.10 apparently. https://mariadb.com/kb/en/mariadb/mariadb-10020-release-notes/
Comment 15 Kristyna Streitova 2015-06-29 15:16:54 UTC
(In reply to Marcus Meissner from comment #14)
> This is fixed in MariaDB 1.0.10 apparently.
> https://mariadb.com/kb/en/mariadb/mariadb-10020-release-notes/

It's a typing error. This is fixed in MariaDB 10.0.20.
Comment 16 Kristyna Streitova 2015-06-30 17:46:49 UTC
This issue is fixed since MariaDB 10.0.20 and MariaDB 5.5.44.

We created a version bump to MariaDB 10.0.20 for SLE12 and to MariaDB 10.0.20 and 5.5.44 for openSUSE, so this bug is fixed there now.

|    Product    | Affected |  Request  |
|---------------|----------|-----------|
| SLE12         | yes      | mr#61330  |
| openSUSE 13.1 | yes      | mr#314500 |
| openSUSE 13.2 | yes      | mr#314500 |
| devel/Factory | no*      | ---       |

* 10.0.20 already present here

Reassigning to security-team
Comment 18 Swamp Workflow Management 2015-07-09 15:08:37 UTC
openSUSE-SU-2015:1216-1: An update that fixes 28 vulnerabilities is now available.

Category: security (important)
Bug References: 859345,914370,924663,934789,936407,936408,936409
CVE References: CVE-2014-6464,CVE-2014-6469,CVE-2014-6491,CVE-2014-6494,CVE-2014-6496,CVE-2014-6500,CVE-2014-6507,CVE-2014-6555,CVE-2014-6559,CVE-2014-6568,CVE-2014-8964,CVE-2015-0374,CVE-2015-0381,CVE-2015-0382,CVE-2015-0411,CVE-2015-0432,CVE-2015-0433,CVE-2015-0441,CVE-2015-0499,CVE-2015-0501,CVE-2015-0505,CVE-2015-2325,CVE-2015-2326,CVE-2015-2568,CVE-2015-2571,CVE-2015-2573,CVE-2015-3152,CVE-2015-4000
Sources used:
openSUSE 13.2 (src):    mariadb-10.0.20-2.9.1
openSUSE 13.1 (src):    mariadb-5.5.44-4.1
Comment 19 Andreas Stieger 2015-07-21 12:09:23 UTC
Releasing MariaDB for SLE 12.
Comment 20 Swamp Workflow Management 2015-07-21 14:09:20 UTC
SUSE-SU-2015:1273-1: An update that solves 12 vulnerabilities and has one errata is now available.

Category: security (important)
Bug References: 906574,919053,919062,920865,920896,921333,924663,924960,924961,934789,936407,936408,936409
CVE References: CVE-2014-8964,CVE-2015-0433,CVE-2015-0441,CVE-2015-0499,CVE-2015-0501,CVE-2015-0505,CVE-2015-2325,CVE-2015-2326,CVE-2015-2568,CVE-2015-2571,CVE-2015-2573,CVE-2015-3152
Sources used:
SUSE Linux Enterprise Workstation Extension 12 (src):    mariadb-10.0.20-18.1
SUSE Linux Enterprise Software Development Kit 12 (src):    mariadb-10.0.20-18.1
SUSE Linux Enterprise Server 12 (src):    mariadb-10.0.20-18.1
SUSE Linux Enterprise Desktop 12 (src):    mariadb-10.0.20-18.1
Comment 21 Andreas Stieger 2015-08-27 07:45:01 UTC
This commit on 5.5 applies to Oracle MySQL in SLE 11 SP3/4:
https://github.com/MariaDB/server/commit/4ef7497

From 4ef74979969ac9339d0d42c11a6f26632e6776f1 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Vicen=C8=9Biu=20Ciorbaru?= <vicentiu@mariadb.org>
Date: Tue, 9 Jun 2015 14:08:44 +0300
Subject: [PATCH] MDEV-7937: Enforce SSL when --ssl client option is used

Using --ssl-verify-server-cert and --ssl[-*] implies that
the ssl connection is required. The mysql client will now print an error if ssl
is required, but the server can not handle a ssl connection.
---
 sql-common/client.c | 23 +++++++++++++++++++----
 1 file changed, 19 insertions(+), 4 deletions(-)
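
Review bot: the subject line says SSL is enforced "when --ssl client option is used", while the body says "--ssl-verify-server-cert and --ssl[-*]" imply a required connection, so it is unclear whether either option alone or only the combination triggers enforcement. Please state the exact option set in the message and name the error the client now prints when the server cannot handle SSL, because that is a behaviour change for existing callers. The diffstat touches only sql-common/client.c, so a pointer to the accompanying tests in the message would help.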


Related tests (partial)
https://github.com/MariaDB/server/commit/5a44e1a
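
The behaviour change discussed in this bug, as an added example that is not taken from the MariaDB or MySQL patch: the client learns whether the server can handle SSL from the CLIENT_SSL capability bit in the server's initial handshake packet (protocol version 10), and an enforcing client aborts when that bit is missing instead of continuing unencrypted. The function names, the `require_tls` switch and the sample greetings are assumptions made for this sketch.

```c
/* Added illustration, not MariaDB/MySQL source. All names are hypothetical. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define CLIENT_SSL 0x0800u /* capability bit: server can switch to SSL/TLS */

enum decision { PROCEED_TLS, PROCEED_PLAINTEXT, ABORT_NO_TLS, ABORT_MALFORMED };

/* Read the lower 16 capability bits from a protocol-10 greeting payload.
   Returns 0 on success, -1 if the payload is malformed or truncated. */
static int greeting_caps(const uint8_t *p, size_t len, uint16_t *caps)
{
    if (len < 1 || p[0] != 10) return -1;            /* protocol version */
    const uint8_t *nul = memchr(p + 1, 0, len - 1);  /* end of version string */
    if (!nul) return -1;
    size_t off = (size_t)(nul - p) + 1;              /* first byte after NUL */
    /* connection id (4) + scramble part 1 (8) + filler (1) + caps (2) */
    if (len - off < 4 + 8 + 1 + 2) return -1;
    off += 4 + 8 + 1;
    *caps = (uint16_t)(p[off] | (p[off + 1] << 8));  /* little endian */
    return 0;
}

/* require_tls = 0 models the old client: SSL requested but not enforced. */
enum decision decide(const uint8_t *p, size_t len, int require_tls)
{
    uint16_t caps;
    if (greeting_caps(p, len, &caps) != 0) return ABORT_MALFORMED;
    if (caps & CLIENT_SSL) return PROCEED_TLS;
    return require_tls ? ABORT_NO_TLS : PROCEED_PLAINTEXT;
}

/* Constructed greetings: version "5.5.0", connection id 1, dummy scramble. */
#define GREETING(lo, hi) { 10, '5','.','5','.','0',0, 1,0,0,0, \
                           1,2,3,4,5,6,7,8, 0, (lo), (hi) }
const uint8_t with_tls[] = GREETING(0xff, 0xff); /* CLIENT_SSL advertised */
const uint8_t no_tls[]   = GREETING(0xff, 0xf7); /* CLIENT_SSL not advertised */

int main(void)
{
    printf("not enforced, no SSL offered: %d\n",
           decide(no_tls, sizeof no_tls, 0));
    printf("enforced, no SSL offered:     %d\n",
           decide(no_tls, sizeof no_tls, 1));
    return 0;
}
```

With `require_tls` unset, a greeting that lacks CLIENT_SSL yields `PROCEED_PLAINTEXT`, which is the silent fallback this bug is about; with it set, the same greeting yields `ABORT_NO_TLS`.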
Comment 23 Andreas Stieger 2015-08-27 08:07:45 UTC
http://dev.mysql.com/doc/relnotes/mysql/5.7/en/news-5-7-3.html#mysqld-5-7-3-security

Documented as "Incompatible Change"
Changes meaning of --ssl, adds MYSQL_OPT_SSL_ENFORCE
Comment 27 Kristyna Streitova 2015-09-21 14:21:25 UTC
Patch from comment 25 was submitted for SLE11SP3 (https://build.suse.de/request/show/68980)

Reassigning to security-team.
Comment 28 Kristyna Streitova 2015-10-06 07:33:39 UTC
Adjusted MariaDB patch from comment 25 was committed to our openSUSE mysql-packaging git repo (https://github.com/openSUSE/mysql-packaging/commit/23133cf21bbcb812afceb1a5847a9d795c25ec1b)
Comment 29 Swamp Workflow Management 2015-10-20 13:12:00 UTC
SUSE-SU-2015:1788-1: An update that fixes 19 vulnerabilities is now available.

Category: security (moderate)
Bug References: 924663,928962,934401,938412
CVE References: CVE-2015-2582,CVE-2015-2611,CVE-2015-2617,CVE-2015-2620,CVE-2015-2639,CVE-2015-2641,CVE-2015-2643,CVE-2015-2648,CVE-2015-2661,CVE-2015-3152,CVE-2015-4737,CVE-2015-4752,CVE-2015-4756,CVE-2015-4757,CVE-2015-4761,CVE-2015-4767,CVE-2015-4769,CVE-2015-4771,CVE-2015-4772
Sources used:
SUSE Linux Enterprise Software Development Kit 11-SP4 (src):    mysql-5.5.45-0.11.1
SUSE Linux Enterprise Software Development Kit 11-SP3 (src):    mysql-5.5.45-0.11.1
SUSE Linux Enterprise Server for VMWare 11-SP3 (src):    mysql-5.5.45-0.11.1
SUSE Linux Enterprise Server 11-SP4 (src):    mysql-5.5.45-0.11.1
SUSE Linux Enterprise Server 11-SP3 (src):    mysql-5.5.45-0.11.1
SUSE Linux Enterprise Desktop 11-SP4 (src):    mysql-5.5.45-0.11.1
SUSE Linux Enterprise Desktop 11-SP3 (src):    mysql-5.5.45-0.11.1
SUSE Linux Enterprise Debuginfo 11-SP4 (src):    mysql-5.5.45-0.11.1
SUSE Linux Enterprise Debuginfo 11-SP3 (src):    mysql-5.5.45-0.11.1
Comment 30 Swamp Workflow Management 2015-12-10 11:12:32 UTC
openSUSE-SU-2015:2243-1: An update that fixes 30 vulnerabilities is now available.

Category: security (important)
Bug References: 924663,928962,951391
CVE References: CVE-2015-0286,CVE-2015-0288,CVE-2015-1789,CVE-2015-1793,CVE-2015-3152,CVE-2015-4730,CVE-2015-4766,CVE-2015-4792,CVE-2015-4800,CVE-2015-4802,CVE-2015-4815,CVE-2015-4816,CVE-2015-4819,CVE-2015-4826,CVE-2015-4830,CVE-2015-4833,CVE-2015-4836,CVE-2015-4858,CVE-2015-4861,CVE-2015-4862,CVE-2015-4864,CVE-2015-4866,CVE-2015-4870,CVE-2015-4879,CVE-2015-4890,CVE-2015-4895,CVE-2015-4904,CVE-2015-4905,CVE-2015-4910,CVE-2015-4913
Sources used:
openSUSE Leap 42.1 (src):    mysql-community-server-5.6.27-8.1
openSUSE 13.2 (src):    mysql-community-server-5.6.27-2.12.1
openSUSE 13.1 (src):    mysql-community-server-5.6.27-7.13.1
Comment 31 Marcus Meissner 2016-03-23 08:26:53 UTC
Released, I think.
Comment 32 Kristyna Streitova 2017-04-19 11:08:16 UTC
News about BACKRONYM and MySQL:

Initially, MySQL fixed this issue for the 5.7 branch only. Afterwards, they decided to release a mitigation of this issue for the 5.5 and 5.6 branches (--ssl-mode=REQUIRED specifies to require a secure connection (without API support)):

- 5.5.49: https://dev.mysql.com/doc/relnotes/mysql/5.5/en/news-5-5-49.html#mysqld-5-5-49-security
- 5.6.30: https://dev.mysql.com/doc/relnotes/mysql/5.6/en/news-5-6-30.html#mysqld-5-6-30-security

However, the implementation of this mitigation was not correct and it caused the RIDDLE vulnerability (CVE-2017-3305, bug 1029396).

As a reaction, MySQL released a fix in the latest MySQL 5.5.55 and 5.6.36:

- 5.5.55: https://dev.mysql.com/doc/relnotes/mysql/5.5/en/news-5-5-55.html#mysqld-5-5-55-security
- 5.6.36: https://dev.mysql.com/doc/relnotes/mysql/5.6/en/news-5-6-36.html#mysqld-5-6-36-security

Now, MySQL 5.5 and 5.6 use '--ssl-mode=REQUIRED' option (with API support) to specify that the secure connection is required.
Comment 36 Bernhard Wiedemann 2017-04-25 12:02:46 UTC
This is an autogenerated message for OBS integration:
This bug (924663) was mentioned in
https://build.opensuse.org/request/show/490980 42.1+42.2 / mysql-community-server