Bugzilla – Bug 1037590
VUL-0: mysql: AGAIN.RIDDLE: disabled SSL support reports success on SSL
Last modified: 2017-07-19 22:39:41 UTC
From: Pali Rohár <firstname.lastname@example.org>
Subject: [oss-security] MySQL - Again Riddle vulnerability (public disclosure)
Date: Wed, 3 May 2017 18:23:09 +0200
The Riddle vulnerability (CVE-2017-3305) we have it there again.
So what happened?
In 2015 was discovered BACKRONYM vulnerability (CVE-2015-3152) which
allowed an attacker to downgrade and snoop on the SSL encrypted
connection between MySQL client and server. Oracle claimed it was fixed
in MySQL 5.5.49. Later in February 2017 I discovered The Riddle
vulnerability (CVE-2017-3305) which allowed an attacker to do man in the
middle attack. Oracle claimed it was fixed in MySQL 5.5.55.
And now in April 2017 I found out that it is still not fixed in MySQL
5.5.55 properly and I named this defect Again Riddle. Basically fix for
The Riddle in 5.5.55 introduced Again Riddle.
And what is the problem?
If MySQL client library libmysqlclient.so is compiled from source code
without SSL support via cmake switch -DWITH_SSL=OFF, then all SSL
related functions from libmysqlclient.so return success (non-error)
value. And function mysql_real_connect() from libmysqlclient.so connects
to MySQL server via plain text protocol, even if client enforced SSL
mode with certificate verification. Which means that function for
enforcing SSL mode does nothing if libmysqlclient.so is compiled without
SSL support. So attacker can do exactly same what for The Riddle
So every application which links to libmysqlclient.so and require SSL
encryption of MySQL protocol is affected.
I contacted Oracle, MariaDB and Percona security teams about this
problem and after discussion we scheduled public disclosure to May 3.
Oracle decided that this Again Riddle vulnerability would not have CVE
identifier and would be part of original The Riddle vulnerability
I'm not sure if this is correct decision, as MariaDB 5.5 was not
affected by The Riddle vulnerability, but is affected by Again Riddle.
I was told that prebuild binaries are not affected as they are compiled
with SSL support, but lot of distributions compile libraries from source
code by their own which means they could be affected.
I prepared POC program written in C to verify if system installed
libmysqlclient.so library is vulnerable or not. You can find it on the
new Again Riddle website together with some Q&A:
Yesterday Oracle released new MySQL 5.5.56 which disable compilation
without SSL support, just to address this issue.
So it is not possible to compile MySQL without SSL support anymore.
see bug 1029396 for the original RIDDLE report. It seems 5.5.56 fixes both.
As both mysql and mariadb packages in all our codestreams (openSUSE including) use 'DWITH_SSL=system' we shouldn't be affected by Again Riddle vulnerability.
i think so.