MySQL client Common Name validation may allow for MITM
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
Percona Server moved to https://jira.percona.com/projects/PS | Status tracked in 5.7 | | |
5.5 | Fix Released | High | Unassigned |
5.6 | Fix Released | High | Unassigned |
5.7 | Fix Released | High | Unassigned |
Bug Description
Due to a bug in how MySQL checks hostnames against X.509 certificates,
an attacker on the network is able to execute a MITM attack.
The relevant code is here:
* https:/
* https:/
* https:/
* https:/
The issue is that MySQL uses string searches against OpenSSL's representation
of a Distinguished Name in order to discover the Common Name in a server's
certificate. It does this by looking for the string "/CN=" and going until the
next "/" is found.
OpenSSL does not perform any escaping of values in the DN however, so a
certificate for "haxor.com" with CN="haxor.com" and OU="/CN=
have ``X509_
code would incorrectly validate the certificate as being valid for example.com.
This applies whenever any field in the DN is encoded before the Common Name.
The correct solution is to use OpenSSL's structured APIs for examining
certificate information, rather than the string representation. The Common Name
of a certificate can be obtained using the ``X509_
``X509_
``X509_
found in the OpenSSL wiki:
https:/
This vulnerability was jointly discovered by Paul Kehrer of Rackspace and Alex
Gaynor of the United States Department of Veterans Affairs.
PS: As something of an aside, it would be more correct to check against
hostnames listed in the subjectAltName extension, instead of using the Common
Name.
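The two lookups the description contrasts, as an added example written for this page (not MySQL's or OpenSSL's code): the name model, the `dn_oneline` flattening and the crafted DN are constructed to mirror what the report describes, and `accepts_host` runs the hostname check through either lookup.

```c
#include <stdio.h>
#include <string.h>
/* Constructed model of an X.509 name as OpenSSL holds it: ordered entries. */
enum { ATTR_OU, ATTR_CN };
struct dn_entry { int type; const char *value; };
struct dn { const struct dn_entry *entries; size_t count; };
/* Flatten like X509_NAME_oneline(): "/OU=.../CN=...", no escaping of '/'. */
static size_t dn_oneline(const struct dn *name, char *out, size_t cap) {
    size_t n = 0;
    for (size_t i = 0; i < name->count; i++) {
        const char *label = name->entries[i].type == ATTR_CN ? "CN" : "OU";
        int w = snprintf(out + n, cap - n, "/%s=%s", label, name->entries[i].value);
        if (w < 0 || (size_t)w >= cap - n) return 0;   /* truncated: fail */
        n += (size_t)w;
    }
    return n;
}

/* Flawed lookup: first "/CN=" in the flat string, then up to the next '/'.
 * Any earlier attribute whose value contains "/CN=" is matched instead. */
static int cn_from_oneline(const char *oneline, char *out, size_t cap) {
    const char *p = strstr(oneline, "/CN=");
    size_t len = p ? strcspn(p + 4, "/") : cap;
    if (len >= cap) return 0;
    memcpy(out, p + 4, len);
    out[len] = '\0';
    return 1;
}
/* Structured lookup: select the entry by type; its value is used verbatim. */
static int cn_from_entries(const struct dn *name, char *out, size_t cap) {
    for (size_t i = 0; i < name->count; i++) {
        if (name->entries[i].type != ATTR_CN) continue;
        if (strlen(name->entries[i].value) >= cap) return 0;
        strcpy(out, name->entries[i].value);
        return 1;
    }
    return 0;
}
/* 1 if the chosen lookup would accept this certificate for `host`. */
static int accepts_host(const struct dn *name, const char *host, int via_oneline) {
    char line[256], cn[128];
    int ok = via_oneline ? dn_oneline(name, line, sizeof line) > 0 &&
             cn_from_oneline(line, cn, sizeof cn) : cn_from_entries(name, cn, sizeof cn);
    return ok && strcmp(cn, host) == 0;
}

/* Constructed sample from the report: issued for haxor.com, with an OU value
 * that smuggles "/CN=example.com" ahead of the real CN. */
static const struct dn_entry crafted[] = { { ATTR_OU, "/CN=example.com" }, { ATTR_CN, "haxor.com" } };
static const struct dn crafted_dn = { crafted, 2 };
```

The string-based lookup accepts the crafted certificate for example.com while the structured lookup only accepts it for haxor.com.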
CVE References
It looks like Oracle has fixed this in 5.5.48/
$ git log --oneline --grep 22295186
d9f89ff Bug #22295186: CERTIFICATE VALIDATION BUG IN MYSQL MAY ALLOW MITM
70f1aa4 Bug #22295186: CERTIFICATE VALIDATION BUG IN MYSQL MAY ALLOW MITM.
13380bf Bug #22295186: CERTIFICATE VALIDATION BUG IN MYSQL MAY ALLOW MITM
We will take the fix by merging those versions.
information type: Private Security → Public Security
Shahriyar Rzayev (rzayev-sehriyar) wrote: #4
Percona now uses JIRA for bug reports so this bug report is migrated to: https:/
Thank you for the report.
Verified as described using code analysis.