MySQL client Common Name validation may allow for MITM

Bug #1521120 reported by David Busby on 2015-11-30
256
This bug affects 1 person
Affects Status Importance Assigned to Milestone
Percona Server moved to https://jira.percona.com/projects/PS
Status tracked in 5.7
5.5
Fix Released
High
Unassigned
5.6
Fix Released
High
Unassigned
5.7
Fix Released
High
Unassigned

Bug Description

Due to a bug in how MySQL checks hostnames against X.509 certificates
an attacker on the network is able to execute a MITM attack.

The relevant code is here:

* https://github.com/mysql/mysql-server/blob/5.7/sql-common/client.c#L2660-L2680
* https://github.com/MariaDB/server/blob/10.1/sql-common/client.c#L1794-L1822
* https://github.com/webscalesql/webscalesql-5.6/blob/webscalesql-5.6.26/sql-common/client.c#L2251-L2271
* https://github.com/percona/percona-server/blob/5.6/sql-common/client.c#L1873-L1893

The issue is that MySQL uses string searches against OpenSSL's representation
of a Distinguished Name in order to discover the Common Name in a server's
certificate. It does this by looking for the string "/CN=" and going until the
next "/" is found.

OpenSSL does not perform any escaping of values in the DN however, so a
certificate for "haxor.com" with CN="haxor.com" and OU="/CN=example.com/" would
have ``X509_NAME_oneline`` return "/OU=/CN=example.com//CN=haxor.com/". The
code would incorrectly validate the certificate as being valid for example.com.
This applies whenever any field in the DN is encoded before the Common Name.

The correct solution is to use OpenSSL's structured APIs for examining
certificate information, rather than the string representation. The Common Name
of a certificate can be obtained using the ``X509_NAME_entry_count``,
``X509_NAME_get_entry``, ``X509_NAME_ENTRY_get_object``, and
``X509_NAME_ENTRY_get_data`` functions. Example code to accomplish this can be
found in the OpenSSL wiki:
https://wiki.openssl.org/index.php/Hostname_validation

This vulnerability was jointly discovered by Paul Kehrer of Rackspace and Alex
Gaynor of the United States Department of Veterans Affairs.

PS: As something of an aside, it would be more correct to check against
hostnames listed in the subjectAltName extension, instead of using the Common
Name.

CVE References

Sveta Smirnova (svetasmirnova) wrote :

Thank you for the report.

Verified as described using code analysis.

Changed in percona-server:
status: New → Confirmed

It looks like Oracle has fixed this in 5.5.48/5.6.29/5.7.11 under "22295186", which is not mentioned in their release notes:

$ git log --oneline --grep 22295186
d9f89ff Bug #22295186: CERTIFICATE VALIDATION BUG IN MYSQL MAY ALLOW MITM
70f1aa4 Bug #22295186: CERTIFICATE VALIDATION BUG IN MYSQL MAY ALLOW MITM.
13380bf Bug #22295186: CERTIFICATE VALIDATION BUG IN MYSQL MAY ALLOW MITM

We will take the fix by merging those versions.

information type: Private Security → Public Security

Percona now uses JIRA for bug reports so this bug report is migrated to: https://jira.percona.com/browse/PS-948

To post a comment you must log in.
This report contains Public Security information  Edit
Everyone can see this security related information.

Other bug subscribers