MySQL client Common Name validation may allow for MITM
| Affects | Status | Importance | Assigned to | Milestone |
|---|---|---|---|---|
| Percona Server moved to https://jira.percona.com/projects/PS | Status tracked in 5.7 | | | |
| 5.5 | Fix Released | High | Unassigned | |
| 5.6 | Fix Released | High | Unassigned | |
| 5.7 | Fix Released | High | Unassigned | |
Bug Description
Due to a bug in how MySQL checks hostnames against X.509 certificates
an attacker on the network is able to execute a MITM attack.
The relevant code is here:
* https:/
* https:/
* https:/
* https:/
The issue is that MySQL uses string searches against OpenSSL's representation
of a Distinguished Name in order to discover the Common Name in a server's
certificate. It does this by looking for the string "/CN=" and going until the
next "/" is found.
OpenSSL does not perform any escaping of values in the DN however, so a
certificate for "haxor.com" with CN="haxor.com" and OU="/CN=
have ``X509_
code would incorrectly validate the certificate as being valid for example.com.
This applies whenever any field in the DN is encoded before the Common Name.
The correct solution is to use OpenSSL's structured APIs for examining
certificate information, rather than the string representation. The Common Name
of a certificate can be obtained using the ``X509_
``X509_
``X509_
found in the OpenSSL wiki:
https:/
This vulnerability was jointly discovered by Paul Kehrer of Rackspace and Alex
Gaynor of the United States Department of Veterans Affairs.
PS: As something of an aside, it would be more correct to check against
hostnames listed in the subjectAltName extension, instead of using the Common
Name.
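As an added illustration (not code from the reporters, MySQL, Percona or OpenSSL), the C program below models the two approaches the report contrasts: a "/CN=" substring search over a one-line DN string, and a lookup of the CN entry by attribute type. The DN is modelled as an array of (type, value) entries standing in for OpenSSL's X509_NAME / X509_NAME_ENTRY; the `dn_type` enum, the `dn_*` helpers, the two sample DNs and the host names are assumptions made for the example. The one-line rendering copies the unescaped "/short-name=value" layout of X509_NAME_oneline so that the OU value can smuggle a fake "/CN=" in front of the real one.

```c
/* Added example: flawed one-line-DN search vs. structured CN lookup.
 * Not MySQL, Percona or OpenSSL code; the DN model below is an assumption. */
#include <stdio.h>
#include <string.h>

/* Attribute types of a DN entry. In OpenSSL these are NIDs such as
 * NID_commonName; this enum is an assumption for illustration. */
enum dn_type { DN_C, DN_O, DN_OU, DN_CN };

struct dn_entry { enum dn_type type; const char *value; };

/* Stand-in for X509_NAME: an ordered list of attribute entries. */
struct dn_name { const struct dn_entry *entries; size_t count; };

static const char *short_name(enum dn_type t)
{
    switch (t) {
    case DN_C:  return "C";
    case DN_O:  return "O";
    case DN_OU: return "OU";
    default:    return "CN";
    }
}

/* Render the DN in the X509_NAME_oneline() style: "/C=US/O=.../CN=...".
 * As in the real function, nothing escapes a '/' or '=' inside a value,
 * which is exactly what the string search below trips over. */
void dn_oneline(const struct dn_name *name, char *buf, size_t buflen)
{
    size_t used = 0;
    buf[0] = '\0';
    for (size_t i = 0; i < name->count; i++) {
        int n = snprintf(buf + used, buflen - used, "/%s=%s",
                         short_name(name->entries[i].type),
                         name->entries[i].value);
        if (n < 0 || (size_t)n >= buflen - used)
            break; /* output truncated; stop rather than overrun */
        used += (size_t)n;
    }
}

/* Flawed check in the shape the report describes: take the first "/CN="
 * in the one-line DN and read up to the next '/'. Returns 1 on match. */
int flawed_verify(const struct dn_name *name, const char *host)
{
    char buf[256];
    dn_oneline(name, buf, sizeof buf);
    char *cn = strstr(buf, "/CN=");
    if (cn == NULL)
        return 0;
    cn += strlen("/CN=");
    char *end = strchr(cn, '/');
    if (end != NULL)
        *end = '\0';
    return strcmp(cn, host) == 0;
}

/* Structured check: look the CN entry up by type instead of parsing text.
 * With OpenSSL this is X509_NAME_get_index_by_NID(name, NID_commonName, -1)
 * followed by X509_NAME_get_entry() and X509_NAME_ENTRY_get_data().
 * A DN with no CN, or with more than one, is rejected. Returns 1 on match. */
int structured_verify(const struct dn_name *name, const char *host)
{
    const char *cn = NULL;
    for (size_t i = 0; i < name->count; i++) {
        if (name->entries[i].type != DN_CN)
            continue;
        if (cn != NULL)
            return 0; /* ambiguous: more than one CN present */
        cn = name->entries[i].value;
    }
    return cn != NULL && strcmp(cn, host) == 0;
}

/* Constructed sample DNs (assumptions). The attacker holds a valid cert for
 * haxor.com whose OU was chosen to contain "/CN=example.com". */
static const struct dn_entry attacker_entries[] = {
    { DN_OU, "/CN=example.com" },
    { DN_CN, "haxor.com" },
};
const struct dn_name attacker_dn = { attacker_entries, 2 };

static const struct dn_entry legit_entries[] = {
    { DN_C, "US" }, { DN_O, "Example Inc" }, { DN_CN, "example.com" },
};
const struct dn_name legit_dn = { legit_entries, 3 };

int main(void)
{
    char buf[256];
    dn_oneline(&attacker_dn, buf, sizeof buf);
    printf("attacker DN one-line : %s\n", buf);
    printf("flawed check         : %d\n", flawed_verify(&attacker_dn, "example.com"));
    printf("structured check     : %d\n", structured_verify(&attacker_dn, "example.com"));
    return 0;
}
```

For the attacker DN the one-line form is `/OU=/CN=example.com/CN=haxor.com`: the substring search stops at the first "/CN=" and accepts the certificate for example.com, while the structured lookup returns the real CN, haxor.com, and rejects it. The same difference appears for any attribute that precedes the CN, which is why the fix has to stop parsing the string form altogether.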
information type: Private Security → Public Security
Thank you for the report.
Verified as described using code analysis.