If you’re using MySQL and SSL, you might want to glance over this article and give your setup a quick test.
I’ve uncovered an alarming bug in 5.5 where one could gain access to your MySQL instance just knowing the username and password (not having any SSL certificate, key, etc.)!
Of course, I’ve filed a bug about it here:
http://bugs.mysql.com/bug.php?id=62743
It’s been over 4 days now, and not one comment from the MySQL Bug/Dev Team.
So once again, I feel the need to share this bug with the public, in case you are using SSL with 5.5, and think your connections are secure, or that only users with the certs/key could gain access.
For SSL Users, you’ll already have this set up, but for those who don’t, I’ve simply got mysqld (5.5.15 and 5.5.16 thus far) running with the following options:
ssl-ca = "C:/Program Files/MySQL/mysql-5.5.16/certs/ca-cert.pem" ssl-cert = "C:/Program Files/MySQL/mysql-5.5.16/certs/server-cert.pem" ssl-key = "C:/Program Files/MySQL/mysql-5.5.16/certs/server-key.pem"
In theory, any user connecting should either be specifying the –ssl-ca option, path, and file, or both the –ssl-cert and –ssl-key options.
However, at least in 5.5.15 and 5.5.16 (haven’t tested any others yet), one can connect with *just* the –ssl-key option.
What’s worse, and most important, is that you don’t even have to specify a file here. Just specify some bogus text!
I created 2 users, one local and one remote, using these 2 commands:
GRANT ALL PRIVILEGES ON *.* TO 'ssluser'@'localhost' IDENTIFIED BY 'ssluser' REQUIRE SSL;) GRANT ALL PRIVILEGES ON *.* TO 'ssluser'@'remote-hostname' IDENTIFIED BY 'ssluser' REQUIRE SSL;
Now, just specify “buggg” for the -ssl-key option (no path, no file, no nothing):
mysql -ussluser -pssluser -P3430 --ssl-key=buggg
Voila!
The user connects as if it were using an SSL connection. All that was needed to connect to this remote host is the username and password.
Check out the output:
Localhost:
C:\Program Files\MySQL\mysql-5.5.16\bin>mysql -ussluser -pssluser -P3430 --ssl-key=buggg Welcome to the MySQL monitor. Commands end with ; or \g. Your MySQL connection id is 11 Server version: 5.5.16-log MySQL Community Server (GPL) Copyright (c) 2000, 2011, Oracle and/or its affiliates. All rights reserved. Oracle is a registered trademark of Oracle Corporation and/or its affiliates. Other names may be trademarks of their respective owners. Type 'help;' or '\h' for help. Type '\c' to clear the current input statement. mysql> status -------------- mysql Ver 14.14 Distrib 5.5.16, for Win32 (x86) Connection id: 11 Current database: Current user: ssluser@localhost SSL: Cipher in use is DHE-RSA-AES256-SHA Using delimiter: ; Server version: 5.5.16-log MySQL Community Server (GPL) Protocol version: 10 Connection: localhost via TCP/IP Server characterset: latin1 Db characterset: latin1 Client characterset: cp850 Conn. characterset: cp850 TCP port: 3430 Uptime: 35 min 26 sec Threads: 1 Questions: 24 Slow queries: 0 Opens: 33 Flush tables: 1 Open tables: 0 Queries per second avg: 0.011 --------------
Remote Host:
C:\Documents and Settings>mysql -ussluser -pssluser -h192.168.1.100 -P3430 --ssl-key=buggg Welcome to the MySQL monitor. Commands end with ; or \g. Your MySQL connection id is 6 Server version: 5.5.16-log MySQL Community Server (GPL) Type 'help;' or '\h' for help. Type '\c' to clear the buffer. mysql> status -------------- mysql Ver 14.12 Distrib 5.0.70, for Win32 (ia32) Connection id: 6 Current database: Current user: ssluser@HOST-LAPTOP SSL: Cipher in use is DHE-RSA-AES256-SHA Using delimiter: ; Server version: 5.5.16-log MySQL Community Server (GPL) Protocol version: 10 Connection: 192.168.1.100 via TCP/IP Server characterset: latin1 Db characterset: latin1 Client characterset: latin1 Conn. characterset: latin1 TCP port: 3430 Uptime: 13 min 13 sec Threads: 2 Questions: 14 Slow queries: 0 Opens: 33 Flush tables: 1 Open tab les: 26 Queries per second avg: 0.017 --------------
Again, I have no idea how many versions are affected by this yet. I’ve only tested 5.5.15 and 5.5.16 (seen on both Windows and Linux, as well).
In fact, that’s all I thought I would have needed to test, as I thought MySQL would have been all over this bug. But since there’s been no word from them about it, I feel it’s my duty to let the community know about this bug until it gets fixed.
(And I even wonder if the above is secure or not. I mean, it “says” the cipher is in use, but since I didn’t specify a ssl cert or key, how can I be certain this is secure.)
PlanetMySQL Voting: Vote UP / Vote DOWN