http://riddle.link/

DSA-3834

[oss-security] 20170317 CVE-2017-3305 - The Riddle vulnerability in MySQL client (public disclosure)

http://www.oracle.com/technetwork/security-advisory/cpuapr2017-3236618.html

97023

1038287

RHSA-2017:2787

This update for mysql-community-server to version 5.6.36 fixes the following issues :

These security issues were fixed :

  - CVE-2016-5483: Mysqldump failed to properly quote     certain identifiers in SQL statements written to the     dump output, allowing for execution of arbitrary     commands (bsc#1029014)

  - CVE-2017-3305: MySQL client sent authentication request     unencrypted even if SSL was required (aka Ridddle)     (bsc#1029396).

  - CVE-2017-3308: Unspecified vulnerability in Server: DML     (boo#1034850)

  - CVE-2017-3309: Unspecified vulnerability in Server:
    Optimizer (boo#1034850)

  - CVE-2017-3329: Unspecified vulnerability in Server:
    Thread (boo#1034850)

  - CVE-2017-3453: Unspecified vulnerability in Server:
    Optimizer (boo#1034850)

  - CVE-2017-3456: Unspecified vulnerability in Server: DML     (boo#1034850)

  - CVE-2017-3461: Unspecified vulnerability in Server:
    Security (boo#1034850)

  - CVE-2017-3462: Unspecified vulnerability in Server:
    Security (boo#1034850)

  - CVE-2017-3463: Unspecified vulnerability in Server:
    Security (boo#1034850)

  - CVE-2017-3464: Unspecified vulnerability in Server: DDL     (boo#1034850)

  - CVE-2017-3302: Crash in libmysqlclient.so (bsc#1022428).

  - CVE-2017-3450: Unspecified vulnerability Server:
    Memcached

  - CVE-2017-3452: Unspecified vulnerability Server:
    Optimizer

  - CVE-2017-3599: Unspecified vulnerability Server:
    Pluggable Auth

  - CVE-2017-3600: Unspecified vulnerability in Client:
    mysqldump (boo#1034850)

  - '--ssl-mode=REQUIRED' can be specified to require a     secure connection (it fails if a secure connection     cannot be obtained)

These non-security issues were fixed :

  - Set the default umask to 077 in mysql-systemd-helper     (boo#1020976)

  - Change permissions of the configuration dir/files to     755/644. Please note that storing the password in the     /etc/my.cnf file is not safe. Use for example an option     file that is accessible only by yourself (boo#889126)

For more information please see http://dev.mysql.com/doc/relnotes/mysql/5.6/en/news-5-6-36.html

This update for mysql to version 5.5.55 fixes the following issues:
These security issues were fixed :

  - CVE-2017-3308: Unspecified vulnerability in Server: DML     (bsc#1034850)

  - CVE-2017-3309: Unspecified vulnerability in Server:
    Optimizer (bsc#1034850)

  - CVE-2017-3329: Unspecified vulnerability in Server:
    Thread (bsc#1034850)

  - CVE-2017-3600: Unspecified vulnerability in Client:
    mysqldump (bsc#1034850)

  - CVE-2017-3453: Unspecified vulnerability in Server:
    Optimizer (bsc#1034850)

  - CVE-2017-3456: Unspecified vulnerability in Server: DML     (bsc#1034850)

  - CVE-2017-3463: Unspecified vulnerability in Server:
    Security (bsc#1034850)

  - CVE-2017-3462: Unspecified vulnerability in Server:
    Security (bsc#1034850)

  - CVE-2017-3461: Unspecified vulnerability in Server:
    Security (bsc#1034850)

  - CVE-2017-3464: Unspecified vulnerability in Server: DDL     (bsc#1034850)

  - CVE-2017-3305: MySQL client sent authentication request     unencrypted even if SSL was required (aka Ridddle)     (bsc#1029396).

  - CVE-2016-5483: Mysqldump failed to properly quote     certain identifiers in SQL statements written to the     dump output, allowing for execution of arbitrary     commands (bsc#1029014)

  - '--ssl-mode=REQUIRED' can be specified to require a     secure connection (it fails if a secure connection     cannot be obtained)

The update package also includes non-security fixes. See advisory for details.

Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

Multiple security issues were discovered in MySQL and this update includes new upstream MySQL versions to fix these issues.

MySQL has been updated to 5.5.55 in Ubuntu 14.04 LTS. Ubuntu 16.04 LTS, Ubuntu 16.10 and Ubuntu 17.04 have been updated to MySQL 5.7.18.

In addition to security fixes, the updated packages contain bug fixes, new features, and possibly incompatible changes.

Please see the following for more information:
http://dev.mysql.com/doc/relnotes/mysql/5.5/en/news-5-5-55.html http://dev.mysql.com/doc/relnotes/mysql/5.7/en/news-5-7-18.html http://www.oracle.com/technetwork/security-advisory/cpuapr2017-3236618 .html.

Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

Several issues have been discovered in the MySQL database server. The vulnerabilities are addressed by upgrading MySQL to the new upstream version 5.5.55, which includes additional changes, such as performance improvements, bug fixes, new features, and possibly incompatible changes. Please see the MySQL 5.5 Release Notes and Oracle's Critical Patch Update advisory for further details :

  -     https://dev.mysql.com/doc/relnotes/mysql/5.5/en/news-5-5
    -55.html
  -     http://www.oracle.com/technetwork/security-advisory/cpua     pr2017-3236618.html

Several issues have been discovered in the MySQL database server. The vulnerabilities are addressed by upgrading MySQL to the new upstream version 5.5.55, which includes additional changes, such as performance improvements, bug fixes, new features, and possibly incompatible changes. Please see the MySQL 5.5 Release Notes and Oracle's Critical Patch Update advisory for further details :

https://dev.mysql.com/doc/relnotes/mysql/5.5/en/news-5-5-55.html http://www.oracle.com/technetwork/security-advisory/cpuapr2017-3236618 .html

For Debian 7 'Wheezy', these problems have been fixed in version 5.5.55-0+deb7u1.

We recommend that you upgrade your mysql-5.5 packages.

NOTE: Tenable Network Security has extracted the preceding description block directly from the DLA security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

The version of MySQL running on the remote host is 5.6.x prior to 5.6.36. It is, therefore, affected by multiple vulnerabilities :

  - A use-after-free error exists in the     mysql_prune_stmt_list() function in client.c that allows     an authenticated, remote attacker to cause a denial of     service condition. (CVE-2017-3302)

  - A carry propagation error exists in the OpenSSL     component in the Broadwell-specific Montgomery     multiplication procedure when handling input lengths     divisible by but longer than 256 bits. This can result     in transient authentication and key negotiation failures     or reproducible erroneous outcomes of public-key     operations with specially crafted input. A     man-in-the-middle attacker can possibly exploit this     issue to compromise ECDH key negotiations that utilize     Brainpool P-512 curves. (CVE-2016-7055)

  - An authentication information disclosure vulnerability,     known as Riddle, exists due to authentication being     performed prior to security parameter verification. A     man-in-the-middle (MitM) attacker can exploit this     vulnerability to disclose sensitive authentication     information, which the attacker can later use for     authenticating to the server. (CVE-2017-3305)

  - Multiple unspecified flaws exist in the DML subcomponent     that allow an authenticated, remote attacker to cause a     denial of service condition. (CVE-2017-3308,     CVE-2017-3456)

  - Multiple unspecified flaws exist in the Optimizer     subcomponent that allow an authenticated, remote     attacker to cause a denial of service condition.
    (CVE-2017-3309, CVE-2017-3452, CVE-2017-3453)

  - An unspecified flaw exists in the Thread Pooling     subcomponent that allows an unauthenticated, remote     attacker to cause a denial of service condition.
    (CVE-2017-3329)

  - An unspecified flaw exists in the Memcached subcomponent     that allows an unauthenticated, remote attacker to cause     a denial of service condition. (CVE-2017-3450)

  - Multiple unspecified flaws exist in the     'Security: Privileges' subcomponent that allow an     authenticated, remote attacker to cause a denial of     service condition. (CVE-2017-3461, CVE-2017-3462,     CVE-2017-3463)

  - An unspecified flaw exists in the DDL subcomponent that     allows an authenticated, remote attacker to update,     insert, or delete data contained in the database.
    (CVE-2017-3464)

  - An unspecified flaw exists in the Pluggable Auth     subcomponent that allows an unauthenticated, remote     attacker to cause a denial of service condition.
    (CVE-2017-3599)

  - An unspecified flaw exists in the 'Client mysqldump'     subcomponent that allows an authenticated, remote     attacker to execute arbitrary code. (CVE-2017-3600)

  - An out-of-bounds read error exists in the OpenSSL     component when handling packets using the     CHACHA20/POLY1305 or RC4-MD5 ciphers. An     unauthenticated, remote attacker can exploit this, via     specially crafted truncated packets, to cause a denial     of service condition. (CVE-2017-3731)

  - A carry propagating error exists in the OpenSSL     component in the x86_64 Montgomery squaring     implementation that may cause the BN_mod_exp() function     to produce incorrect results. An unauthenticated, remote     attacker with sufficient resources can exploit this to     obtain sensitive information regarding private keys.
    (CVE-2017-3732)

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

The version of MySQL running on the remote host is 5.5.x prior to 5.5.55. It is, therefore, affected by multiple vulnerabilities :

  - A use-after-free error exists in the     mysql_prune_stmt_list() function in client.c that allows     an authenticated, remote attacker to cause a denial of     service condition. (CVE-2017-3302)

  - An authentication information disclosure vulnerability,     known as Riddle, exists due to authentication being     performed prior to security parameter verification. A     man-in-the-middle (MitM) attacker can exploit this     vulnerability to disclose sensitive authentication     information, which the attacker can later use for     authenticating to the server. (CVE-2017-3305)

  - Multiple unspecified flaws exist in the DML subcomponent     that allow an authenticated, remote attacker to cause a     denial of service condition. (CVE-2017-3308,     CVE-2017-3456)

  - Multiple unspecified flaws exist in the Optimizer     subcomponent that allow an authenticated, remote     attacker to cause a denial of service condition.
    (CVE-2017-3309, CVE-2017-3453)

  - An unspecified flaw exists in the Thread Pooling     subcomponent that allows an unauthenticated, remote     attacker to update, insert, or delete data contained in     the database. (CVE-2017-3329)

  - Multiple unspecified flaws exist in the     'Security: Privileges' subcomponent that allow an     authenticated, remote attacker to cause a denial of     service condition. (CVE-2017-3461, CVE-2017-3462,     CVE-2017-3463)

  - An unspecified flaw exists in the DDL subcomponent that     allows an authenticated, remote attacker to update,     insert, or delete data contained in the database.
    (CVE-2017-3464)

  - An unspecified flaw exists in the 'Client mysqldump'     subcomponent that allows an authenticated, remote     attacker to execute arbitrary code. (CVE-2017-3600)

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

The version of MySQL running on the remote host is 5.6.x prior to 5.6.36. It is, therefore, affected by multiple vulnerabilities :

  - A carry propagation error exists in the OpenSSL     component in the Broadwell-specific Montgomery     multiplication procedure when handling input lengths     divisible by but longer than 256 bits. This can result     in transient authentication and key negotiation failures     or reproducible erroneous outcomes of public-key     operations with specially crafted input. A     man-in-the-middle attacker can possibly exploit this     issue to compromise ECDH key negotiations that utilize     Brainpool P-512 curves. (CVE-2016-7055)

  - An authentication information disclosure vulnerability,     known as Riddle, exists due to authentication being     performed prior to security parameter verification. A     man-in-the-middle (MitM) attacker can exploit this     vulnerability to disclose sensitive authentication     information, which the attacker can later use for     authenticating to the server. (CVE-2017-3305)

  - Multiple unspecified flaws exist in the DML subcomponent     that allow an authenticated, remote attacker to cause a     denial of service condition. (CVE-2017-3308,     CVE-2017-3456)

  - Multiple unspecified flaws exist in the Optimizer     subcomponent that allow an authenticated, remote     attacker to cause a denial of service condition.
    (CVE-2017-3309, CVE-2017-3452, CVE-2017-3453)

  - An unspecified flaw exists in the Thread Pooling     subcomponent that allows an unauthenticated, remote     attacker to cause a denial of service condition.
    (CVE-2017-3329)

  - An unspecified flaw exists in the Memcached subcomponent     that allows an unauthenticated, remote attacker to cause     a denial of service condition. (CVE-2017-3450)

  - Multiple unspecified flaws exist in the     'Security: Privileges' subcomponent that allow an     authenticated, remote attacker to cause a denial of     service condition. (CVE-2017-3461, CVE-2017-3462,     CVE-2017-3463)

  - An unspecified flaw exists in the DDL subcomponent that     allows an authenticated, remote attacker to update,     insert, or delete data contained in the database.
    (CVE-2017-3464)

  - An unspecified flaw exists in the Pluggable Auth     subcomponent that allows an unauthenticated, remote     attacker to cause a denial of service condition.
    (CVE-2017-3599)

  - An unspecified flaw exists in the 'Client mysqldump'     subcomponent that allows an authenticated, remote     attacker to execute arbitrary code. (CVE-2017-3600)

  - An out-of-bounds read error exists in the OpenSSL     component when handling packets using the     CHACHA20/POLY1305 or RC4-MD5 ciphers. An     unauthenticated, remote attacker can exploit this, via     specially crafted truncated packets, to cause a denial     of service condition. (CVE-2017-3731)

  - A carry propagating error exists in the OpenSSL     component in the x86_64 Montgomery squaring     implementation that may cause the BN_mod_exp() function     to produce incorrect results. An unauthenticated, remote     attacker with sufficient resources can exploit this to     obtain sensitive information regarding private keys.
    (CVE-2017-3732)

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

Oracle reports :

This Critical Patch Update contains 39 new security fixes for Oracle MySQL. 11 of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without requiring user credentials.

ID	Name	Product	Family	Severity
100039	openSUSE Security Update : mysql-community-server (openSUSE-2017-555) (Riddle)	Nessus	SuSE Local Security Checks	high
99760	SUSE SLES11 Security Update : mysql (SUSE-SU-2017:1137-1) (Riddle)	Nessus	SuSE Local Security Checks	medium
99723	Ubuntu 14.04 LTS / 16.04 LTS / 16.10 / 17.04 : mysql-5.5, mysql-5.7 vulnerabilities (USN-3269-1) (Riddle)	Nessus	Ubuntu Local Security Checks	high
99675	Debian DSA-3834-1 : mysql-5.5 - security update (Riddle)	Nessus	Debian Local Security Checks	medium
99673	Debian DLA-916-1 : mysql-5.5 security update (Riddle)	Nessus	Debian Local Security Checks	medium
99515	MySQL 5.6.x < 5.6.36 Multiple Vulnerabilities (April 2017 CPU) (July 2017 CPU) (Riddle)	Nessus	Databases	medium
99514	MySQL 5.5.x < 5.5.55 Multiple Vulnerabilities (April 2017 CPU) (Riddle)	Nessus	Databases	medium
99512	MySQL 5.6.x < 5.6.36 Multiple Vulnerabilities (April 2017 CPU) (July 2017 CPU) (Riddle)	Nessus	Databases	medium
99510	MySQL 5.5.x < 5.5.55 Multiple Vulnerabilities (April 2017 CPU) (Riddle)	Nessus	Databases	medium
99497	FreeBSD : MySQL -- multiple vulnerabilities (d9e01c35-2531-11e7-b291-b499baebfeaf) (Riddle)	Nessus	FreeBSD Local Security Checks	high

CVE-2017-3305

Description

References

Details

Risk Information

CVSS v2.0

CVSS v3.0

Vulnerable Software

Configuration 1

Configuration 2

Tenable Plugins