[Bug 1997691] [NEW] libmysqlcppconn7v5: broken TLS configuration allows insecure connections without any warnings

Thomas Dreibholz 1997691 at bugs.launchpad.net
Thu Nov 24 10:09:21 UTC 2022


Public bug reported:

I wrote a small test program to test the client connectivity with
libmysqlcppconn7v5 (tested on Ubuntu 20.04 LTS) to an up-to-date MariaDB
server (Ubuntu 22.10 LTS). The MariaDB server was explicitly configured
not to use TLS. The test client is configured to enforce TLS, i.e.:

sql::ConnectOptionsMap connectionProperties;
...
connectionProperties["sslVerify"] = true;
connectionProperties["sslEnforce"]= true;

Without any warning, it succeeds in connecting to the insecure MariaDB
server, i.e. leaving the connection insecure without any error or
warning!

Analysing the sources of libmysqlcppconn7v5 (libmysqlcppconn7v5-dev,
i.e. mysql-connector-c++-1.1.12), I found a line where the option
MYSQL_OPT_SSL_MODE (used by the underlying MySQL library) is explicitly
commented out. Changing this seems to fix the issue:

diff -r mysql-connector-c++-1.1.12.orig/driver/nativeapi/mysql_native_connection_wrapper.cpp mysql-connector-c++-1.1.12/driver/nativeapi/mysql_native_connection_wrapper.cpp
100c100
<   //case sql::mysql::MYSQL_OPT_SSL_MODE: return ::MYSQL_OPT_SSL_MODE;
---
>   case sql::mysql::MYSQL_OPT_SSL_MODE: return ::MYSQL_OPT_SSL_MODE;
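
Review bot: line 100 re-enables the MYSQL_OPT_SSL_MODE mapping with no guard and no note on why the case had been commented out. If it was disabled because ::MYSQL_OPT_SSL_MODE is not defined by every client library this package is built against, the change will fail to compile there, so confirm the constant is available in the build dependency or wrap the case in a version check. A regression test that connects with sslEnforce set to a server without TLS and expects a failure would keep this from silently regressing again.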

That is, the client now, as intended, rejects the insecure connection.

This bug is a major security issue, allowing MitM attacks on any client
application using libmysqlcppconn7v5.

** Affects: mysql-connector-c++ (Ubuntu)
     Importance: Undecided
         Status: New

** Information type changed from Private Security to Public

** Package changed: firefox (Ubuntu) => mysql-connector-c++ (Ubuntu)

** Information type changed from Public to Public Security

** Attachment removed: "IpAddr.txt"
   https://bugs.launchpad.net/ubuntu/+source/mysql-connector-c++/+bug/1997691/+attachment/5632588/+files/IpAddr.txt

** Attachment removed: "IpRoute.txt"
   https://bugs.launchpad.net/ubuntu/+source/mysql-connector-c++/+bug/1997691/+attachment/5632589/+files/IpRoute.txt

** Attachment removed: "CurrentDmesg.txt"
   https://bugs.launchpad.net/ubuntu/+source/mysql-connector-c++/+bug/1997691/+attachment/5632586/+files/CurrentDmesg.txt

** Attachment removed: "PulseList.txt"
   https://bugs.launchpad.net/ubuntu/+source/mysql-connector-c++/+bug/1997691/+attachment/5632596/+files/PulseList.txt

** Attachment removed: "Profile0Prefs.txt"
   https://bugs.launchpad.net/ubuntu/+source/mysql-connector-c++/+bug/1997691/+attachment/5632595/+files/Profile0Prefs.txt

** Attachment removed: "AlsaInfo.txt"
   https://bugs.launchpad.net/ubuntu/+source/mysql-connector-c++/+bug/1997691/+attachment/5632585/+files/AlsaInfo.txt

** Attachment removed: "ProcStatus.txt"
   https://bugs.launchpad.net/ubuntu/+source/mysql-connector-c++/+bug/1997691/+attachment/5632594/+files/ProcStatus.txt

** Attachment removed: "ProcMaps.txt"
   https://bugs.launchpad.net/ubuntu/+source/mysql-connector-c++/+bug/1997691/+attachment/5632593/+files/ProcMaps.txt

** Attachment removed: "Lspci.txt"
   https://bugs.launchpad.net/ubuntu/+source/mysql-connector-c++/+bug/1997691/+attachment/5632590/+files/Lspci.txt

** Attachment removed: "PciNetwork.txt"
   https://bugs.launchpad.net/ubuntu/+source/mysql-connector-c++/+bug/1997691/+attachment/5632591/+files/PciNetwork.txt

** Information type changed from Public Security to Public
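
Added example, not part of the bug report or of mysql-connector-c++: a post-connect check that a test program like the one in the report could run to detect a session that ended up unencrypted although sslEnforce was set. The StatusLookup callable, fake_session, the sample cipher names and the TLS version allow-list are assumptions made for illustration.

```cpp
#include <functional>
#include <iostream>
#include <stdexcept>
#include <string>

// Returns the Value column of: SHOW SESSION STATUS LIKE '<name>'
// With Connector/C++ this would wrap Statement::executeQuery() and
// ResultSet::getString("Value"); a callable (an assumption of this
// example) keeps the check runnable without a server.
using StatusLookup = std::function<std::string(const std::string&)>;

struct TlsState { std::string cipher, version; };

// Judge the established session, not the options that were requested:
// an empty Ssl_cipher means the connection is plaintext.
// The version allow-list is example policy, not taken from the report.
TlsState require_encrypted(const StatusLookup& status) {
    TlsState s{status("Ssl_cipher"), status("Ssl_version")};
    if (s.cipher.empty())
        throw std::runtime_error("session is not encrypted (Ssl_cipher is empty)");
    if (s.version != "TLSv1.2" && s.version != "TLSv1.3")
        throw std::runtime_error("TLS version not allowed: " + s.version);
    return s;
}

// Constructed sample sessions standing in for real servers.
StatusLookup fake_session(std::string cipher, std::string version) {
    return [cipher, version](const std::string& name) -> std::string {
        if (name == "Ssl_cipher") return cipher;
        if (name == "Ssl_version") return version;
        return "";
    };
}

// Returns true only if the session passes the check; logs the reason otherwise.
bool accepted(const StatusLookup& session) {
    try { require_encrypted(session); return true; }
    catch (const std::runtime_error& e) {
        std::cerr << "rejected: " << e.what() << "\n";
        return false;
    }
}

int main() {
    bool plain = accepted(fake_session("", ""));  // server with TLS disabled
    bool old   = accepted(fake_session("ECDHE-RSA-AES256-SHA", "TLSv1.1"));
    bool good  = accepted(fake_session("TLS_AES_256_GCM_SHA384", "TLSv1.3"));
    return (!plain && !old && good) ? 0 : 1;
}
```

Because the status value is reported over the same connection it describes, this serves as a regression and monitoring check and does not replace enforcement inside the client library.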

