Percona Toolkit Information Disclosure Vulnerability
Thu 09 August 2018 by feld
Percona includes an information disclosure vulnerability in the form of a "version check" feature in many of their products. Every time you run a database backup with xtrabackup or use any of the Percona Toolkit scripts, the following information is collected and posted to https://v.percona.com:
- OS Platform and Version
- Perl version and version of modules
- MySQL database version
- Hostname of your server, obfuscated with md5_hex()
- Presumably your IP address, visible in the logs
You can find where it was added to xtrabackup with this commit. This same code is duplicated throughout the Percona Toolkit scripts.
CVE-2014-2029 was the first CVE for this functionality; it concerned an attacker's ability to MITM the connection and, through injection, achieve command execution. Later, CVE-2015-1027 was assigned because the fix, adding HTTPS, was susceptible to a downgrade attack. By that time the "feature" that could allow command execution had already been removed, but the information leakage was still present.
Nobody seemed to care that Percona was collecting this data, however.
I've contacted the Percona security team and requested that this feature be removed in its entirety. I'm already working on patches to rip it out of the ports/packages on FreeBSD, but you are vulnerable on other platforms. The only available workaround is to ensure that you pass --no-version-check to these utilities to disable this functionality, but most people will not see this blog post or be aware of the data collection taking place.
Originally the intention of this functionality was to inform the user of available software updates and discover if there are known vulnerabilities in your MySQL software, but that doesn't explain why this information is POSTed to their server. It's simply unacceptable.
vBulletin cannot login without "Remember Me"
If you happen to run a vBulletin forum and hit an issue where you cannot login to the site without first selecting the "Remember Me" checkbox, would you happen to be on CloudFlare or be using a reverse proxy? Make sure for CloudFlare you have the list of their upstream …
Git Is Not Revision Control
Book Review: Altered Carbon
Title: Altered Carbon
Author: Morgan K. Richard
Takeshi Kovacs is brought to Earth in a sleeve he doesn't own. His reputation precedes him, and he has been offered a reward for solving the murder of Laurens Bancroft, which local authorities ruled a suicide...
This book explores some provocative aspects of …
Book Review: Invasive
Author: Chuck Wendig
This is a backdated review.
Set in the same universe as Zeroes, Invasive explores the possible consequences of research into genetically altered insects (ants). We are already doing this with mosquitoes to try to stop the spread of infectious disease, so this technology is with …
FreeBSD Remote Serial Console Access With Dell and Cisco Servers
I have become allergic to Java. It seems every time I need to access a server console my system is throwing fits about Java security. I've spent hours trying to fix a Java issue which was preventing me from fixing a server I needed console access to. I will show …
Using FreeBSD as a Time Capsule for OSX
I've had both a coworker and a FreeBSD developer ask me recently how to use FreeBSD as a Time Capsule for Time Machine from OSX. There are a lot of tutorials out there and most of them are non-functional. This is possibly the simplest guide that is known to be …
Generating DDNS TSIG Keys for BIND
The tutorials on how to generate TSIG keys for BIND DDNS updates suck. It would also be tedious if tasked to generate several. I'm not sure why ISC has not produced a standalone script or utility to make this easier, as nobody should have to piece it together by hand …
Speeding up MySQL Import on FreeBSD
I was recently tasked with rebuilding a readonly slave database server which only slaves a couple of the available databases. The backup/dump is straightforward and fast, but the restore was being excruciatingly slow. I didn't want to wait a week for this thing to finish, so I had to …
Monitoring FreeBSD Base System Vulnerabilities with pkg audit
The FreeBSD base system has been difficult to monitor for published vulnerabilities for a long time. This will improve when we achieve a packaged base system, but that leaves users of currently supported -RELEASE systems without a standardized option.
The freebsd-version(1) utility has existed since FreeBSD 10.0. This …