Percona includes an information disclosure vulnerability in the form of a "version check" feature in many of their products. Every time you run a database backup with xtrabackup or use any of the Percona Toolkit scripts, the following information is collected and posted to https://v.percona.com:

  • OS Platform and Version
  • Perl version and version of modules
  • MySQL database version
  • Hostname of your server, obfuscated with md5_hex()
  • Presumably your IP address, visible in the logs

You can find where it was added to xtrabackup with this commit. This same code is duplicated throughout the Percona Toolkit scripts.

CVE-2014-2029 was the first CVE for this functionality; it concerned an attacker's ability to MITM the connection and, through injection, achieve command execution. Later, CVE-2015-1027 was assigned because the fix, adding HTTPS, was susceptible to a downgrade attack. By then the "feature" that could allow command execution had already been removed, but the information leakage was still present.

Nobody seemed to care that Percona was collecting this data, however.

I've contacted the Percona security team and requested that this feature be removed in its entirety. I'm already working on patches to rip it out of the ports/packages on FreeBSD, but you are vulnerable on other platforms. The only available workaround is to ensure that you pass --no-version-check to these utilities to disable this functionality, but most people will not see this blog post or be aware of the data collection taking place.

Originally the intention of this functionality was to inform the user of available software updates and discover if there are known vulnerabilities in your MySQL software, but that doesn't explain why this information is POSTed to their server. It's simply unacceptable.
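As an added example (not code from the original post or from Percona), the following Python helper does two things a defender would want after reading the above: it audits cron entries for xtrabackup/innobackupex/pt-* invocations that lack --no-version-check, and it counts clients that POST to v.percona.com in a proxy log. The cron lines and the proxy log format ("timestamp client method url") are constructed assumptions for the example.

```python
import re
from collections import Counter

# Endpoint named in the post, and the tools the post says carry the version check.
VERSION_CHECK_HOST = "v.percona.com"
PERCONA_TOOL = re.compile(r"\b(xtrabackup|innobackupex|pt-[a-z-]+)\b")
OPT_OUT = "--no-version-check"


def invocations_missing_opt_out(lines):
    """Return (tool, line) pairs for Percona tool invocations without --no-version-check."""
    findings = []
    for line in lines:
        stripped = line.strip()
        if not stripped or stripped.startswith("#"):
            continue  # skip blank and commented-out entries
        m = PERCONA_TOOL.search(stripped)
        if m and OPT_OUT not in stripped:
            findings.append((m.group(1), stripped))
    return findings


def hosts_posting_version_check(log_lines):
    """Count, per client, POSTs to v.percona.com (plain or TLS) in a proxy log.

    Assumed constructed log format: '<timestamp> <client_ip> <method> <url>'.
    """
    hits = Counter()
    for line in log_lines:
        parts = line.split()
        if len(parts) < 4:
            continue  # malformed line, ignore
        _, client, method, url = parts[:4]
        host = re.sub(r"^https?://", "", url).split("/")[0]
        if method == "POST" and host == VERSION_CHECK_HOST:
            hits[client] += 1
    return hits


# Constructed sample input (not real crontabs or logs).
CRON_SAMPLE = [
    "0 2 * * * /usr/local/bin/xtrabackup --backup --target-dir=/backup --no-version-check",
    "30 3 * * 0 /usr/local/bin/pt-table-checksum h=db1",
    "# 0 4 * * * pt-archiver --source h=db1,D=app,t=log --purge",
    "0 5 * * * /usr/local/bin/innobackupex /backup",
]
PROXY_SAMPLE = [
    "2016-08-01T02:00:05 10.0.0.21 POST https://v.percona.com/",
    "2016-08-01T02:00:06 10.0.0.21 GET https://repo.percona.com/apt/dists",
    "2016-08-01T03:30:02 10.0.0.22 POST http://v.percona.com/",
    "2016-08-01T03:30:09 10.0.0.21 POST https://v.percona.com/",
]
```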


vBulletin cannot login without "Remember Me"

Wed 25 July 2018 by feld

If you happen to run a vBulletin forum and hit an issue where you cannot login to the site without first selecting the "Remember Me" checkbox, would you happen to be on CloudFlare or be using a reverse proxy? Make sure for CloudFlare you have the list of their upstream …


Git Is Not Revision Control

Sun 21 January 2018 by feld

Git has always rubbed me the wrong way. The ability to rewrite history and not tracking file renames are a few of the reasons it has turned me sour, not to mention the awful inconsistent UX as brilliantly mocked in Git Koans. I'm not objective enough to come up with …


FreeBSD Remote Serial Console Access With Dell and Cisco Servers

Mon 01 May 2017 by feld

I have become allergic to Java. It seems every time I need to access a server console my system is throwing fits about Java security. I've spent hours trying to fix a Java issue which was preventing me from fixing a server I needed console access to. I will show …


Using FreeBSD as a Time Capsule for OSX

Mon 19 December 2016 by feld

I've had both a coworker and a FreeBSD developer ask me recently how to use FreeBSD as a Time Capsule for Time Machine from OSX. There are a lot of tutorials out there and most of them are non-functional. This is possibly the simplest guide that is known to be …


Generating DDNS TSIG Keys for BIND

Thu 15 December 2016 by feld

The tutorials on how to generate TSIG keys for BIND DDNS updates suck. It would also be tedious if tasked to generate several. I'm not sure why ISC has not produced a standalone script or utility to make this easier as nobody should have to piece it together by hand …


Speeding up MySQL Import on FreeBSD

Wed 28 September 2016 by feld

I was recently tasked with rebuilding a readonly slave database server which only slaves a couple of the available databases. The backup/dump is straightforward and fast, but the restore was being excruciatingly slow. I didn't want to wait a week for this thing to finish, so I had to …


Monitoring FreeBSD Base System Vulnerabilities with pkg audit

Fri 12 August 2016 by feld

The FreeBSD base system has been difficult to monitor for published vulnerabilities for a long time. This will improve when we achieve a packaged base system, but that leaves users of currently supported -RELEASE systems without a standardized option.

The freebsd-version(1) utility has existed since FreeBSD 10.0. This …


Java KVM Troubles on OSX

Thu 30 June 2016 by feld

I was having troubles on OSX getting access to the KVM at work which is a Dell KVM 4322DS. The connection errors from Java about security settings were not resolved by whitelisting the site in the Java console. Turns out newer Java disables some SSL/TLS algorithms and settings that …


Fixing Time Machine / Netatalk (error (null))

Fri 19 February 2016 by feld

Recently I was setting up a new Time Machine backup on my wife's MacBook so it would use my FreeBSD/ZFS server. My own personal MacBook was already backing up to it successfully and has been for quite some time. When I attempted to start a new backup to the …
