Percona Toolkit Information Disclosure Vulnerability

Thu 09 August 2018 by feld

Percona includes an information disclosure vulnerability in the form of a "version check" feature in many of their products. Every time you run a database backup with xtrabackup or use any of the Percona Toolkit scripts, the following information is collected and posted to

  • OS Platform and Version
  • Perl version and version of modules
  • MySQL database version
  • Hostname of your server, obfuscated with md5_hex()
  • Presumably your IP address, visible in the logs

You can find where it was added to xtrabackup with this commit. This same code is duplicated throughout the Percona Toolkit scripts.

CVE-2014-2029 was the first CVE for this functionality. It covered the ability of an attacker to MITM the connection and, through injection, achieve command execution. Later, CVE-2015-1027 was assigned because the fix, adding HTTPS, was susceptible to a downgrade attack. By that time the "feature" that could allow command execution had already been removed, but the information leakage was still present.

Nobody seemed to care that Percona was collecting this data, however.

I've contacted the Percona security team and requested that this feature be removed in its entirety. I'm already working on patches to rip it out of the ports/packages on FreeBSD, but you are vulnerable on other platforms. The only available workaround is to ensure that you pass --no-version-check to these utilities to disable this functionality, but most people will not see this blog post or be aware of the data collection taking place.

Originally the intention of this functionality was to inform the user of available software updates and discover if there are known vulnerabilities in your MySQL software, but that doesn't explain why this information is POSTed to their server. It's simply unacceptable.
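One way to find cron entries and scripts that still call these tools without the --no-version-check workaround described above. This is an added example, not code from the original post or from Percona. It assumes the toolkit scripts use their usual pt-* names, looks only for the command-line flag, and is a heuristic: a path argument named like a tool is reported too.

```python
import os
import re
import shlex

TOOL_RE = re.compile(r"xtrabackup|pt-[a-z0-9-]+")  # assumption: usual pt-* names
FLAG = "--no-version-check"  # the workaround named in the post

def simple_commands(line):
    """Yield one argv list per simple command on a shell or cron line."""
    lexer = shlex.shlex(line, posix=True, punctuation_chars=True)
    lexer.whitespace_split = True
    try:
        tokens = list(lexer)          # shlex drops '#' comments
    except ValueError:                # unbalanced quote: crude fallback
        tokens = line.split()
    argv = []
    for tok in tokens:
        if tok and set(tok) <= set("|&;()"):   # |, ||, &&, ;, subshell
            yield argv
            argv = []
        else:
            argv.append(tok)
    yield argv

def audit(text):
    """Return (first_line_number, tool) for each invocation lacking FLAG."""
    findings, pending, start = [], "", 0
    for num, raw in enumerate(text.splitlines(), 1):
        start = start if pending else num
        if raw.rstrip().endswith("\\"):        # join backslash continuations
            pending += raw.rstrip()[:-1] + " "
            continue
        line, pending = pending + raw, ""
        for argv in simple_commands(line):
            for i, tok in enumerate(argv):
                name = os.path.basename(tok)
                if tok.startswith("-") or "=" in tok or not TOOL_RE.fullmatch(name):
                    continue                   # option, DSN or unrelated word
                if FLAG not in argv[i + 1:]:
                    findings.append((start, name))
                break
    return findings

# Constructed sample: one crontab entry and one two-line script command.
SAMPLE = """\
0 2 * * * root /usr/bin/xtrabackup --backup --stream=xbstream | gzip > /bk.gz
pt-table-checksum --no-version-check h=localhost && \\
  pt-table-sync --print h=localhost
"""
print(audit(SAMPLE))
```

Feed it the contents of crontabs, systemd unit files or backup scripts; each finding gives the line where the command starts.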