Many Percona products ship with an information disclosure vulnerability in the form of a "version check" feature. Every time you run a database backup with xtrabackup or use any of the Percona Toolkit scripts, the following information is collected and posted to https://v.percona.com:

  • OS Platform and Version
  • Perl version and version of modules
  • MySQL database version
  • Hostname of your server, obfuscated with md5_hex()
  • Presumably your IP address, visible in the logs

You can find where it was added to xtrabackup with this commit. This same code is duplicated throughout the Percona Toolkit scripts.

CVE-2014-2029 was the first CVE for this functionality; it covered an attacker's ability to MITM the connection and, through injection, achieve command execution. Later, CVE-2015-1027 was assigned because the fix, adding HTTPS, was susceptible to a downgrade attack. By that time the "feature" that could allow command execution had already been removed, but the information leakage was still present.

Nobody seemed to care that Percona was collecting this data, however.

I've contacted the Percona security team and requested that this feature be removed in its entirety. I'm already working on patches to rip it out of the ports/packages on FreeBSD, but you are vulnerable on other platforms. The only available workaround is to ensure that you pass --no-version-check to these utilities to disable this functionality, but most people will not see this blog post or be aware of the data collection taking place.

Originally the intention of this functionality was to inform the user of available software updates and to discover whether there are known vulnerabilities in your MySQL software, but that doesn't explain why this information is POSTed to their server. It's simply unacceptable.
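Two checks a defender can run for the problem described above, as an added example that is not part of the original post or of any Percona code: one audits crontab-style job lines for xtrabackup or pt-* invocations that lack --no-version-check, the other scans squid-style egress proxy log lines for POSTs to v.percona.com (a plaintext http:// hit is worth a closer look given the downgrade issue). The cron lines, the proxy log lines and their simplified field layout are constructed for this example.

```python
import re
from typing import List, Tuple

# Constructed sample data, not captured from a real system.
# Cron job lines: the five time fields, then the command.
SAMPLE_CRON = """\
0 2 * * * /usr/bin/xtrabackup --backup --target-dir=/backup/full
30 2 * * * /usr/bin/xtrabackup --backup --no-version-check --target-dir=/backup/inc
*/10 * * * * /usr/bin/pt-heartbeat --update -D percona
0 3 * * 0 /usr/bin/pt-table-checksum --no-version-check h=localhost
"""

# Constructed, simplified squid-style access log lines:
# timestamp elapsed client status/code bytes method url ident hierarchy type
SAMPLE_PROXY_LOG = """\
1471000000.123 45 10.0.0.5 TCP_MISS/200 512 POST https://v.percona.com/ - HIER_DIRECT/192.0.2.10 text/plain
1471000010.456 12 10.0.0.5 TCP_MISS/200 2048 GET https://repo.percona.com/ - HIER_DIRECT/192.0.2.11 text/html
1471000020.789 33 10.0.0.9 TCP_MISS/200 600 POST http://v.percona.com/ - HIER_DIRECT/192.0.2.10 text/plain
"""

# Tools the post names: xtrabackup and the Percona Toolkit pt-* scripts.
PERCONA_TOOL = re.compile(r'(^|/)(xtrabackup|pt-[a-z-]+)\b')


def cron_jobs_missing_flag(cron_text: str) -> List[str]:
    """Return cron commands that run a Percona tool without --no-version-check."""
    missing = []
    for line in cron_text.splitlines():
        line = line.strip()
        if not line or line.startswith('#'):
            continue
        cmd = line.split(None, 5)[5]  # drop the five cron time fields
        if PERCONA_TOOL.search(cmd) and '--no-version-check' not in cmd.split():
            missing.append(cmd)
    return missing


def version_check_posts(log_text: str) -> List[Tuple[str, str, str]]:
    """Return (client_ip, scheme, url) for every POST to v.percona.com."""
    hits = []
    for line in log_text.splitlines():
        f = line.split()
        if len(f) < 7:
            continue
        client, method, url = f[2], f[5], f[6]
        scheme, _, rest = url.partition('://')
        host = rest.split('/', 1)[0]
        if method == 'POST' and host == 'v.percona.com':
            hits.append((client, scheme, url))
    return hits
```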


Monitoring FreeBSD Base System Vulnerabilities with pkg audit

Fri 12 August 2016 by feld

The FreeBSD base system has been difficult to monitor for published vulnerabilities for a long time. This will improve when we achieve a packaged base system, but that leaves users of currently supported -RELEASE systems without a standardized option.

The freebsd-version(1) utility has existed since FreeBSD 10.0. This …

Kindly Subverting POODLE

Wed 15 October 2014 by feld

Let's pretend for a moment you live in a world where you need to protect your customers from POODLE without completely breaking access for IE6 users. Scary errors or a complete failure to connect to the server are not options. Well then, this blog post is for you!

This solution …
