EmergencyEMERGENCY? Get 24/7 Help Now!

CVE-2016-6225: Percona Xtrabackup Encryption IV Not Being Set Properly

and  | January 12, 2017 |  Posted In: MySQL, Security

PREVIOUS POST
NEXT POST

CVE-2016-6225If you are using Percona XtraBackup with xbcrypt to create encrypted backups, and are using versions older than 2.3.6 or 2.4.5, we advise that you upgrade Percona XtraBackup.

Note: this does not affect encryption of encrypted InnoDB tables.

CVE-2016-6225

Percona XtraBackup versions older than 2.3.6 or 2.4.5 suffered an issue of not properly setting the Initialization Vector (IV) for encryption. This could allow someone to carry out a Chosen-Plaintext Attack, which could recover decrypted content from the encrypted backup files without the need for a password.

Compatibility

Percona XtraBackup carries backward compatibility to allow for the decryption of older backup files. However, encrypted backup files produced by the versions that have the fix will not be compatible with older versions of Percona XtraBackup.

Applicability

Access to the encrypted files must already be present for exploitation to occur. So long as you adequately protect the encrypted files, we don’t expect this issue to adversely affect users.

Credits

Percona would like to thank and give credit to Ken Takara for discovering this issue and working it through to PoC exploitation.

More Information

Release Notes

PREVIOUS POST
NEXT POST
David Busby

Information Security Architect

Kenny Gryp

Kenny is currently MySQL Practice Manager at Percona.

Leave a Reply