--version-check behaves like spyware

Bug #1279502 reported by Maciej Dobrzanski
This bug affects 2 people
Affects | Status | Importance | Assigned to | Milestone
Percona Toolkit (moved to https://jira.percona.com/projects/PT) | Fix Released | High | Daniel Nichter |
Percona Toolkit 2.0 | Invalid | Undecided | Daniel Nichter |
Percona Toolkit 2.1 | Fix Released | High | Daniel Nichter |
Percona Toolkit 2.2 | Fix Released | High | Daniel Nichter |
Percona XtraBackup (moved to https://jira.percona.com/projects/PXB) | Opinion | Undecided | Unassigned |

Bug Description

Percona Toolkit 2.1 introduced --version-check to warn users about known vulnerabilities in the local MySQL instance and to check for PT updates. When this option is enabled - and it is enabled by default(!) - various information about the local MySQL instance as well as other system binaries and packages is submitted to Percona along with the server's IP address. This not only exposes possibly sensitive information, but also does so without bringing it to the user's attention or asking for their consent.

It gets worse. The configuration for what information PT tools should collect is not hardcoded in the scripts. Instead, it is downloaded from http://v.percona.com/ every time. One of the possible parameters is a binary file name to be executed, i.e. Percona can remotely execute an arbitrary command - again, without making the user aware of what is being executed or when. To be fair, the ability to run commands is limited to running "command -v"; however, that holds only under the assumption that the command filters will always work. The configuration can also ask for any MySQL variable - not just the version string.

In my opinion --version-check should never be enabled by default, and if the user wants to keep it enabled, the configuration (i.e. the list of checks) should be hardcoded and explicitly listed, not downloaded from a remote location.

Current workaround: To avoid confidential information being exposed, always use --no-version-check with every PT tool that includes the 'version-check' feature (e.g. pt-query-digest, pt-diskstats).
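The workaround above can be applied persistently instead of remembered on every invocation. This is an added shell example, not part of the bug report: it relies on Percona Toolkit reading options, one per line without the leading dashes, from /etc/percona-toolkit/percona-toolkit.conf and ~/.percona-toolkit.conf; the config path and the tools directory are supplied by the caller.

```shell
#!/bin/sh
# Added example: make the --no-version-check workaround persistent and
# verify it. A "no-version-check" line in a Percona Toolkit config file
# disables the feature for every tool that supports it.

# Append "no-version-check" unless it is already there (idempotent, so
# it is safe to run from configuration management). An explicit
# "version-check" line would re-enable the feature, so drop it.
ensure_no_version_check() {
    conf="$1"
    mkdir -p "$(dirname "$conf")"
    [ -f "$conf" ] || : > "$conf"
    if grep -qx 'no-version-check' "$conf"; then
        return 0
    fi
    grep -vx 'version-check' "$conf" > "$conf.tmp" || true
    printf 'no-version-check\n' >> "$conf.tmp"
    mv "$conf.tmp" "$conf"
}

# Report what a config file says about version-check:
# "disabled", "enabled" (explicitly), or "default" (tool decides).
version_check_state() {
    conf="$1"
    if [ -f "$conf" ] && grep -qx 'no-version-check' "$conf"; then
        echo disabled
    elif [ -f "$conf" ] && grep -qx 'version-check' "$conf"; then
        echo enabled
    else
        echo default
    fi
}

# List the pt-* tools in a directory whose source mentions
# --version-check, so an operator knows which binaries are affected
# (the report names pt-query-digest and pt-diskstats).
tools_with_version_check() {
    dir="$1"
    for f in "$dir"/pt-*; do
        [ -f "$f" ] || continue
        if grep -q -- '--version-check' "$f"; then
            basename "$f"
        fi
    done
}
```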

description: updated
description: updated
Alexey Kopytov (akopytov) wrote :

Adding XtraBackup as an affected project. I agree, the decision to enable VersionCheck by default in PXB was dubious. I see no problems in reverting it if many people are unhappy about the current behavior.

Changed in percona-xtrabackup:
status: New → Opinion
Alexey Kopytov (akopytov) wrote :

See also comments in bug #1255451.

summary: - Percona Toolkit behaves like spyware
+ VersionCheck behaves like spyware
Changed in percona-toolkit:
assignee: nobody → Daniel Nichter (daniel-nichter)
tags: added: all-tools version-check
Daniel Nichter (daniel-nichter) wrote : Re: VersionCheck behaves like spyware

Clarification: PT 2.1 --version-check is OFF by default. It's on by default only in 2.2 (and only for certain tools).

Matt Griffin (mattgriffin) wrote :

@Maciek: Thanks for the report. We're looking into it and will reply soon.

summary: - VersionCheck behaves like spyware
+ --version-check behaves like spyware
Seth Arnold (seth-arnold) wrote :

This is CVE-2014-2029; see http://www.openwall.com/lists/oss-security/2014/02/19/14 for details.

Thanks

Alexey Kopytov (akopytov) wrote :

The command execution part has been reported separately as bug #1285166 and will be fixed in PXB 2.1.8.

Matt Griffin (mattgriffin) wrote :

@Maciek and @Seth: The fix for this has been released in Percona Toolkit 2.2.7. http://www.mysqlperformanceblog.com/2014/02/25/percona-toolkit-2-2-7-now-available/

Shahriyar Rzayev (rzayev-sehriyar) wrote :

Percona now uses JIRA for bug reports so this bug report is migrated to: https://jira.percona.com/browse/PXB-1274

Shahriyar Rzayev (rzayev-sehriyar) wrote :

Percona now uses JIRA for bug reports so this bug report is migrated to: https://jira.percona.com/browse/PT-374
