dbcli / mycli

A Terminal Client for MySQL with AutoCompletion and Syntax Highlighting.
http://mycli.net

Cryptographic API Misuse Vulnerability: AES ECB used for configuration #1131

Closed gxx777 closed 6 months ago

gxx777 commented 9 months ago

Description: I have identified a security vulnerability in the mycli project's use of AES ECB (Electronic Codebook) mode for configuration. This vulnerability can potentially expose sensitive information and compromise the security of the application.

Locations:

  1. https://github.com/dbcli/mycli/blob/main/mycli/config.py#L192
  2. https://github.com/dbcli/mycli/blob/main/mycli/config.py#L270

Version: mycli <= 1.27.0

Expected Behavior: Instead of using AES ECB, it is recommended to use more secure encryption modes, such as AES CBC (Cipher Block Chaining) or AES GCM (Galois/Counter Mode), for configuration in order to enhance the security of mycli.

Actual Behavior: Upon inspecting the config.py file, it has been found that AES ECB mode is used for configuration at line 192 and line 270. AES ECB does not provide adequate security due to its lack of diffusion and pattern repetition, making it vulnerable to certain attacks.

Recommendations: It is strongly recommended to update the mycli project's code at line 192 and line 270 in the config.py file to use more secure encryption modes, such as AES CBC or AES GCM, for configuration. This will help mitigate the potential security risks associated with using AES ECB. Otherwise, the cryptography.io (https://cryptography.io/) crypto library is a good programming practice.

Additional Information: Please note that using AES ECB for configuration can lead to information leakage and compromise the confidentiality of sensitive data stored within mycli. Upgrading to a more secure encryption mode will significantly enhance the security posture of the application.
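The ECB property the report describes (identical plaintext blocks produce identical ciphertext blocks, because each block is encrypted independently) can be shown directly. The following is an added example and is not code from mycli or from MySQL: it implements AES-128 in pure Python (encryption direction only, per FIPS-197) so it runs with no dependencies, encrypts a constructed four-block "config" plaintext under ECB and under CBC, and counts duplicated ciphertext blocks. The key, IV and plaintext are constructed values; the FIPS-197 Appendix C.1 known-answer vector checks that the cipher itself is correct.

```python
# Added example, not code from mycli or MySQL. Pure-Python AES-128 (encrypt
# only) plus ECB and CBC modes, used to show why equal plaintext blocks leak
# through ECB. Key, IV and plaintext below are constructed demo values.


def _gmul(a, b):
    """Multiply two bytes in GF(2^8) with the AES polynomial x^8+x^4+x^3+x+1."""
    r = 0
    for _ in range(8):
        if b & 1:
            r ^= a
        carry = a & 0x80
        a = (a << 1) & 0xFF
        if carry:
            a ^= 0x1B
        b >>= 1
    return r


def _build_sbox():
    """S-box = affine transform of the multiplicative inverse (found by search)."""
    inv = {0: 0}
    for a in range(1, 256):
        inv[a] = next(b for b in range(1, 256) if _gmul(a, b) == 1)
    rotl = lambda x, n: ((x << n) | (x >> (8 - n))) & 0xFF
    return [inv[a] ^ rotl(inv[a], 1) ^ rotl(inv[a], 2) ^ rotl(inv[a], 3)
            ^ rotl(inv[a], 4) ^ 0x63 for a in range(256)]


SBOX = _build_sbox()


def _expand_key(key):
    """AES-128 key schedule: 16-byte key -> 11 round keys of 16 bytes each."""
    w = [list(key[i:i + 4]) for i in range(0, 16, 4)]
    rcon = 1
    for i in range(4, 44):
        t = list(w[i - 1])
        if i % 4 == 0:
            t = [SBOX[b] for b in t[1:] + t[:1]]   # RotWord, then SubWord
            t[0] ^= rcon
            rcon = _gmul(rcon, 2)
        w.append([w[i - 4][j] ^ t[j] for j in range(4)])
    return [sum(w[4 * r:4 * r + 4], []) for r in range(11)]


def _encrypt_block(round_keys, block):
    """Encrypt one 16-byte block; state byte index = 4*column + row."""
    s = [b ^ k for b, k in zip(block, round_keys[0])]
    for rnd in range(1, 11):
        s = [SBOX[b] for b in s]                                            # SubBytes
        s = [s[r + 4 * ((c + r) % 4)] for c in range(4) for r in range(4)]  # ShiftRows
        if rnd < 10:                                                        # MixColumns
            m = []
            for c in range(4):
                a0, a1, a2, a3 = s[4 * c:4 * c + 4]
                m += [_gmul(a0, 2) ^ _gmul(a1, 3) ^ a2 ^ a3,
                      a0 ^ _gmul(a1, 2) ^ _gmul(a2, 3) ^ a3,
                      a0 ^ a1 ^ _gmul(a2, 2) ^ _gmul(a3, 3),
                      _gmul(a0, 3) ^ a1 ^ a2 ^ _gmul(a3, 2)]
            s = m
        s = [b ^ k for b, k in zip(s, round_keys[rnd])]                     # AddRoundKey
    return bytes(s)


def aes_ecb_encrypt(key, data):
    """ECB: blocks are encrypted independently, so equal input blocks give equal output."""
    rk = _expand_key(key)
    return b"".join(_encrypt_block(rk, data[i:i + 16]) for i in range(0, len(data), 16))


def aes_cbc_encrypt(key, iv, data):
    """CBC: each block is XORed with the previous ciphertext block (IV first) before encryption."""
    rk = _expand_key(key)
    prev, out = iv, bytearray()
    for i in range(0, len(data), 16):
        prev = _encrypt_block(rk, bytes(p ^ c for p, c in zip(data[i:i + 16], prev)))
        out += prev
    return bytes(out)


def repeated_blocks(ciphertext):
    """Number of 16-byte ciphertext blocks that duplicate an earlier block."""
    blocks = [ciphertext[i:i + 16] for i in range(0, len(ciphertext), 16)]
    return len(blocks) - len(set(blocks))


def fips197_vector_ok():
    """Known-answer check from FIPS-197 Appendix C.1 (AES-128)."""
    key = bytes(range(16))
    pt = bytes.fromhex("00112233445566778899aabbccddeeff")
    return aes_ecb_encrypt(key, pt) == bytes.fromhex("69c4e0d86a7b0430d8cdb78070b4c55a")


# Constructed demo inputs: four 16-byte "config" blocks, with the password
# line appearing twice so the plaintext contains one repeated block.
DEMO_KEY = bytes.fromhex("0f1e2d3c4b5a69788796a5b4c3d2e1f0")
DEMO_IV = bytes.fromhex("00000000000000000000000000000001")
DEMO_PLAINTEXT = (b"password=hunter2" + b"user=alice      "
                  + b"password=hunter2" + b"host=localhost  ")


def demo():
    """Return (repeated blocks under ECB, repeated blocks under CBC) for the demo plaintext."""
    ecb = aes_ecb_encrypt(DEMO_KEY, DEMO_PLAINTEXT)
    cbc = aes_cbc_encrypt(DEMO_KEY, DEMO_IV, DEMO_PLAINTEXT)
    return repeated_blocks(ecb), repeated_blocks(cbc)


if __name__ == "__main__":
    print("FIPS-197 vector ok:", fips197_vector_ok())
    print("repeated ciphertext blocks (ECB, CBC):", demo())
```

Under ECB the duplicated password line shows up as a duplicated ciphertext block, so an observer learns that blocks 1 and 3 hold the same content without decrypting anything; under CBC the chaining hides the repetition. CBC on its own still gives no integrity protection, which is why the report's alternative suggestion of AES GCM (an authenticated mode) is the stronger choice where the file format can be changed.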

gxx777 commented 8 months ago

The affected version for this CVE entry is mycli 1.27.0.

terjeros commented 8 months ago

Code in mycli merely implements the format defined in MySQL's mysql_config_editor tool:

https://dev.mysql.com/doc/refman/8.0/en/mysql-config-editor.html
https://github.com/mysql/mysql-server/blob/trunk/client/mysql_config_editor.cc

Do you suggest code in mycli can at the same time avoid using unsafe modes and still be compatible with that tool?

carnil commented 8 months ago

Appears that CVE-2023-44690 is assigned for this issue.

pdeslaur commented 6 months ago

This CVE does appear to be a false positive. I'd recommend that a project maintainer contact the CVE program to dispute this CVE.

As @terjeros pointed out, MySQL uses AES ECB for this specific purpose, and this library is compatible with MySQL.

@gxx777 - I'd recommend contacting the MySQL server project to discuss the use of AES ECB by the MySQL Configuration Utility to determine if it should be considered a vulnerability!