CVE-2024-7701

Severity: 7.5 HIGH

📋 TL;DR

CVE-2024-7701 is a vulnerability in Percona Toolkit's pt-secure-collect tool: it uses a weak password hashing algorithm, which leaves its encrypted output susceptible to brute-force (password-guessing) attacks. It affects systems that use percona-toolkit version 3.6.0 for data collection and encryption. Database administrators and DevOps teams who use this tool for handling sensitive data are the primary population affected.

💻 Affected Systems

Products:
  • percona-toolkit
Versions: 3.6.0
Operating Systems: All platforms running percona-toolkit
Default Config Vulnerable: ⚠️ Yes
Notes: Only affects the pt-secure-collect tool when used with encryption. Other percona-toolkit components are not affected.

📦 What is this software?

⚠️ Risk & Real-World Impact

🔴 Worst Case

Attackers could decrypt sensitive database collection data, potentially exposing credentials, configuration files, or other confidential information stored in encrypted archives.

🟠 Likely Case

Unauthorized access to collected diagnostic or backup data containing database metadata, configuration details, or partial data samples.

🟢 If Mitigated

Limited exposure of non-sensitive diagnostic information, given proper access controls and encryption key management.

🌐 Internet-Facing: MEDIUM - While the tool itself may not be internet-facing, encrypted archives could be exposed through file transfers or storage systems.
🏢 Internal Only: MEDIUM - Internal attackers or compromised systems could exploit weak hashes to access sensitive collected data.

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ✅ No
Complexity: LOW - Requires access to encrypted archives and ability to perform hash cracking.

Exploitation requires obtaining encrypted output files from pt-secure-collect operations.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 3.6.1 or later

Vendor Advisory: https://www.percona.com/blog/

Restart Required: No

Instructions:

1. Check current version: pt-version
2. Update via package manager: yum update percona-toolkit or apt-get update && apt-get upgrade percona-toolkit
3. Verify update: pt-version should show 3.6.1 or higher

🔧 Temporary Workarounds

Avoid pt-secure-collect encryption (platform: all)

Use alternative encryption methods or avoid encrypting sensitive data with pt-secure-collect:

pt-secure-collect --no-encryption

Use external encryption (platform: linux)

Collect data without encryption and encrypt it using a strong algorithm such as AES-256:

pt-secure-collect --no-encryption | gpg --symmetric --cipher-algo AES256

🧯 If You Can't Patch

  • Avoid using pt-secure-collect for sensitive data collection
  • Implement strict access controls on encrypted output files and monitor for unauthorized access

🔍 How to Verify

Check if Vulnerable:

Check whether the installed percona-toolkit version is 3.6.0 (the affected release) by listing the version and reading it from the output: pt-version | grep 'percona-toolkit'

Check Version:

pt-version | grep 'percona-toolkit'

Verify Fix Applied:

Verify the version is 3.6.1 or higher: pt-version | grep -E 'percona-toolkit.*(3\.6\.[1-9][0-9]*|3\.([7-9]|[1-9][0-9]+)\.[0-9]+|([4-9]|[1-9][0-9]+)\.[0-9]+\.[0-9]+)' (the pattern matches 3.6.1 and later 3.6.x patch releases as well as 3.7+ and 4.x+; a pattern limited to 3\.6\.[1-9] would wrongly report a 3.7.0 install as unpatched)
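A grep pattern is brittle for "3.6.1 or higher" because a new minor release (3.7.0) is fixed but does not look like 3.6.x. The script below is an added example, not part of this advisory or of Percona Toolkit: it parses a version number out of a version line, compares it numerically component by component, and classifies it against the affected release (3.6.0) and the fixed release (3.6.1). The input lines are constructed samples in the form "percona-toolkit X.Y.Z" and are not real pt-version output; adapt extract_version to whatever your tool actually prints.

```shell
#!/bin/sh
# Added example (not from the advisory or Percona Toolkit): classify a
# percona-toolkit version string against CVE-2024-7701's affected and
# fixed releases, without relying on a grep regex that only knows 3.6.x.

AFFECTED_VERSION="3.6.0"   # the only version the advisory lists as affected
FIXED_VERSION="3.6.1"      # first fixed release per the advisory

# vercmp A B: print -1 if A < B, 0 if equal, 1 if A > B.
# Each dotted component is compared as an integer, so 3.6.10 > 3.6.9
# and 3.7.0 > 3.6.1; missing trailing components count as 0.
vercmp() {
    awk -v a="$1" -v b="$2" 'BEGIN {
        na = split(a, x, "."); nb = split(b, y, ".")
        n = (na > nb) ? na : nb
        for (i = 1; i <= n; i++) {
            xi = (i <= na) ? x[i] + 0 : 0
            yi = (i <= nb) ? y[i] + 0 : 0
            if (xi < yi) { print -1; exit }
            if (xi > yi) { print 1; exit }
        }
        print 0
    }'
}

# extract_version LINE: print the first dotted number found in LINE.
# Assumes the version line carries the number in plain "X.Y.Z" form
# (constructed sample format, not verified against real pt-version output).
extract_version() {
    printf '%s\n' "$1" | grep -oE '[0-9]+(\.[0-9]+)*' | head -n 1
}

# is_fixed VERSION: true (exit 0) when VERSION >= 3.6.1.
is_fixed() {
    [ "$(vercmp "$1" "$FIXED_VERSION")" -ge 0 ]
}

# is_affected VERSION: true when VERSION is exactly the listed affected release.
is_affected() {
    [ "$(vercmp "$1" "$AFFECTED_VERSION")" -eq 0 ]
}

# classify LINE: print VULNERABLE, FIXED, OTHER (older, unlisted) or UNKNOWN.
classify() {
    v=$(extract_version "$1")
    [ -n "$v" ] || { echo "UNKNOWN"; return 0; }
    if is_affected "$v"; then
        echo "VULNERABLE"
    elif is_fixed "$v"; then
        echo "FIXED"
    else
        echo "OTHER"
    fi
}

# Constructed sample lines for demonstration (not real tool output).
classify "percona-toolkit 3.6.0"   # VULNERABLE
classify "percona-toolkit 3.6.1"   # FIXED
classify "percona-toolkit 3.7.0"   # FIXED: a 3.6.x-only regex would miss this
classify "percona-toolkit 3.5.7"   # OTHER: below the fix but not listed as affected
```

In practice you would feed `classify` the line produced by `pt-version | grep 'percona-toolkit'` and treat anything other than FIXED as a reason to look closer. The awk comparison is POSIX and needs no GNU-specific `sort -V`.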

📡 Detection & Monitoring

Log Indicators:

  • Failed decryption attempts on pt-secure-collect output files
  • Unusual access patterns to encrypted archive files

Network Indicators:

  • Unexpected transfers of encrypted .tar.gz files from database servers

SIEM Query:

source="*pt-secure-collect*" AND (event="encryption" OR event="decryption")
