SecurityWeek

MySQL SSL/TLS Connections at Risk Due to BACKRONYM Flaw

MySQL, Oracle’s relational database management system, is plagued by a vulnerability that can be exploited to downgrade SSL/TLS connections, according to researchers at Duo Security.

The vulnerability, dubbed BACKRONYM (Bad Authentication Causes Kritical Risk Over Networks, Yikes MySQL), can be exploited by an attacker to intercept database queries and results, and manipulate the contents of a database even if the user attempts to encrypt traffic, researchers said.

The problem is that the use of SSL cannot be enforced for MySQL connections. This allows an attacker positioned between the MySQL client and server (man-in-the-middle) to intercept the connection, downgrade it, and communicate with the client in plain text. This is similar to the sslstrip attack demonstrated by security expert Moxie Marlinspike a few years ago.

Even if the “REQUIRE SSL” option is used by the server, an MitM attacker can act as a proxy between the client and the server. This enables him to downgrade the connection between the client and the proxy to keep MySQL traffic unencrypted, while encrypting the traffic between the proxy and the server.

“The vulnerability lies within the behaviour of the ‘--ssl’ client option, which on affected versions it is being treated as ‘advisory’. Therefore while the option would attempt an SSL/TLS connection to be initiated towards a server, it would not actually require it. This allows a MITM attack to transparently ‘strip’ the SSL/TLS protection,” the Open Source Computer Security Incident Response Team (oCERT) explained in an advisory. “The issue affects the ssl client option whether used directly or triggered automatically by the use of other ssl options (‘--ssl-xxx’) that imply ‘--ssl’.”
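
The advisory-versus-required distinction described above, as an added example (not code from MySQL, Duo Security or oCERT): a simplified Python model of the client's decision after it reads the server's initial handshake packet. The CLIENT_SSL capability bit (0x0800) is part of the MySQL protocol; the function names, the `enforce` parameter and the two sample greetings are constructed for illustration.

```python
import struct

CLIENT_SSL = 0x0800  # MySQL protocol capability bit: server can upgrade to TLS


def build_greeting(caps_lower: int, version: bytes = b"5.6.0-sample") -> bytes:
    """Constructed HandshakeV10 packet prefix (sample data, not a capture)."""
    payload = (
        b"\x0a" + version + b"\x00"      # protocol version 10, server version
        + struct.pack("<I", 42)          # connection id
        + b"A" * 8 + b"\x00"             # auth-plugin-data part 1, filler
        + struct.pack("<H", caps_lower)  # lower 16 capability bits
    )
    return len(payload).to_bytes(3, "little") + b"\x00" + payload


def server_offers_tls(packet: bytes) -> bool:
    """Parse the greeting and report whether CLIENT_SSL is advertised."""
    length = int.from_bytes(packet[:3], "little")
    payload = packet[4:4 + length]
    if len(packet) < 4 or len(payload) != length or payload[:1] != b"\x0a":
        raise ValueError("not a complete HandshakeV10 packet")
    version_end = payload.index(b"\x00", 1)   # NUL ending the version string
    offset = version_end + 1 + 4 + 8 + 1      # skip conn id, auth data, filler
    if offset + 2 > len(payload):
        raise ValueError("greeting truncated before capability flags")
    (caps,) = struct.unpack_from("<H", payload, offset)
    return bool(caps & CLIENT_SSL)


def choose_transport(packet: bytes, tls_requested: bool, enforce: bool) -> str:
    """enforce=False models the legacy advisory option; True models the fix."""
    if not tls_requested:
        return "plaintext"
    if server_offers_tls(packet):
        return "tls"
    if enforce:
        # Fail closed: never send credentials or queries in the clear.
        raise ConnectionError("TLS requested but not offered by peer")
    return "plaintext"  # silent fallback: the downgrade goes unnoticed


GENUINE = build_greeting(0xFFFF)                 # TLS advertised
TAMPERED = build_greeting(0xFFFF & ~CLIENT_SSL)  # same greeting, bit cleared
```

With `enforce=False` the client accepts the tampered greeting and returns `"plaintext"` without any error, which is why a client that asked for SSL could not tell it had been downgraded.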

While in many cases it’s not easy to pull off an MitM attack, Duo Security believes an even more serious threat is posed by resourceful attackers with passive monitoring capabilities, such as the NSA.

“Many MySQL clients will use a DNS hostname (eg. db1.app.company.com) to connect to the database server, triggering a DNS query that may traverse monitored links on the Internet. A global passive adversary like the NSA can spoof a reply to this DNS request in order to hijack the MySQL connection, perform the downgrade, and steal/manipulate database contents,” Duo Security explained on a website set up specially for the BACKRONYM bug. “Programs like the NSA’s QUANTUM project (specifically QUANTUMDNS) have shown that DNS spoofing and man-on-the-side attacks are commonly exploited by intelligence agencies.”

The vulnerability affects not only MySQL, but also Connector/C (libmysqlclient), a client library for C development, and the MariaDB and Percona Server forks.

The MySQL team is aware of this issue and fixed it in December 2013 in the MySQL 5.7.3 preview release. The bug has also been addressed in libmysqlclient 6.1.3. However, most users still utilize MySQL 5.6 since version 5.7.x is not a GA (general availability) release, and in libmysqlclient the fix is in many cases not enabled by default, researchers said.

Since the fix has not been backported to versions of MySQL prior to 5.7.3, users who are unable to upgrade their installations to MySQL 5.7.3 or patch the client-side library are recommended to reduce the exposure of network paths between the client and the server.

“It is unclear if this vulnerability is being exploited in the wild. However, it is reasonable to assume that cyber-arms merchants of death may know about and be exploiting the issue,” Duo Security said.

The vulnerability has been assigned the CVE identifier CVE-2015-3152 (for MariaDB and Percona).

Todd Farmer, Director of Technical Product Management at Oracle MySQL, explained in a blog post that the vulnerability is related to legacy behavior of the ‘--ssl’ option.

Farmer has provided some additional options for securing connections over untrusted networks, including the use of the “REQUIRE X509” option, and the use of SSH tunnels. He also pointed out that just because the 5.7 branch is a release candidate, there is no reason why users can’t just utilize the client programs in the package that enforce TLS connections. Farmer says they work “just fine” with MySQL 5.5 and 5.6 servers.

“The legacy behavior that prevents clients from requiring TLS connections is clearly undesirable, but Oracle takes great pains to avoid behavioral changes in maintenance releases for already-GA products,” Farmer said. “For that reason, the --ssl option was redefined to require TLS only in 5.7, where it accompanies a change that makes TLS preferred by default. The latter change has potential significant impacts to users and third-party products, and cannot be reasonably back-ported to 5.5 or 5.6. However, we are considering back-porting the change which redefines --ssl to mean ‘TLS is required’ to these versions.”

*Updated with clarifications from Oracle’s Todd Farmer

Written By

Eduard Kovacs (@EduardKovacs) is a managing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.
