Security Experts:

MySQL SSL/TLS Connections at Risk Due to BACKRONYM Flaw

MySQL, Oracle’s relational database management system, is plagued by a vulnerability that can be exploited to downgrade SSL/TLS connections, according to researchers at Duo Security.

The vulnerability, dubbed BACKRONYM (Bad Authentication Causes Kritical Risk Over Networks, Yikes MySQL), can be exploited by an attacker to intercept database queries and results, and manipulate the contents of a database even if the user attempts to encrypt traffic, researchers said.

The problem is that the use of SSL cannot be enforced for MySQL connections. This allows an attacker positioned between the MySQL client and server (man-in-the-middle) to intercept the connection, downgrade it, and communicate with the client in plain text. This is similar to the sslstrip attack demonstrated by security expert Moxie Marlinspike a few years ago.

Even if the “REQUIRE SSL” option is used by the server, an MitM attacker can act as a proxy between the client and the server. This enables him to downgrade the connection between the client and the proxy to keep MySQL traffic unencrypted, while encrypting the traffic between the proxy and the server.

“The vulnerability lies within the behaviour of the '--ssl' client option, which on affected versions it is being treated as ‘advisory’. Therefore while the option would attempt an SSL/TLS connection to be initiated towards a server, it would not actually require it. This allows a MITM attack to transparently ‘strip’ the SSL/TLS protection,” the Open Source Computer Security Incident Response Team (oCERT) explained in an advisory. “The issue affects the ssl client option whether used directly or triggered automatically by the use of other ssl options ('--ssl-xxx') that imply '--ssl'.”

While in many cases it’s not easy to pull off an MitM attack, Duo Security believes an even more serious threat is posed by resourceful attackers with passive monitoring capabilities, such as the NSA.

“Many MySQL clients will use a DNS hostname (eg. db1.app.company.com) to connect to the database server, triggering a DNS query that may traverse monitored links on the Internet. A global passive adversary like the NSA can spoof a reply to this DNS request in order to hijack the MySQL connection, perform the downgrade, and steal/manipulate database contents,” Duo Security explained on a website set up specially for the BACKRONYM bug. “Programs like the NSA's QUANTUM project (specifically QUANTUMDNS) have shown that DNS spoofing and man-on-the-side attacks are commonly exploited by intelligence agencies.”

The vulnerability affects not only MySQL, but also Connector/C (libmysqlclient), a client library for C development, and the MariaDB and Percona Server forks.

The MySQL team is aware of this issue and fixed it in December 2013 in the MySQL 5.7.3 preview release. The bug has also been addressed in libmysqlclient 6.1.3. However, most users still utilize MySQL 5.6 since version 5.7.x is not a GA (general availability) release, and in libmysqlclient the fix is in many cases not enabled by default, researchers said.

Since the fix has not been backported to versions of MySQL prior to 5.7.3, users who are unable to upgrade their installations to MySQL 5.7.3 or patch the client-side library are recommended to reduce the exposure of network paths between the client and the server.

“It is unclear if this vulnerability is being exploited in the wild. However, it is reasonable to assume that cyber-arms merchants of death may know about and be exploiting the issue,” Duo Security said.

The vulnerability has been assigned the CVE identifier CVE-2015-3152 (for MariaDB and Percona).

Todd Farmer, Director of Technical Product Management at Oracle MySQL, explained in a blog post that the vulnerability is related to legacy behavior of the '–ssl' option.

Farmer has provided some additional options for securing connections over untrusted networks, including the use of the “REQUIRE X509” option, and the use of SSH tunnels. He also pointed out that just because the 5.7 branch is a release candidate, there is no reason why users can’t just utilize the client programs in the package that enforce TLS connections. Farmer says they work “just fine” with MySQL 5.5 and 5.6 servers.

“The legacy behavior that prevents clients from requiring TLS connections is clearly undesirable, but Oracle takes great pains to avoid behavioral changes in maintenance releases for already-GA products,” Farmer said. “For that reason, the –ssl option was redefined to require TLS only in 5.7, where it accompanies a change that makes TLS preferred by default. The latter change has potential significant impacts to users and third-party products, and cannot be reasonably back-ported to 5.5 or 5.6. However, we are considering back-porting the change which redefines –ssl to mean ‘TLS is required’ to these versions.”

*Updated with clarifications from Oracle's Todd Farmer

view counter
Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.