A researcher with Duo Security has identified a vulnerability in MySQL client libraries, as well as forks such as MariaDB and Percona, that could enable an attacker to downgrade MySQL SSL/TLS connections, according to a website created to notify users of the issue.
The vulnerability has been dubbed ‘BACKRONYM,' which stands for Bad Authentication Causes Kritical Risk Over Networks Yikes MySQL, and is considered trivial to exploit so long as certain conditions are met, Jon Oberheide, cofounder and CTO of Duo Security, told SCMagazine.com in Friday email correspondence.
Steve Manzuik, director of security research with Duo Security, later detailed scenarios that would allow exploitation.
“In order to exploit BACKRONYM an attacker must either achieve 'man in the middle' access between the database and client application (MySQL client is the piece that is vulnerable) or perform an attack on DNS that allows the attacker to redirect traffic to hosts under the attacker's control,” Manzuik wrote in a Friday email to SCMagazine.com.
At this point, all an attacker would have to do is tell the client not to use TLS encryption and they would have the ability to see all communications in clear text, thus exposing the database, Manzuik said, adding they would also be able to manipulate the data.
“An attacker would be able to snoop on the communication between the MySQL client and server, exposing confidential data (PII [personally identifiable information], usernames/passwords, etc) in the database,” Oberheide said. “More critically, the attacker would also be able to inject their own SQL commands, allowing them to steal or directly manipulate the contents of the entire database.”
To address the issue, IT administrators and developers should upgrade their MySQL client software to version 5.7.3, Oberheide said. Risk can also be mitigated by ensuring access to database servers are properly restricted, which could be done using IP Access Control Lists.
Adam Goodman, a security researcher in the Duo Labs group at Duo Security, is credited with discovering the vulnerability.
