MySQL Flaw Allows Hackers To Steal Data, Even In Secure Connections
Security researcher Adam Goodman has found a critical flaw in Oracle MySQL 5.7.2 and lower that allows an attacker to act as a proxy between client and server (a man-in-the-middle attack) and steal information in plain text, even in secure connections.
Flaw: While MySQL servers can be configured to require an encrypted connection, there is no option to enforce the same on the client.
So an attacker can exploit this flaw via man-in-the-middle attacks against the affected servers. It should be noted that an SSL stripping attack can also force the client to use unencrypted connections (because SSL cannot be made mandatory in clients).
The researcher dubbed it “BACKRONYM” (Bad Authentication Causes Kritical Risk Over Networks, Yikes MySQL).
A MySQL library called “libmysqlclient” is responsible for this flaw.
Goodman said in a blog post, “The
good news is that the MySQL team has already realized this was a
problem, and implemented a fix. Like, over a year ago. The bad news? The
fix was only applied to MySQL 5.7.3 and later; 5.7.x is not yet even a
GA release! (Also, the fix was applied to version 6.1.3 of the
standalone libmysqlclient distribution). The worse news? In many cases,
the “fix” is not enabled by default! So, while we haven’t collected any
real data on the subject, we’re pretty confident that the vast majority
of libmysqlclient users are affected by this issue.”
How To Protect?
Use MySQL 5.7.3 or above. You can also configure the “REQUIRE X509” option, which validates the identity of the recipient based on its SSL/TLS certificate.
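The gap described above is what the client does when the server greeting does not offer SSL: a client that requires TLS has to fail closed at that point instead of continuing in plain text. The following C code is an added example, not code from libmysqlclient or from Goodman's post; the function names and the greeting bytes are constructed for illustration, while the packet layout and the `CLIENT_SSL` value (0x0800) are those of the MySQL HandshakeV10 greeting.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define CLIENT_SSL 0x0800u /* capability bit in the server greeting: TLS offered */

enum tls_decision { TLS_PROCEED, TLS_ABORT_NO_SSL, TLS_ABORT_MALFORMED };

/* Constructed greeting payloads (made-up version and salt), cut after status flags. */
static const uint8_t GREETING_TLS[] = {
    0x0a, '5', '.', '6', '.', '0', 0x00, 1, 0, 0, 0, /* proto 10, version, conn id */
    'a', 'b', 'c', 'd', 'e', 'f', 'g', 'h', 0x00,    /* auth data part 1, filler */
    0xff, 0xff, 0x21, 0x02, 0x00 };                  /* caps (SSL bit set), charset, status */
static const uint8_t GREETING_NO_TLS[] = {
    0x0a, '5', '.', '6', '.', '0', 0x00, 1, 0, 0, 0,
    'a', 'b', 'c', 'd', 'e', 'f', 'g', 'h', 0x00,
    0xff, 0xf7, 0x21, 0x02, 0x00 };                  /* caps with the SSL bit cleared */

/* Return the lower 16 capability bits of a greeting payload (4-byte packet
 * header already stripped), or -1 if the payload is malformed or too short. */
static long greeting_capabilities(const uint8_t *p, size_t len)
{
    if (len < 1 || p[0] != 0x0a) return -1;          /* protocol version 10 */
    const uint8_t *nul = memchr(p + 1, 0, len - 1);  /* end of server version */
    if (nul == NULL) return -1;
    size_t off = (size_t)(nul - p) + 1;              /* first byte after the NUL */
    if (len - off < 4 + 8 + 1 + 2) return -1;        /* conn id, salt, filler, caps */
    off += 4 + 8 + 1;
    return (long)(p[off] | (p[off + 1] << 8));       /* little-endian */
}

/* Fail closed: if the caller requires TLS and the greeting lacks CLIENT_SSL,
 * stop before any credentials or queries are sent. */
enum tls_decision decide_tls(const uint8_t *greeting, size_t len, int require_tls)
{
    long caps = greeting_capabilities(greeting, len);
    if (caps < 0) return TLS_ABORT_MALFORMED;
    if (require_tls && !(caps & CLIENT_SSL)) return TLS_ABORT_NO_SSL;
    return TLS_PROCEED;
}

int main(void)
{
    printf("SSL offered: %d, SSL bit missing: %d\n",
           decide_tls(GREETING_TLS, sizeof GREETING_TLS, 1),
           decide_tls(GREETING_NO_TLS, sizeof GREETING_NO_TLS, 1));
    return 0;
}
```

The check covers only the downgrade to plain text; verifying the server certificate once TLS is negotiated is a separate step.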