The Riddle vulnerability targeting MySQL versions 5.5 and 5.6 can leak usernames and passwords through a man-in-the-middle attack. Please update to version 5.7 as soon as possible.

The Riddle vulnerability exists in the Oracle MySQL DBMS, and attackers can use it to steal usernames and passwords by interposing themselves in the authentication exchange. "Riddle is a high severity security vulnerability found in the Oracle MySQL 5.5 and 5.6 client database. It allows an attacker to use Riddle in a man-in-the-middle position to compromise an SSL-configured connection between a MySQL client and server," the vulnerability description reads. "This vulnerability is a very dangerous one because firstly it affects MySQL – a very popular SQL database – and secondly it affects SSL connections, which by definition are supposed to be secure."

The Riddle vulnerability, tracked as CVE-2017-3305, allows attackers to capture data, including usernames and passwords, when MySQL 5.5 and 5.6 clients send them to the server. The security updates for versions 5.5.49 and 5.6.30 did not completely fix the vulnerability. Experts noted that MariaDB systems after version 5.7 are not affected by the vulnerability.

Security researcher Pali Rohár said that the root cause of Riddle is the BACKRONYM vulnerability that previously existed in the MySQL database and had never been properly fixed. The BACKRONYM vulnerability can be used to leak passwords in a man-in-the-middle attack, even if the traffic is encrypted. "The security updates for the stable versions of MySQL 5.5.49 and 5.6.30 added validation of security parameters after the authentication process is complete. Since the action is taken after the authentication is complete, a Riddle man in the middle attack combined with SSL downgrade allows an attacker to steal the login data to authenticate and log into the MySQL server," Rohár wrote.
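The heart of Rohár's point is ordering: the 5.5.49/5.6.30 clients validate the connection's security parameters only after the login packet has already gone out. The following is an added Python example, not code from the original post or from Pali Rohár's riddle.pl. It parses a MySQL Protocol::HandshakeV10 server greeting (the first packet the server sends, before any credential leaves the client) and decides, before a login response is built, whether the server actually offered SSL. The two sample greetings are constructed inside the script; the capability-flag constants (CLIENT_SSL = 0x0800 and the others) are the values documented for the MySQL wire protocol, and the build_handshake_v10, parse_handshake_v10 and safe_to_authenticate names are this example's own.

```python
import struct

# Capability-flag bits as documented for the MySQL client/server protocol
CLIENT_LONG_PASSWORD = 0x00000001
CLIENT_PROTOCOL_41 = 0x00000200
CLIENT_SSL = 0x00000800
CLIENT_SECURE_CONNECTION = 0x00008000
CLIENT_PLUGIN_AUTH = 0x00080000

BASE_CAPS = CLIENT_LONG_PASSWORD | CLIENT_PROTOCOL_41 | CLIENT_SECURE_CONNECTION | CLIENT_PLUGIN_AUTH


def build_handshake_v10(server_version: bytes, capabilities: int,
                        auth_data: bytes = bytes(range(1, 21)),
                        plugin: bytes = b"mysql_native_password") -> bytes:
    """Constructed sample: a Protocol::HandshakeV10 greeting wrapped in a MySQL
    packet (3-byte little-endian length + 1-byte sequence id, then the payload)."""
    body = bytearray()
    body += b"\x0a"                                     # protocol version 10
    body += server_version + b"\x00"                    # NUL-terminated version string
    body += struct.pack("<I", 42)                       # connection id (arbitrary)
    body += auth_data[:8]                               # auth-plugin-data part 1
    body += b"\x00"                                     # filler
    body += struct.pack("<H", capabilities & 0xFFFF)    # capability flags, low 16 bits
    body += b"\x21"                                     # character set (utf8_general_ci)
    body += struct.pack("<H", 0x0002)                   # status flags (SERVER_STATUS_AUTOCOMMIT)
    body += struct.pack("<H", capabilities >> 16)       # capability flags, high 16 bits
    body += bytes([len(auth_data) + 1]) if capabilities & CLIENT_PLUGIN_AUTH else b"\x00"
    body += b"\x00" * 10                                # reserved
    body += auth_data[8:] + b"\x00"                     # auth-plugin-data part 2, NUL-terminated
    if capabilities & CLIENT_PLUGIN_AUTH:
        body += plugin + b"\x00"                        # auth plugin name
    header = struct.pack("<I", len(body))[:3] + b"\x00"
    return header + bytes(body)


def parse_handshake_v10(packet: bytes) -> dict:
    """Decode the fields a client needs from the server greeting, in particular
    the 32-bit capability flags that are split across two 16-bit halves."""
    length = int.from_bytes(packet[0:3], "little")
    body = packet[4:4 + length]
    if len(body) != length or not body or body[0] != 0x0A:
        raise ValueError("not a complete Protocol::HandshakeV10 packet")
    end = body.index(b"\x00", 1)
    version = body[1:end].decode("ascii")
    pos = end + 1
    connection_id = struct.unpack_from("<I", body, pos)[0]
    pos += 4 + 8 + 1                                    # skip auth-data part 1 and filler
    cap_low = struct.unpack_from("<H", body, pos)[0]
    pos += 2 + 1 + 2                                    # skip charset and status flags
    cap_high = struct.unpack_from("<H", body, pos)[0]
    capabilities = cap_low | (cap_high << 16)
    return {
        "version": version,
        "connection_id": connection_id,
        "capabilities": capabilities,
        "ssl_offered": bool(capabilities & CLIENT_SSL),
    }


def safe_to_authenticate(greeting: bytes, ssl_required: bool) -> bool:
    """The decision a hardened client takes BEFORE sending its HandshakeResponse.
    With ssl_required=True and no CLIENT_SSL bit in the greeting the answer is
    False, so no username or password hash is ever put on the wire. The
    vulnerable 5.5/5.6 clients applied the equivalent check only afterwards."""
    return parse_handshake_v10(greeting)["ssl_offered"] or not ssl_required


# Constructed samples: a greeting from a server that offers SSL, and the same
# greeting with CLIENT_SSL cleared, which is what a downgraded connection presents.
GENUINE_GREETING = build_handshake_v10(b"5.6.30", BASE_CAPS | CLIENT_SSL)
DOWNGRADED_GREETING = build_handshake_v10(b"5.6.30", BASE_CAPS)

if __name__ == "__main__":
    for name, pkt in (("genuine", GENUINE_GREETING), ("downgraded", DOWNGRADED_GREETING)):
        info = parse_handshake_v10(pkt)
        print(f"{name}: version={info['version']} caps=0x{info['capabilities']:08x} "
              f"ssl_offered={info['ssl_offered']} "
              f"send_login={safe_to_authenticate(pkt, ssl_required=True)}")
```

The only difference between the two greetings is one capability bit, and that bit is all a client has to go on before deciding whether to build a TLS session or speak in the clear. Checking it before the HandshakeResponse is what makes an "SSL required" setting meaningful; checking it afterwards, as the 5.5.49/5.6.30 updates did, can only tell you that the credentials have already been exposed.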
"Interestingly, when the MySQL server refuses to authenticate a user, the MySQL client does not report any SSL-related errors, but instead reports unencrypted error messages sent by the server. These error messages are controlled by the man-in-the-middle attacker."

Experts recommend updating client software to MySQL 5.7 or MariaDB, since the security updates for those releases work properly.

PoC

The author provides a PoC script written in Perl. It opens riddle on local port 3307 and expects the MySQL server to be running on localhost:3306.

Run riddle on the host acting as the man in the middle:

    $ perl riddle.pl

Connect the MySQL client to riddle:

    $ mysql --ssl-mode=REQUIRED -h 127.0.0.1 -P 3307 -u user -p password

If you provide the correct username and password, riddle connects to the real server, executes an SQL statement and prints:

    SELECT COUNT(*) FROM information_schema.TABLES --> 121

The MySQL client, meanwhile, receives an error message sent by riddle:

    ERROR 1045 (28000): Access denied: MITM attack

Oracle fails to fix vulnerabilities in a timely manner

The Riddle vulnerability was discovered in February, but it still affects Oracle MySQL software. "If you are not an Oracle customer, there is no use reporting vulnerabilities to them (even security-related ones). They can completely ignore any report and will be happy if no one knows about it, so they don't have to fix it," Rohár explained.

Summary

The above is the solution I introduced to you for the MySQL Riddle vulnerability that can cause username and password leakage. I hope it will be helpful to you. If you have any questions, please leave me a message and I will reply to you in time. I would also like to thank everyone for their support of the 123WORDPRESS.COM website!