A programming blunder has been uncovered in Oracle's MySQL that can potentially leak usernames and passwords to man-in-the-middle eavesdroppers.
Known as "The Riddle," the flaw potentially allows a miscreant to intercept and obtain login credentials sent from MySQL clients 5.5 and 5.6 to servers. Apparently, a fix introduced in versions 5.5.49 and 5.6.30 isn't enough to fully address the design flaw. Versions 5.7 and later, as well as MariaDB systems, are not vulnerable.
According to security researcher Pali Rohár, the CVE-2017-3305 cockup stems from a botched attempt to patch the Backronym vulnerability in MySQL, which leaves passwords viewable to attackers who have man-in-the-middle access to network traffic – even if the connection is supposedly secured and encrypted using SSL.
"Security update for the stable MySQL 5.5.49 and 5.6.30 versions consisted of adding a verification of security parameters after the authentication process was finished. Since it is done after the authentication, man riddle in the middle attack together with SSL-downgrade attack can be used by the attacker to steal login data for immediate authentication and log into the MySQL server," writes Rohár.
"Ridiculous part is that MySQL client doesn't report any SSL-related error when MySQL server declines to authenticate a user and instead reports unencrypted error message sent by the server. Furthermore, the error message is controlled by the attacker, when the riddle in the middle attack is active."
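To make the ordering problem Rohár describes concrete, here is an added toy model (constructed for this article, not MySQL's code or wire format) that compares three client policies: no check, a check after authentication (the 5.5.49/5.6.30 approach), and a check before any credentials are sent. The `Server`, `downgrade` and `connect` names and the sample credentials are all invented for the illustration.

```python
# Added illustration of the ordering flaw described above (constructed toy model;
# not MySQL's code or wire format). A client that only checks the negotiated
# security parameters AFTER sending its credentials has already handed them to
# anyone on the path who stripped the SSL capability flag from the greeting.
from dataclasses import dataclass

CREDS = {"user": "app", "password": "hunter2"}  # constructed sample credentials

@dataclass
class Server:
    """Stand-in for a MySQL server; 'accepts' controls the auth outcome."""
    supports_ssl: bool = True
    accepts: bool = True

    def greeting(self):
        return {"ssl": self.supports_ssl}

    def authenticate(self, creds):
        return {"ok": True} if self.accepts else {"ok": False, "error": "Access denied"}

def downgrade(greeting):
    """Model of the 'riddle in the middle': the SSL capability flag is removed."""
    return {**greeting, "ssl": False}

def connect(policy, server, tamper=None):
    """policy: 'none' (pre-fix), 'after_auth' (5.5.49/5.6.30 style),
    'before_auth' (verify security parameters before sending anything secret).
    Returns (result, cleartext): cleartext is what a passive observer could read."""
    cleartext = []
    greeting = server.greeting()
    if tamper:
        greeting = tamper(greeting)
    use_ssl = greeting["ssl"]
    if policy == "before_auth" and not use_ssl:
        return "ssl_error", cleartext      # nothing secret has left the client
    if not use_ssl:
        cleartext.append(dict(CREDS))      # credentials cross the wire unencrypted
    reply = server.authenticate(CREDS)
    if not reply["ok"]:
        return reply["error"], cleartext   # server-supplied message shown, no SSL error
    if policy == "after_auth" and not use_ssl:
        return "ssl_error", cleartext      # too late: credentials already leaked
    return "ok", cleartext

if __name__ == "__main__":
    for pol in ("none", "after_auth", "before_auth"):
        print(pol, connect(pol, Server(), tamper=downgrade))
```

Only the `before_auth` policy keeps the credentials off the wire under a downgraded greeting; the `after_auth` policy reports an SSL error (or just the server's error text) only after the secret is already gone.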
Rohár says the best way to protect against an attack is to update your client software to MySQL 5.7 or MariaDB, which has a working patch for the issue.
The researcher notes that the flaw itself was discovered in early February, but claims Oracle has been unwilling to work on a way to responsibly disclose and patch the vulnerability.
"Reporting bugs to Oracle is useless (even those which are security related) if you are not an Oracle customer. They can perfectly ignore any reports and they would be very happy if nobody knew about it so they don't have to fix the bugs," writes Rohár.
"It looks like immediate public disclosure is the best responsible solution for the users, as it is the only way to protect them and let them know immediately what should be done if they are affected."
Oracle was not available for immediate comment. ®