Quick Summary
MySQL Database Accessible from Public Network is a critical misconfiguration in which the MySQL service listens on an interface reachable from the internet or from other untrusted networks. Public exposure lets any remote party talk to the server's authentication layer directly, which greatly increases the risk of brute-force attacks, unauthorized data access, data exfiltration and full database compromise.
Vulnerability Classification
| Field | Value |
|---|---|
| Vulnerability Type | Database Exposure / Insecure Service Configuration |
| CWE ID | CWE-284 – Improper Access Control |
| CVE ID | N/A (Configuration Issue) |
| CVSS 4.0 Base Score | 9.0 (Critical) |
| CVSS Vector | CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H |
| OWASP Category | A05:2021 – Security Misconfiguration |
| Attack Surface | External Network |
Affected Asset / Environment
- Service: MySQL
- Default Port: 3306
- Platforms: Linux / Windows Servers, Cloud Databases
- Testing Method: External / Black-box Assessment
- Tools Used: Nmap, mysql client, Hydra
Description
The assessor observed that the MySQL database service is accessible from a public or untrusted network. During testing, port 3306 was reachable from an external address, and the MySQL server accepted the connection and returned its initial handshake, which it does before any credentials are supplied.
MySQL is intended to be reachable only from application servers or trusted internal networks. Public exposure allows attackers to attempt authentication attacks, read the server version and authentication plugin from the unauthenticated handshake, and potentially access sensitive data.
If weak credentials or accounts with wildcard hosts (for example 'root'@'%') exist, attackers may gain full access to the database and extract or manipulate stored information. The Critical rating assumes that worst case; exposure alone still leaves the service open to credential attacks from every address on the internet.
Root Cause
The issue occurs due to improper network configuration or insecure MySQL service setup.
Common root causes include:
- MySQL bound to all interfaces (bind-address set to 0.0.0.0, * or ::, which is also the server default when the option is absent)
- Cloud security group allowing 0.0.0.0/0 on port 3306
- Host firewall rules not restricting access to the database tier
- Accounts created with a wildcard host ('root'@'%'), so MySQL's own host-based access control does not compensate for the open port
- Lack of network segmentation between the database and the internet-facing tier
- Default configuration deployed to production without hardening
Business Impact
Exploitation of this vulnerability may allow attackers to access confidential application data, including user credentials, personal information, financial records, and proprietary business data.
Unauthorized modification or deletion of database records may cause application downtime, data integrity issues, and regulatory violations.
Publicly exposed databases are frequently targeted by automated scanning tools and ransomware campaigns.
Technical Impact
An attacker can:
- Enumerate the MySQL version and authentication plugin from the handshake, without credentials
- Attempt brute-force or credential-stuffing authentication against every account whose host pattern matches the attacker's address
- Access or dump databases
- Modify or delete records
- Create new privileged database users
- Potentially escalate to system compromise depending on configuration, for example by writing files with the FILE privilege when secure_file_priv is empty
Exposure significantly increases risk of data breach and service disruption.
Proof of Concept (PoC)
Step 1: Identify MySQL Service
nmap -sV -p 3306 <target-ip>
If port 3306 is reported open and the service is identified as MySQL, exposure is confirmed. A closed or filtered result means the port is not reachable from this vantage point.
Step 2: Attempt Direct Connection
mysql -h <target-ip> -u root -p --connect-timeout=5
The client asks for the password locally, before it contacts the server, so reaching the prompt proves nothing. Enter any value and read the server's reply. ERROR 1045 (28000): Access denied for user 'root'@'<source-ip>' means the server is reachable and processed an authentication attempt from the internet. ERROR 1130 (HY000): Host '<source-ip>' is not allowed to connect to this MySQL server means the port is reachable but no account permits this source host. ERROR 2003 (HY000): Can't connect to MySQL server means the connection was refused or filtered.
Step 3: Enumerate Version Information
nmap -p 3306 --script mysql-info <target-ip>
The server version, protocol version, capability flags and authentication plugin come from the greeting the server sends before authentication, so they are disclosed to any client that can reach the port.
Step 4: Test Brute-force Exposure (Authorized Testing Only)
hydra -t 4 -L users.txt -P passwords.txt mysql://<target-ip>
If login attempts are processed (Hydra reports authentication failures rather than connection errors), an authentication attack surface exists. Keep the task count low (-t 4) and the word lists short: the goal is to demonstrate the attack surface, not to exhaust it, and rapid failures may trip lockouts or throttling that disrupt legitimate clients.
Exploitation Prerequisites
- Network access to port 3306
- MySQL service running
- Public network exposure
- Weak credentials (in exploitable cases)
Remediation
It is recommended that MySQL databases never be exposed to public networks.
Recommended actions:
- Bind MySQL to localhost or an internal IP address (bind-address = 127.0.0.1, or the address of the internal interface, in the [mysqld] section; skip-networking if only local-socket clients exist). bind_address is not a dynamic variable, so restart mysqld and confirm the change with SHOW VARIABLES LIKE 'bind_address'.
- Restrict port 3306 at the host firewall and in cloud security groups to the application subnets that need it, replacing any 0.0.0.0/0 rule.
- Enforce strong, unique credentials; remove anonymous accounts and any root account reachable from '%', and scope application accounts to their source subnet (for example 'app'@'10.0.1.%') instead of '%'.
- Implement network segmentation so the database tier is reachable only from the application tier.
- Enable database logging and monitoring of failed logins; the connection_control plugin can add a growing delay after repeated failed attempts.
- Use a VPN or bastion host for remote administration rather than opening 3306.
After implementing the changes, repeat the external checks (nmap and a mysql connection from an outside address) and confirm that port 3306 is closed or filtered from the internet.
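The listener and account items above are the ones most often left half done: bind-address is commented out (which means listen everywhere) or an application account keeps its '%' host. The audit below is an added example, not part of the original finding or of any MySQL tool. It reads a my.cnf-style text and a list of (user, host) rows such as `SELECT user, host FROM mysql.user` returns, reports both weaknesses, and emits the SQL that would scope the offending accounts to a subnet. The sample config, the account rows and the 10.0.1.0/24 application subnet are constructed for illustration.

```python
import re

# Values of bind-address that make mysqld listen on every interface.
ANY_INTERFACE = {"0.0.0.0", "*", "::", "0::0", "0.0.0.0,::"}


def mysqld_options(text):
    """Collect the options under [mysqld] from my.cnf-style text.

    Keys are normalised to the dashed form (bind_address -> bind-address) and
    bare flags such as skip-networking map to True; '#' comments are ignored.
    """
    section, opts = None, {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        header = re.match(r"\[(.+)\]$", line)
        if header:
            section = header.group(1).strip().lower()
            continue
        if section != "mysqld":
            continue
        key, _, value = line.partition("=")
        key = key.strip().replace("_", "-")
        opts[key] = value.strip().strip("'\"") if value else True
    return opts


def audit_listener(opts):
    """Findings about where mysqld listens; an empty list means acceptable."""
    if opts.get("skip-networking"):
        return []                      # TCP listener disabled entirely
    bind = opts.get("bind-address")
    if bind is None:
        return ["bind-address is unset; the server default (*) listens on all interfaces"]
    if bind.replace(" ", "") in ANY_INTERFACE:
        return ["bind-address=%s listens on all interfaces" % bind]
    return []


def audit_accounts(rows):
    """rows: (user, host) pairs as returned by SELECT user, host FROM mysql.user."""
    findings = []
    for user, host in rows:
        if host in ("%", ""):
            findings.append("'%s'@'%s' is reachable from any host" % (user, host))
        elif "%" in host:
            findings.append("'%s'@'%s' uses a wildcard host; confirm the range is intentional" % (user, host))
        if user == "":
            findings.append("anonymous account at host '%s'" % host)
    return findings


def fix_statements(rows, app_subnet):
    """SQL to replace any-host accounts with subnet-scoped ones (review before running)."""
    stmts = []
    for user, host in rows:
        if user == "root" and host == "%":
            stmts.append("DROP USER 'root'@'%';")
        elif host in ("%", ""):
            stmts.append("RENAME USER '%s'@'%s' TO '%s'@'%s';" % (user, host, user, app_subnet))
    return stmts


# Constructed examples: the weak configuration beside the corrected one.
WEAK_MYSQLD = """
[client]
port = 3306

[mysqld]
user = mysql
bind_address = 0.0.0.0      # listens on every interface, including the public one
datadir = /var/lib/mysql
"""

HARDENED_MYSQLD = """
[mysqld]
user = mysql
bind-address = 10.0.1.10    # internal interface only; use 127.0.0.1 if clients are local
datadir = /var/lib/mysql
"""

SAMPLE_ACCOUNTS = [          # constructed rows, not from any real server
    ("root", "localhost"),
    ("root", "%"),
    ("app", "%"),
    ("app", "10.0.1.%"),
    ("", "localhost"),
]

if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_MYSQLD), ("hardened", HARDENED_MYSQLD)):
        print(name, audit_listener(mysqld_options(cfg)) or "ok")
    for f in audit_accounts(SAMPLE_ACCOUNTS):
        print("account:", f)
    for s in fix_statements(SAMPLE_ACCOUNTS, "10.0.1.%"):
        print("fix:", s)
```

RENAME USER keeps the account's password and grants while narrowing its host, so it is the least disruptive fix for an application account; the root@'%' account is dropped rather than renamed because remote root access should not survive the review at all.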
Detection and Monitoring
- Monitor MySQL authentication logs; on MySQL 8.0 failed logins are written to the error log as Note-level messages, so log_error_verbosity must be 3 for them to appear at all
- Alert on repeated failed login attempts from one source address, especially across several usernames, which is the signature of a scanner working a word list
- Conduct periodic external port scans of every public address to catch rules that drift back to 0.0.0.0/0
- Review cloud security group configurations and host firewall rules for port 3306 on a schedule, not only after an incident
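The first two monitoring items can be turned into a small detector. The script below is an added example, not part of the original finding or of MySQL itself: it parses "Access denied for user" lines from the error log, keeps a sliding window of failures per source address, and raises one alert per source once the failure count crosses a threshold, listing the usernames tried. The sample log lines are constructed to match the 5.7 and 8.0 error-log layouts and are not from a real server; the threshold and window are illustrative starting points.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Matches 5.7-style and 8.0-style error-log lines; any [MY-xxxxx] code between
# the level and the message is skipped by the non-greedy .*?
DENIED = re.compile(
    r"^(?P<ts>\S+)\s+\d+\s+\[\w+\].*?Access denied for user '(?P<user>[^']*)'@'(?P<src>[^']+)'"
)


def parse_denials(lines):
    """Yield (timestamp, user, source address) for every failed-login line."""
    for line in lines:
        m = DENIED.match(line)
        if not m:
            continue
        ts = datetime.fromisoformat(m.group("ts").replace("Z", "+00:00"))
        yield ts, m.group("user"), m.group("src")


def detect_bruteforce(lines, threshold=5, window_seconds=60):
    """Alert once per source that reaches `threshold` failures inside a sliding window."""
    window = timedelta(seconds=window_seconds)
    recent = defaultdict(deque)        # source -> timestamps still inside the window
    users = defaultdict(set)           # source -> usernames it has tried
    alerted, alerts = set(), []
    for ts, user, src in sorted(parse_denials(lines)):
        q = recent[src]
        q.append(ts)
        users[src].add(user)
        while q and ts - q[0] > window:
            q.popleft()                # drop failures that fell out of the window
        if len(q) >= threshold and src not in alerted:
            alerted.add(src)
            alerts.append({
                "source": src,
                "failures": len(q),
                "users": sorted(users[src]),
                "first": q[0].isoformat(),
                "last": ts.isoformat(),
            })
    return alerts


# Constructed sample error-log lines; one external address works four usernames
# while an internal application host has a single typo-style failure.
SAMPLE_LOG = """\
2024-05-02T10:15:31.000000Z 55 [Note] [MY-010926] [Server] Access denied for user 'root'@'203.0.113.5' (using password: YES)
2024-05-02T10:15:32.000000Z 56 [Note] [MY-010926] [Server] Access denied for user 'admin'@'203.0.113.5' (using password: YES)
2024-05-02T10:15:33.000000Z 57 [Note] [MY-010926] [Server] Access denied for user 'root'@'203.0.113.5' (using password: YES)
2024-05-02T10:15:34.000000Z 58 [Note] [MY-010926] [Server] Access denied for user 'mysql'@'203.0.113.5' (using password: YES)
2024-05-02T10:15:40.000000Z 59 [Note] Access denied for user 'app'@'10.0.1.7' (using password: YES)
2024-05-02T10:15:41.000000Z 60 [Note] [MY-010926] [Server] Access denied for user 'root'@'203.0.113.5' (using password: YES)
2024-05-02T10:16:45.000000Z 61 [Note] [MY-010926] [Server] Access denied for user 'root'@'203.0.113.5' (using password: YES)
2024-05-02T10:20:00.000000Z 0 [Note] /usr/sbin/mysqld: ready for connections.
""".splitlines()

if __name__ == "__main__":
    import sys
    lines = open(sys.argv[1], encoding="utf-8", errors="replace") if len(sys.argv) > 1 else SAMPLE_LOG
    for alert in detect_bruteforce(lines):
        print("ALERT %(source)s: %(failures)d failures, users %(users)s, %(first)s .. %(last)s" % alert)
```

Run it against the live error log with `python3 mysql_failed_logins.py /var/log/mysql/error.log` (file name and path are assumptions). Pair the source address in each alert with the security-group review: an alert from a public address is itself proof that port 3306 is still reachable from the internet.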
