MySQL 0-day could lead to total system compromise

Researcher Dawid Golunski has discovered multiple severe vulnerabilities affecting the popular open source database MySQL and its forks (e.g. MariaDB, Percona).

CVE-2016-6662

One of these – CVE-2016-6662 – can be exploited by attackers to inject malicious settings into MySQL configuration files or create new ones, allowing them to execute arbitrary code with root privileges when the MySQL service is restarted. This could lead to total compromise of the server running the vulnerable MySQL version.

“The vulnerability affects all MySQL servers in default configuration in all version branches (5.7, 5.6, and 5.5) including the latest versions, and could be exploited by both local and remote attackers,” Golunski has explained in an advisory published on Monday.

“Both the authenticated access to MySQL database (via network connection or web interfaces such as phpMyAdmin) and SQL Injection could be used as exploitation vectors.”

So far, Oracle, which acquired MySQL's then-owner Sun Microsystems in 2010, has yet to push out a fix for this and the other issues. Golunski reported them to Oracle and to the vendors of the affected forks in late July; Percona and MariaDB have already pushed out new releases that plug CVE-2016-6662.

As these new releases were accompanied by details about the vulnerability, and Oracle’s next Critical Patch Update is scheduled for 18 October 2016, Golunski has decided to start disclosing the vulnerabilities he found, so that users can do everything in their power to minimize risk of exploitation until patches are made available.

The advisory also contains a limited PoC exploit. A full exploit, and details about CVE-2016-6663, the flaw that allows low-privileged attackers to achieve the same result, will be published soon.

“As temporary mitigations, users should ensure that no mysql config files are owned by mysql user, and create root-owned dummy my.cnf files that are not in use,” Golunski advised, but stressed that applying official vendor patches as soon as they become available will be the ultimate solution for this issue.
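The ownership check behind that interim mitigation, as an added example for this article (it is not code from the advisory or from any MySQL vendor): the script below audits the usual config locations for the two conditions the advice targets, a config file owned by the service account and a missing file the service account could create, and offers a helper that drops a root-owned placeholder. The service account name (`mysql`), the path list, and the function names are assumptions; confirm the real list of paths on a given host with `mysqld --help --verbose | grep -A1 'Default options'`. It assumes a Linux host with GNU stat(1).

```shell
#!/bin/sh
# Audit MySQL config locations for the CVE-2016-6662 interim mitigation.
# Added example, not from the advisory or any vendor; assumes GNU stat -c/-L.

MYSQL_USER="${MYSQL_USER:-mysql}"   # assumed service account name

# Commonly read config paths (assumed list; verify on the target with
#   mysqld --help --verbose | grep -A1 'Default options').
CNF_PATHS="/etc/my.cnf /etc/mysql/my.cnf /usr/etc/my.cnf /var/lib/mysql/my.cnf"

# cnf_status FILE SERVICE_USER
# Prints one word and returns 0 only for "ok":
#   missing        path does not exist, so the service user may be able to create it
#   service-owned  owned by the service user, which can rewrite it freely
#   writable       group- or world-writable, so other accounts can edit it
#   ok             exists, not owned by the service user, not writable by others
cnf_status() {
    f="$1"; svc="$2"
    if [ ! -e "$f" ]; then
        echo missing; return 1
    fi
    owner=$(stat -L -c '%U' "$f")   # -L: Debian links /etc/mysql/my.cnf via alternatives
    mode=$(stat -L -c '%a' "$f")    # e.g. 644 or 1777
    if [ "$owner" = "$svc" ]; then
        echo service-owned; return 1
    fi
    # Only the last two octal digits matter: group write bit, then world write bit.
    case "$mode" in
        *[2367][0-7]|*[2367]) echo writable; return 1 ;;
    esac
    echo ok
}

# ensure_root_cnf FILE
# Create an empty, root-owned, non-writable placeholder so the service user
# cannot create the file itself. Must run as root.
ensure_root_cnf() {
    f="$1"
    [ -d "$(dirname "$f")" ] || return 0   # parent directory absent: skip
    [ -e "$f" ] || : > "$f"
    chown root:root "$f" && chmod 0644 "$f"
}

# audit_cnf_paths SERVICE_USER
# Prints one line per path; returns non-zero if any path needs attention.
audit_cnf_paths() {
    svc="$1"; problems=0
    for p in $CNF_PATHS; do
        st=$(cnf_status "$p" "$svc") || problems=$((problems + 1))
        printf '%-28s %s\n' "$p" "$st"
    done
    [ "$problems" -eq 0 ]
}

audit_cnf_paths "$MYSQL_USER" || echo "action needed: run ensure_root_cnf <path> as root for each flagged path"
```

Run it as root on each database host; every path reported as `missing` or `service-owned` is a candidate for `ensure_root_cnf`, and any real config file reported as `service-owned` should be re-owned to root after checking its contents. The check is a stopgap that narrows the write path the advisory describes; it does not replace the vendor patch.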
