Two critical zero-day vulnerabilities have been discovered in MySQL, the world's second most popular database management software, that could allow an attacker to take full control of the database.
Polish security researcher Dawid Golunski has discovered two zero-days, CVE-2016-6662 and CVE-2016-6663, that affect all currently supported MySQL versions as well as its forks such as MariaDB and PerconaDB.
Golunski reported the zero-day flaws to Oracle on July 29 and to other affected vendors on July 29.
Golunski further went on to disclose details and proof-of-concept exploit code for CVE-2016-6662 after informing Oracle of both issues, along with the vendors of MariaDB and PerconaDB.
Both MariaDB and PerconaDB had fixed the vulnerabilities, but Oracle had not.
The vulnerability (CVE-2016-6662) can be exploited by hackers to inject malicious settings into MySQL configuration files or create their own malicious ones.
Exploitation Vector
The above flaw could be exploited either via SQL injection or by hackers with authenticated access to the MySQL database (via a network connection or web interfaces like phpMyAdmin).
"A successful exploitation [of CVE-2016-6662] could allow attackers to execute arbitrary code with root privileges which would then allow them to fully compromise the server on which an affected version of MySQL is running," Golunski explained in an advisory published today.
This could result in complete compromise of the server running the affected MySQL version.
The researcher also warned that the vulnerability could be exploited even if the SELinux or AppArmor Linux kernel security module is enabled with default active policies for the MySQL service on the major Linux distributions.
The flaw actually resides in the mysqld_safe script that is used as a wrapper by many MySQL default packages or installations to start the MySQL service process.
The mysqld_safe wrapper script is executed as root, and the main mysqld process drops its privilege level to the MySQL user, Golunski noted.
"If an attacker managed to inject a path to their malicious library within the config, they would be able to preload an arbitrary library and thus execute arbitrary code with root privileges when MySQL service is restarted (manually, via a system update, package update, system reboot, etc.)"
The researcher will soon release details and full exploit code for CVE-2016-6663, the flaw that allows low-privileged attackers to make exploitation trivial.
No MySQL Patch Available Yet
While Oracle acknowledged and triaged the report, scheduling the next Oracle CPUs for Oct 18, 2016, MariaDB and PerconaDB patched their versions of the database software before the end of August.
Since more than 40 days have passed and the two vendors released patches to fix the issues, Golunski said he decided to go public with the details of the zero-days.
Temporary Mitigation:
Until Oracle fixes the problem in its next CPU, you can implement some temporary mitigations, proposed by the researcher, to protect your servers.
"As temporary mitigations, users should ensure that no MySQL config files are owned by the mysql user, and create root-owned dummy my.cnf files that are not in use," Golunski wrote.
But remember, the above mitigations are only workarounds, so you are advised to apply vendor patches as soon as they become available.
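The temporary mitigation quoted above can be checked with a short audit script. This is an added example, not code from the advisory or from MySQL; the candidate paths in `CNF_PATHS` and the `mysql` account name are assumptions to adjust for your installation.

```shell
#!/bin/sh
# Audit MySQL option files against the temporary mitigation quoted above.
# Assumption: these are common my.cnf locations; edit the list to match
# your distribution and data directory.
CNF_PATHS="/etc/my.cnf /etc/mysql/my.cnf /var/lib/mysql/my.cnf /var/lib/mysql/.my.cnf"

# Print the owner name of a path (portable: parses `ls -ld`).
owner_of() {
    ls -ld -- "$1" | awk '{print $3}'
}

# classify_cnf PATH [SERVICE_USER] prints one of:
#   MISSING        no file here, so no root-owned placeholder is in place
#   SERVICE_OWNED  file is owned by the database service account
#   OTHER_OWNER    file is owned by some account other than root
#   OK             file exists and is owned by root
classify_cnf() {
    path=$1
    svc=${2:-mysql}
    if [ ! -e "$path" ] && [ ! -L "$path" ]; then
        echo MISSING
        return 0
    fi
    owner=$(owner_of "$path")
    if [ "$owner" = "$svc" ]; then
        echo SERVICE_OWNED
    elif [ "$owner" != "root" ]; then
        echo OTHER_OWNER
    else
        echo OK
    fi
}

# audit_cnf [SERVICE_USER]: report every candidate path and return
# non-zero if any of them needs attention.
audit_cnf() {
    rc=0
    for p in $CNF_PATHS; do
        st=$(classify_cnf "$p" "${1:-mysql}")
        printf '%-14s %s\n' "$st" "$p"
        [ "$st" = OK ] || rc=1
    done
    return $rc
}

# Set RUN_AUDIT=1 to run the audit when the script is executed directly.
if [ "${RUN_AUDIT:-}" = 1 ]; then audit_cnf "${SERVICE_USER:-mysql}" || true; fi
```

A `MISSING` result marks a location where a root-owned dummy my.cnf should be created; `SERVICE_OWNED` marks a file whose ownership should be changed to root.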