Two zero-day vulnerabilities, CVE-2016-6662 and CVE-2016-6663, which affect all currently supported MySQL versions, have been discovered by Polish security researcher Dawid Golunski. These vulnerabilities allow an attacker to take complete control over the database. While MariaDB and PerconaDB have fixed the vulnerabilities, Oracle has not, and the researcher has today gone ahead and published proof-of-concept exploit code for CVE-2016-6662.
The last Critical Patch Update (CPU) released by Oracle was on July 19, 2016. Oracle is on a strict security update release schedule that rolls out once every three months, and the next Oracle CPU update is scheduled for October 18, 2016.
According to Golunski:
The vulnerabilities were patched by PerconaDB and MariaDB vendors by the end of the 30th of August. During the course of the patching by these vendors the patches went into public repositories and the fixed security issues were also mentioned in the new releases, which could be noticed by malicious attackers.
As over 40 days have passed since reporting the issues and patches were already mentioned publicly, a decision was made to start disclosing vulnerabilities (with limited PoC) to inform users about the risks before the vendor’s next CPU update that only happens at the end of October.
CVE-2016-6662 allows an attacker, from a remote or local position, to add custom database settings into MySQL configuration files (my.cnf). Only MySQL servers running in their default configuration are affected, and the injected settings take effect after the first database restart following the exploitation step.
Golunski says that an attacker can deliver the exploitation code using authenticated access through network connections or database interfaces such as phpMyAdmin, or through SQL injection.
CVE-2016-6662 allows attackers to modify the my.cnf file and load third-party code that will be executed with root privileges.
Golunski said that the issue lies with a script called mysqld_safe, which the default MySQL packages use as a wrapper to start the MySQL server process. The wrapper executes as root, while the main mysqld process drops its privileges to the mysql user, the researcher said. Golunski examined a particular function in the wrapper that can be used to pre-load a shared library before the server starts.
CVE-2016-6663 was also discovered by Golunski but has not been made public by him. It also leads to remote code execution as the root user.
The undisclosed vulnerability makes it easy for certain attackers to create the /var/lib/mysql/my.cnf file with arbitrary contents without requiring the FILE privilege.
Until the zero-day vulnerabilities are patched by Oracle, Golunski recommends the following temporary mitigations:
As temporary mitigations, users should ensure that no MySQL config files are owned by the mysql user, and create root-owned dummy my.cnf files that are not in use.
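The mechanism described above (a preload directive in a config file the database account can write) and the two mitigations can be checked together with this added audit script; it is not code from the article or from the researcher's advisory. The list of config paths, the name of the mysqld_safe preload option (`malloc-lib`, which is the wrapper feature the article refers to without naming) and the sample config are assumptions made here.

```python
import os
import pwd
import re

# Config locations MySQL reads on startup (Linux defaults; this list is an assumption).
# /var/lib/mysql/my.cnf is the datadir path the article names for CVE-2016-6663.
DEFAULT_CONFIG_PATHS = [
    "/etc/my.cnf", "/etc/mysql/my.cnf", "/usr/etc/my.cnf", "/var/lib/mysql/my.cnf",
]
DB_USER = "mysql"
# mysqld_safe option that preloads a shared library into the server process
# (assumed here to be the wrapper function the article describes).
PRELOAD_KEYS = {"malloc-lib", "malloc_lib"}


def preload_directives(text):
    """Return (section, key, value) triples for every library-preload directive in a my.cnf text."""
    found, section = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":          # blank line or comment
            continue
        m = re.match(r"\[(.+)\]$", line)         # section header such as [mysqld_safe]
        if m:
            section = m.group(1).strip().lower()
            continue
        key, _, value = line.partition("=")      # bare flags have no '='
        if key.strip().lower() in PRELOAD_KEYS:
            found.append((section, key.strip(), value.strip()))
    return found


def audit_config(path, owner, text):
    """Findings for one config file, given its owner's user name and its content."""
    findings = []
    if owner == DB_USER:                         # the DB account itself could rewrite the file
        findings.append(f"{path}: owned by '{DB_USER}'; the database account can rewrite it")
    for section, key, value in preload_directives(text):
        findings.append(f"{path}: [{section}] {key}={value} preloads a shared library into mysqld")
    return findings


def audit_host(paths=DEFAULT_CONFIG_PATHS):
    """Stat and read the real files; a missing path is reported because a root-owned dummy should exist."""
    findings = []
    for path in paths:
        if not os.path.exists(path):
            findings.append(f"{path}: missing; create an empty root-owned placeholder")
            continue
        owner = pwd.getpwuid(os.stat(path).st_uid).pw_name
        with open(path) as fh:
            findings.extend(audit_config(path, owner, fh.read()))
    return findings
```

Run `audit_host()` as root on a database host; an empty result means every default config path exists, is not owned by the mysql user, and preloads no library.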