‘MySQL contains vulnerability that allows remote code execution’


Security researcher Dawid Golunski has found a vulnerability in MySQL, MariaDB and PerconaDB that allows remote code execution if the attacker already has access to the database. The vulnerability is present in the latest version of MySQL, among others.

Patches became available for the MariaDB and PerconaDB forks at the end of August, the researcher writes. The vulnerability, identified as CVE-2016-6662, is one of several vulnerabilities, Golunski added. It affects all MySQL servers in the default configuration, from the earliest to the current versions in all branches, namely 5.7.15, 5.6.33 and 5.5.52. The vulnerability can be exploited remotely as well as by a local attacker, both via SQL injection and with authenticated access, and allows arbitrary code execution as root.

According to the researcher, this is also possible when security measures such as SELinux and AppArmor are in place with their standard policies. The vulnerability is that when MySQL is started, a script is executed that loads certain shared libraries. By injecting the path to a malicious library into the my.cnf configuration file, an attacker could have an arbitrary library loaded and thus execute code on the system. For that, the configuration file must be owned or writable by the ‘mysql’ user.

Golunski has written a proof of concept to back up his claims. He says that, pending a patch for the Oracle version of MySQL, administrators can make sure that no configuration files are owned by the ‘mysql’ user. Creating dummy versions of unused my.cnf files owned by the root user is also recommended. This does not completely solve the problem, however, and the patches would still need to be installed once they are released.
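The precondition described above (a my.cnf owned or writable by the service account) and the interim measure the researcher recommends (root-owned placeholder files at unused locations) can both be checked from a shell. The script below is an added example written for this article; it is not code from the researcher, from the article, or from the MySQL or MariaDB projects. The search paths and the account name `mysql` are assumptions and should be adjusted to the installation.

```shell
#!/bin/sh
# Added example, not from the article or the MySQL/MariaDB projects: audit
# the configuration files a MySQL server reads and flag any that the service
# account owns or can write to, which is the precondition the article
# describes. Paths and the account name are assumptions; adjust as needed.

MYSQL_USER="${MYSQL_USER:-mysql}"
# Assumed search locations; a real server may read further files
# (compare the list printed by `mysqld --help --verbose`).
CNF_PATHS="/etc/my.cnf /etc/mysql/my.cnf /usr/etc/my.cnf /usr/local/mysql/my.cnf"

# Print "owner group octal-mode" for a path; GNU stat first, BSD/macOS fallback.
file_meta() {
    stat -c '%U %G %a' "$1" 2>/dev/null || stat -f '%Su %Sg %Lp' "$1"
}

# Classify one config path for a given service account.
# Prints: MISSING, OWNED (the account owns the file), WRITABLE (a group or
# world write bit lets the account modify it), or OK.
# Usage: check_cnf <path> [service-user]
check_cnf() {
    path="$1"
    user="${2:-$MYSQL_USER}"
    [ -e "$path" ] || { echo "MISSING"; return 0; }
    set -- $(file_meta "$path")
    owner="$1"; group="$2"; mode="$3"
    if [ "$owner" = "$user" ]; then
        echo "OWNED"; return 0
    fi
    # World-writable: the last octal digit has the write bit (2) set.
    case "$mode" in *[2367]) echo "WRITABLE"; return 0;; esac
    # Group-writable and the service account belongs to that group.
    case "$mode" in *[2367][0-7])
        case " $(id -Gn "$user" 2>/dev/null) " in
            *" $group "*) echo "WRITABLE"; return 0;;
        esac;;
    esac
    echo "OK"
}

# Create an empty 0644 placeholder at an unused my.cnf location so the
# service account cannot drop its own file there later. Run it as root in
# practice so the file is root-owned; it is owned by whoever runs it.
create_dummy_cnf() {
    path="$1"
    if [ ! -e "$path" ]; then
        ( umask 022; : > "$path" )
        chmod 0644 "$path"
    fi
}

# Walk the assumed locations, print each one's status, and return 1 if any
# file is owned or writable by the service account.
audit_cnf() {
    rc=0
    for p in $CNF_PATHS; do
        status=$(check_cnf "$p")
        printf '%-28s %s\n' "$p" "$status"
        case "$status" in OWNED|WRITABLE) rc=1;; esac
    done
    return $rc
}

# Run the audit only when invoked as `sh audit_cnf.sh --audit`, so the
# functions can also be sourced from another script.
if [ "${1:-}" = "--audit" ]; then
    audit_cnf
fi
```

A non-zero exit from `audit_cnf` is the signal to act: change the owner of a flagged file to root, remove any group or world write bit, and create placeholders at the locations reported as MISSING. The check is deliberately limited to ownership and mode bits; ACLs or other mechanisms that grant the service account write access are not examined.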

There has been some criticism on Reddit of how the vulnerability was presented, since it is not easy to use remotely, which makes it more of a privilege escalation. An attacker would also need ‘super’ and ‘file’ privileges. The researcher justifies his decision to publish the vulnerability in the absence of a patch with the fact that the other parties' patches may already have been noticed by malicious parties. The vulnerability was reportedly reported to Oracle forty days ago, but a patch is not expected until October.
