MySQL, MariaDB, and Percona pwned.
Dangerous, since-patched vulnerabilities in MySQL, MariaDB, and Percona’s Server and XtraDB Cluster have been found that, when chained, allow attackers in shared environments to completely compromise servers.
The database servers are among the world’s most popular and count all major tech giants as customers including Google and its properties; Facebook; Twitter; eBay; Cisco; Amazon and Netflix, plus scores more.
Legalhackers vulnerability hunter Dawid Golunski (@dawid_golunski) says the race condition bug (CVE-2016-6663) he found in MySQL, MariaDB, and PerconaDB, and quietly reported so the vendors could fix it, can be chained with other flaws to completely compromise servers.
Malicious users with local database select, insert, or create privileges could use the bugs to execute arbitrary code and escalate their accounts to system users.
In that role they would have access to all databases within a server, and could chain two other patched bugs to gain a root shell.
This is particularly risky in shared environments where users are granted access only to their own separate databases.
By exploiting the holes, they gain access to all databases.
External hackers who pop websites using common vulnerabilities and gain a low-privileged footing could also use the bugs to escalate to god mode.
“The vulnerability can allow a local system user with access to the affected database in the context of a low-privileged account (CREATE/INSERT/SELECT grants) to escalate their privileges and execute arbitrary code as the database system user (typically ‘mysql’),” Golunski says.
“Successful exploitation would allow an attacker to gain access to all of the databases stored on the affected database server.
“The obtained level of access upon the exploitation could be chained with the other privilege escalation vulnerabilities (CVE-2016-6662, CVE-2016-6664) to further escalate privileges from mysql user to root user and thus allow attackers to fully compromise the target server.”
The researcher stepped readers through the process by which full compromise can occur on un-patched systems.
Admins should apply patches as soon as possible to avoid the inevitable forthcoming wave of attacks as black hats seek to exploit the vulnerabilities.
Those who cannot immediately apply patches can instead disable symbolic link support in the database server configuration by adding symbolic-links = 0 to my.cnf.
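As an added example (not code from the article or from the researcher), the following POSIX shell function audits a my.cnf-style file for that workaround. It returns success only when the [mysqld] section ends up disabling symlink support, via either symbolic-links = 0 (also OFF or FALSE) or the equivalent skip-symbolic-links form; it honours MySQL's documented rules that dashes and underscores are interchangeable in option names and that the last occurrence of an option wins. The file paths and their contents are constructed for the demonstration.

```shell
#!/bin/sh
# Added example, not from the article: check whether a MySQL/MariaDB/Percona
# option file disables symbolic link support in its [mysqld] section.
# Usage: symlinks_disabled /path/to/my.cnf   -> exit 0 if disabled, 1 if not.

symlinks_disabled() {
    awk '
        # Track the current [section]; options outside [mysqld] are ignored.
        /^[ \t]*\[/ { section = $0; gsub(/[][ \t]/, "", section); next }
        section == "mysqld" {
            line = $0
            sub(/[ \t]*#.*/, "", line)       # drop trailing comments
            gsub(/[ \t]/, "", line)           # the server tolerates spaces around =
            gsub(/_/, "-", line)              # option names accept _ or -
            line = tolower(line)
            if (line == "skip-symbolic-links")      { state = "off" }
            else if (line ~ /^symbolic-links=(0|off|false)$/) { state = "off" }
            else if (line ~ /^symbolic-links(=.*)?$/) { state = "on" }   # =1/ON or bare
        }
        # Last occurrence wins, as the server itself resolves repeated options.
        END { exit (state == "off") ? 0 : 1 }
    ' "$1"
}

# Constructed sample files: a weak configuration and the hardened one.
weak_cnf=$(mktemp)
hardened_cnf=$(mktemp)
printf '[mysqld]\ndatadir = /var/lib/mysql\nsymbolic-links = 1\n' > "$weak_cnf"
printf '[mysqld]\ndatadir = /var/lib/mysql\nsymbolic-links = 1\nsymbolic_links = 0  # workaround\n' > "$hardened_cnf"

for f in "$weak_cnf" "$hardened_cnf"; do
    if symlinks_disabled "$f"; then
        echo "$f: symbolic links DISABLED (mitigated)"
    else
        echo "$f: symbolic links ENABLED (not mitigated)"
    fi
done
rm -f "$weak_cnf" "$hardened_cnf"
```

The file check only tells you what the server will read at its next start; on a running instance, confirm the setting took effect with SHOW GLOBAL VARIABLES LIKE 'have_symlink', which reports DISABLED once the server was started without symlink support.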
Golunski has posted a proof-of-concept exploit and will upload a matching video soon. ®