Researcher publishes limited proof-of-concept exploit code online
Two zero-day vulnerabilities, CVE-2016-6662 and CVE-2016-6663, affecting all currently supported MySQL versions have been discovered by Polish security researcher Dawid Golunski. The flaws allow an attacker to take complete control of the database server.
Both vulnerabilities were reported to Oracle as well as to the vendors of MariaDB and Percona Server, two forks of the MySQL code base, Golunski says.
MariaDB and Percona have already fixed the vulnerabilities; Oracle has not. Today the researcher went ahead and published proof-of-concept exploit code for CVE-2016-6662.
Oracle's last Critical Patch Update (CPU) was released on July 19, 2016. Oracle ships security fixes on a fixed quarterly schedule, and the next CPU is scheduled for October 18, 2016.
The issue was reported to Oracle on July 29, 2016, Golunski says; Oracle's security team acknowledged and triaged the report, he adds.
“The vulnerabilities were patched by PerconaDB and MariaDB vendors by the end of the 30th of August,” Golunski clarified. “During the course of the patching by these vendors the patches went into public repositories and the fixed security issues were also mentioned in the new releases, which could be noticed by malicious attackers.”
“As over 40 days have passed since reporting the issues and patches were already mentioned publicly, a decision was made to start disclosing vulnerabilities (with limited PoC) to inform users about the risks before the vendor’s next CPU update that only happens at the end of October,” the researcher further described.
CVE-2016-6662 lets an attacker, remote or local, add settings of their choosing to a MySQL configuration file (my.cnf).
MySQL servers running in their default configuration are affected. The injected settings do nothing until the database is next restarted, and restarts happen routinely during system updates, package upgrades and reboots, so the attacker can simply wait for one rather than having to force it.
Golunski says the exploit can be delivered with authenticated database access, whether over a network connection or through a database front end such as phpMyAdmin, or by way of a SQL injection flaw in an application that talks to the database.
In short, CVE-2016-6662 allows an attacker to change my.cnf so that the server loads an attacker-supplied library at the next restart, and that code is executed with root privileges.
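To make the injected-settings vector concrete, here is an added example; it is my own code, not Golunski's proof of concept and not anything from Oracle or the article. It parses a MySQL option file and flags the `malloc_lib` directive, which mysqld_safe turns into an LD_PRELOAD entry for the mysqld process it launches as root, along with `!include`/`!includedir` lines that could pull such a directive in from another file. The sample option file and the library path `/var/lib/mysql/evil.so` are constructed for the example.

```python
# Added example (not from the advisory or the article): parse a MySQL option
# file and flag directives that make mysqld_safe preload a shared library.
import re
from typing import Dict, List, Tuple

# Constructed sample: a normal config with an attacker-appended [mysqld] section
# that points malloc_lib at a library in a directory the mysql user can write to.
SAMPLE_MY_CNF = """\
[mysqld]
datadir=/var/lib/mysql
socket=/var/lib/mysql/mysql.sock

[mysqld_safe]
log-error=/var/log/mysqld.log
# pid-file=/var/run/mysqld/mysqld.pid

[mysqld]
malloc_lib=/var/lib/mysql/evil.so
"""

# Option groups mysqld_safe reads when it starts mysqld.
MYSQLD_SAFE_GROUPS = {"mysqld", "server", "mysqld_safe", "safe_mysqld"}

_SECTION_RE = re.compile(r"^\s*\[([^\]]+)\]\s*$")


def parse_option_file(text: str) -> List[Tuple[str, str, str]]:
    """Return (group, key, value) triples for every option line.

    Keys are normalised so that 'malloc-lib' and 'malloc_lib' compare equal,
    which is how the MySQL option parser treats them. '!include' and
    '!includedir' lines are returned with the leading '!' kept in the key.
    """
    group = ""
    entries: List[Tuple[str, str, str]] = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":  # blank line or comment
            continue
        m = _SECTION_RE.match(line)
        if m:
            group = m.group(1).strip().lower()
            continue
        if line.startswith("!"):
            directive, _, arg = line[1:].partition(" ")
            entries.append((group, "!" + directive.strip().lower(), arg.strip()))
            continue
        key, _, value = line.partition("=")
        key = key.strip().lower().replace("-", "_")
        entries.append((group, key, value.strip()))
    return entries


def find_preload_directives(text: str) -> List[Dict[str, str]]:
    """Flag every option that would preload a library into mysqld, plus every
    include directive, since the included file needs the same audit."""
    findings: List[Dict[str, str]] = []
    for group, key, value in parse_option_file(text):
        if key == "malloc_lib":
            where = "read by mysqld_safe" if group in MYSQLD_SAFE_GROUPS else "group not read by mysqld_safe"
            findings.append({"group": group, "key": key, "value": value,
                             "reason": "malloc_lib is added to LD_PRELOAD before mysqld starts (" + where + ")"})
        elif key in ("!include", "!includedir"):
            findings.append({"group": group, "key": key, "value": value,
                             "reason": "included file(s) must be audited as well"})
    return findings


if __name__ == "__main__":
    for f in find_preload_directives(SAMPLE_MY_CNF):
        print(f"[{f['group']}] {f['key']}={f['value']}  <- {f['reason']}")
```

Any hit on `malloc_lib` that is not a deliberate, root-owned allocator library (for instance a packaged tcmalloc or jemalloc) deserves investigation: a value under a directory the mysql user can write to is exactly what the injected settings described above look like.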
The second vulnerability, CVE-2016-6663, is a variant of CVE-2016-6662 and was also discovered by Golunski, but he has not published details of it. According to the researcher, it likewise leads to remote code execution as root.
Until Oracle ships a fix in its next CPU, the researcher suggests temporary mitigations to keep servers safe.
“As temporary mitigations, users should ensure that no MySQL config files are owned by the mysql user, and create root-owned dummy my.cnf files that are not in use.”
Golunski stresses that these are only workarounds and that users should apply the vendor patches as soon as they become available.
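The two workarounds quoted above can be turned into a small audit. The following is an added example, my own code rather than a tool from the researcher or any vendor: it classifies each option-file location by whether the database user owns it, can write to it, or could create it (the case the root-owned dummy file is meant to close), and creates such a dummy without ever overwriting an existing file. The list of paths is an assumption for the example; the real set depends on the build's SYSCONFDIR and the server's datadir. The data-directory entry is included because mysqld_safe also picks up a my.cnf from the data directory, which the mysql user owns. The `demo_in_tempdir` function stands up a constructed scenario in a scratch directory, with the current user playing the mysql user.

```python
# Added example (not the researcher's or a vendor's tooling): audit MySQL
# option-file locations for files the mysql user controls, and pin down unused
# locations with root-owned empty files, as the advisory's workaround suggests.
import os
import shutil
import stat
import tempfile
from typing import Dict, List

# Assumed candidate locations for this example; adjust to the installation.
DEFAULT_PATHS = [
    "/etc/my.cnf",
    "/etc/mysql/my.cnf",
    "/usr/etc/my.cnf",
    "/var/lib/mysql/my.cnf",   # datadir fallback read by mysqld_safe
]


def classify_path(path: str, db_uid: int) -> str:
    """Classify one candidate option-file path relative to the database user's uid."""
    try:
        st = os.stat(path)
    except FileNotFoundError:
        parent = os.path.dirname(path) or "."
        try:
            pst = os.stat(parent)
        except FileNotFoundError:
            return "parent_missing"
        # A missing file the db user could create is as bad as one it owns.
        if pst.st_uid == db_uid or pst.st_mode & stat.S_IWOTH:
            return "missing_creatable_by_db_user"
        return "missing"
    if st.st_uid == db_uid:
        return "owned_by_db_user"
    if st.st_mode & (stat.S_IWGRP | stat.S_IWOTH):
        return "group_or_world_writable"
    return "ok"


def audit(paths: List[str], db_uid: int) -> Dict[str, str]:
    """Classify every candidate path; anything not 'ok' needs attention."""
    return {p: classify_path(p, db_uid) for p in paths}


def create_root_dummy(path: str) -> bool:
    """Create an empty 0644 option file so the db user cannot create its own.
    Run this as root so the file is root-owned. Returns False if the path
    already exists; it never replaces an existing file."""
    try:
        fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o644)
    except FileExistsError:
        return False
    os.close(fd)
    os.chmod(path, 0o644)  # O_CREAT mode is subject to umask; force it
    return True


def demo_in_tempdir() -> Dict[str, object]:
    """Constructed scenario: a scratch directory plays the data directory, the
    current user plays the mysql user, and uid+1 plays some other owner."""
    db_uid = os.getuid()
    other_uid = db_uid + 1
    scratch = tempfile.mkdtemp()
    try:
        owned = os.path.join(scratch, "my.cnf")
        with open(owned, "w") as fh:
            fh.write("[mysqld]\ndatadir=" + scratch + "\n")
        os.chmod(owned, 0o644)
        missing = os.path.join(scratch, "dummy.cnf")
        return {
            "existing_file_as_db_user": classify_path(owned, db_uid),
            "existing_file_as_other": classify_path(owned, other_uid),
            "missing_file_in_db_owned_dir": classify_path(missing, db_uid),
            "missing_file_parent_not_db_owned": classify_path(missing, other_uid),
            "dummy_created": create_root_dummy(missing),
            "dummy_created_again": create_root_dummy(missing),
            "dummy_after_create_as_other": classify_path(missing, other_uid),
        }
    finally:
        shutil.rmtree(scratch)


if __name__ == "__main__":
    import pwd
    try:
        uid = pwd.getpwnam("mysql").pw_uid
    except KeyError:
        uid = -1  # no mysql user on this host; only ownership-free checks apply
    for p, status in audit(DEFAULT_PATHS, uid).items():
        print(f"{status:32} {p}")
```

Run the audit as root on the server itself; any path reported as `owned_by_db_user`, `group_or_world_writable` or `missing_creatable_by_db_user` is a location through which the attack above can land its settings, and the last of those is precisely where a root-owned dummy belongs.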