Limited proof-of-concept exploitation code published online

Sep 12, 2016 14:01 GMT  ·  By

Polish security researcher Dawid Golunski has discovered two zero-days, CVE-2016-6662 and CVE-2016-6663, that affect all currently supported MySQL versions and allow an attacker to take full control over the database.

Golunski says he informed Oracle of both issues, along with other database vendors that forked the MySQL engine in the past such as MariaDB and PerconaDB.

Today the researcher took the extreme measure of publishing proof-of-concept exploit code for CVE-2016-6662 after both MariaDB and PerconaDB fixed the vulnerabilities and Oracle did not.

Oracle most likely to patch issues in October's CPU

Oracle publishes security fixes on a strict quarterly schedule. The last Oracle Critical Patch Update (CPU) came out on July 19.

Golunski says he reported the issue to Oracle on July 29. He also mentions that Oracle's security team acknowledged and triaged the report. The next Oracle CPU is scheduled for October 18, 2016.

"The vulnerabilities were patched by PerconaDB and MariaDB vendors by the end of 30th of August," Golunski explained. "During the course of the patching by these vendors the patches went into public repositories and the fixed security issues were also mentioned in the new releases which could be noticed by malicious attackers."

"As over 40 days have passed since reporting the issues and patches were already mentioned publicly, a decision was made to start disclosing vulnerabilities (with limited PoC) to inform users about the risks before the vendor's next CPU update that only happens at the end of October," the researcher further explained.

Zero-day allows complete database takeover, affects MySQL versions

CVE-2016-6662 allows an attacker, from a remote or local position, to inject custom database settings into MySQL configuration files (my.cnf).

The issue only affects MySQL servers running in their default configuration, and the injected settings take effect at the first database restart after the attacker has planted them. Database servers are restarted routinely during system updates, package updates, and system reboots, so the attacker does not need to force one.

Golunski says that an attacker can deliver the malicious settings through an SQL injection flaw in an application using the database, or through authenticated database access, whether over a network connection or via a database interface such as phpMyAdmin.

Zero-day leads to RCE via root user

CVE-2016-6662 allows attackers to alter the my.cnf file so that the server loads third-party code, which is then executed with root privileges.

The second vulnerability Golunski discovered, which he didn't make public, is CVE-2016-6663. This is a variation of CVE-2016-6662, also leading to remote code execution under a root user.

The researcher proposes some temporary mitigations for protecting servers until Oracle fixes the problem in its next CPU.

"As temporary mitigations, users should ensure that no MySQL config files are owned by the mysql user, and create root-owned dummy my.cnf files that are not in use."

Golunski stresses that these are just workarounds and that users should apply vendor patches as soon as they become available.
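The two workarounds quoted above (no option file owned by the mysql service account; root-owned placeholder my.cnf files in the locations the server would otherwise pick up) can be checked and applied with a short script. The one below is an added example, not code from the article or from Golunski's advisory. The option-file locations it checks are assumed to match a typical Linux package install and should be adjusted to the distribution in use; the service account name "mysql" is likewise an assumption.

```sh
#!/bin/sh
# Added example, not from the article or from Golunski's advisory.
# Audits the weak ownership the article warns about (MySQL option files
# owned by the mysql service account) and creates root-owned placeholder
# my.cnf files so the service account cannot create them later.

# Option-file locations to check. Assumed to match a typical Linux package
# install; adjust to your distribution. The datadir entries
# (/var/lib/mysql/...) are the ones the mysql account can normally write to.
MYSQL_CONF_CANDIDATES="/etc/my.cnf /etc/mysql/my.cnf /var/lib/mysql/my.cnf /var/lib/mysql/.my.cnf"
MYSQL_SERVICE_USER="mysql"   # assumed service account name

# file_owner PATH -> prints the owning user name (portable: ls column 3).
file_owner() {
    ls -ld "$1" | awk '{print $3}'
}

# find_configs_owned_by USER PATH...
# Prints every existing PATH whose owner is USER, one per line.
find_configs_owned_by() {
    owner="$1"; shift
    for f in "$@"; do
        [ -e "$f" ] || continue
        if [ "$(file_owner "$f")" = "$owner" ]; then
            printf '%s\n' "$f"
        fi
    done
}

# ensure_placeholder PATH
# If nothing exists at PATH, create an empty option file there, mode 0644,
# and (when run as root) chown it to root so the service account can
# neither create nor overwrite it. Returns non-zero on failure.
ensure_placeholder() {
    path="$1"
    [ -e "$path" ] && return 0
    : > "$path" || return 1
    chmod 0644 "$path" || return 1
    if [ "$(id -u)" -eq 0 ]; then
        chown root "$path" || return 1
    fi
    return 0
}

# audit_mysql_configs -> prints a report; returns 1 if any candidate file
# is owned by the service account, 0 otherwise.
audit_mysql_configs() {
    bad=$(find_configs_owned_by "$MYSQL_SERVICE_USER" $MYSQL_CONF_CANDIDATES)
    if [ -n "$bad" ]; then
        echo "WARNING: option files owned by '$MYSQL_SERVICE_USER' (fix with chown root):"
        echo "$bad"
        return 1
    fi
    echo "OK: no candidate option file is owned by '$MYSQL_SERVICE_USER'"
    return 0
}

# Read-only audit when executed directly. To apply the placeholder half of
# the workaround, run as root:
#   for p in $MYSQL_CONF_CANDIDATES; do ensure_placeholder "$p"; done
audit_mysql_configs
```

The audit is deliberately read-only; creating the placeholders changes the filesystem and needs root, so it is left as an explicit step. Ownership, not content, is what the check keys on: an option file the service account can write is the precondition the article describes, regardless of what it currently contains.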