A critical zero-day flaw in MySQL, the popular relational database management system (RDBMS), has been uncovered by security researcher Dawid Golunski.
The vulnerability affects default configurations of all MySQL version branches, including 5.5, 5.6 and 5.7. Golunski decided to publish his findings because Oracle had not released a patch despite having known about the issue for 40 days.
Among the security bugs the researcher found in the DBMS is CVE-2016-6662, which allows an attacker to inject malicious settings into MySQL configuration files (my.cnf). The injected settings are picked up the next time the server is started, letting the attacker execute arbitrary code with root privileges on the host running the vulnerable MySQL instance and thereby fully compromise the system.
The vulnerability can be exploited by a remote attacker who has an authenticated connection to the MySQL service, a common situation in shared hosting environments, or through an SQL injection flaw in a web application that uses the database, one of the most common classes of web vulnerability.
“This advisory focuses on a critical vulnerability with a CVEID of CVE-2016-6662 which can allow attackers to (remotely) inject malicious settings into MySQL configuration files (my.cnf) leading to critical consequences.” – Golunski wrote in his advisory – “The vulnerability affects all MySQL servers in default configuration in all version branches (5.7, 5.6, and 5.5) including the latest versions, and could be exploited by both local and remote attackers. Both the authenticated access to MySQL database (via network connection or web interfaces such as phpMyAdmin) and SQL Injection could be used as exploitation vectors.”
The advisory also includes a proof-of-concept exploit showing how the bug can be triggered to achieve remote code execution with root privileges. Some details were deliberately withheld to limit misuse while patches are pending.
Golunski also reported a second, related vulnerability, CVE-2016-6663, which he said would allow even low-privileged attackers to exploit the MySQL zero-day.
All MySQL versions, including 5.5, 5.6 and 5.7, are exposed to the zero-day flaw. The bug also affected the PerconaDB and MariaDB forks, both of which patched it at the end of August.
Because those PerconaDB and MariaDB patches were already public in the vendors' repositories, attackers could study them to work out the underlying bug, so Golunski decided to disclose the MySQL zero-day as well.
To reduce the risk until Oracle ships patches, the researcher suggested some temporary workarounds.
“As temporary mitigations, users should ensure that no MySQL config files are owned by MySQL users, and create root-owned dummy my.cnf files that are not in use.” – said the expert – “These are by no means a complete solution and users should apply official vendor patches as soon as they become available.”
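As an added example (hand-written for this page, not code from Golunski's advisory or from MySQL), the following POSIX shell script turns those two interim mitigations into a repeatable check: it flags any config file the MySQL service account could write to, and creates empty root-owned placeholders at the search locations that are not in use. It assumes GNU coreutils `stat`, a service account named `mysql`, and the default Linux search paths for my.cnf, including a my.cnf inside the default datadir `/var/lib/mysql`; all of these are assumptions to adjust to the host (`mysqld --help --verbose` prints the real search order).

```shell
#!/bin/sh
# Added example, not code from the advisory or from MySQL. Audits the my.cnf
# locations mysqld reads and applies the two interim mitigations quoted above:
# no MySQL-owned config files, and root-owned dummy my.cnf files where none exist.
# Assumptions: GNU `stat`, service account "mysql", default Linux paths below.

MYSQL_USER="${MYSQL_USER:-mysql}"

# Assumed default search locations (check `mysqld --help --verbose` on the host).
# The datadir entry matters because that directory is owned by the service account.
DEFAULT_CNF_PATHS="/etc/my.cnf /etc/mysql/my.cnf /usr/etc/my.cnf /var/lib/mysql/my.cnf"

# cnf_risk FILE: prints why FILE is dangerous and returns 0 if the MySQL service
# account could write to it (owned by it, or group/world writable); returns 1 if
# the file is safe or does not exist.
cnf_risk() {
    f="$1"
    [ -f "$f" ] || return 1
    owner=$(stat -c '%U' "$f")
    mode=$(stat -c '%A' "$f")          # e.g. -rw-rw-r--
    if [ "$owner" = "$MYSQL_USER" ]; then
        echo "RISK $f: owned by $owner, so mysqld can rewrite it"
        return 0
    fi
    # position 6 = group write bit, position 9 = other write bit
    case "$mode" in
        ?????w*|????????w*)
            echo "RISK $f: mode $mode lets non-owners write"
            return 0 ;;
    esac
    return 1
}

# audit_cnf_paths PATH...: runs cnf_risk over every path; the exit status is the
# number of risky files found (0 = clean).
audit_cnf_paths() {
    bad=0
    for p in "$@"; do
        if cnf_risk "$p"; then
            bad=$((bad + 1))
        fi
    done
    return "$bad"
}

# ensure_dummy_cnf FILE: if FILE is absent, create an empty placeholder so the
# service account cannot create its own there; force mode 0644 and, when running
# as root, root ownership.
ensure_dummy_cnf() {
    f="$1"
    if [ ! -e "$f" ]; then
        : > "$f"
        echo "CREATED $f: empty root-owned placeholder"
    fi
    chmod 0644 "$f"
    if [ "$(id -u)" -eq 0 ]; then
        chown root:root "$f"
    fi
    return 0
}

# Entry point: nothing touches the real system unless a mode is given.
case "${1:-}" in
    audit) audit_cnf_paths $DEFAULT_CNF_PATHS ;;
    apply) for p in $DEFAULT_CNF_PATHS; do ensure_dummy_cnf "$p"; done
           audit_cnf_paths $DEFAULT_CNF_PATHS ;;
esac
```

Run `sh mycnf-audit.sh audit` first to see what the service account could currently write to, then `sudo sh mycnf-audit.sh apply` to drop the placeholders and re-check. The script deliberately treats any group- or world-writable config file as risky rather than resolving the mysql user's groups, which is the conservative choice; it also does not cover `!includedir` directories or per-user `~/.my.cnf` files, which should be inspected by hand.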