There are multiple severe vulnerabilities affecting the open source database MySQL.
Attackers can leverage one of the vulnerabilities to inject malicious settings into MySQL configuration files or create new ones, allowing them to execute arbitrary code with root privileges when the MySQL service restarts. This could lead to total compromise of the server running the vulnerable MySQL version.
“The vulnerability affects all MySQL servers in default configuration in all version branches (5.7, 5.6, and 5.5) including the latest versions, and could be exploited by both local and remote attackers,” said researcher Dawid Golunski, who discovered the vulnerabilities.
“Both the authenticated access to MySQL database (via network connection or web interfaces such as phpMyAdmin) and SQL Injection could be used as exploitation vectors,” he said.
Oracle – which in 2010 acquired the software company that developed MySQL – has yet to issue a fix for this and other issues. Golunski reported them to Oracle and the vendors of other affected forks in late July, and the Percona and MariaDB vendors have already pushed out new releases that plug CVE-2016-6662.
As these new releases came out with details about the vulnerability, and Oracle’s next Critical Patch Update should come out October 18, Golunski decided to start disclosing the vulnerabilities so users can do everything in their power to minimize risk of exploitation.
The advisory also contains a limited PoC exploit. A full exploit and details about CVE-2016-6663, the flaw that allows low-privileged attackers to effect the same attack, will be published soon.
“As temporary mitigations, users should ensure that no mysql config files are owned by mysql user, and create root-owned dummy my.cnf files that are not in use,” Golunski said.
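One way to check a host against that temporary mitigation, as an added shell example that is not part of the original article or of Golunski's advisory. The function name `audit_cnf_owner` and the paths in the usage comment are assumptions; substitute the config locations your MySQL build actually reads.

```shell
#!/bin/sh
# Added example: audit MySQL config file ownership for the CVE-2016-6662
# temporary mitigation (no config file owned by the mysql user; unused
# locations covered by root-owned dummy files).
#
# audit_cnf_owner OWNER FILE...
#   OWNER is a user name or numeric uid (normally "mysql").
#   Prints one line per path:
#     RISK    <path>  owned by OWNER, so the service account could rewrite it
#     MISSING <path>  absent, a candidate for a root-owned dummy file
#     OK      <path>  exists and is owned by a different account
#   Returns 0 only when every path is OK, 1 otherwise.
audit_cnf_owner() {
    owner=$1
    shift
    rc=0
    for f in "$@"; do
        if [ ! -e "$f" ]; then
            # Also covers dangling symlinks: nothing usable is in place.
            printf 'MISSING %s\n' "$f"
            rc=1
        elif [ -n "$(find -H "$f" -prune -user "$owner" -print 2>/dev/null)" ]; then
            # -H follows a symlink given on the command line, so the owner
            # checked is that of the file the server would actually read.
            printf 'RISK    %s\n' "$f"
            rc=1
        else
            printf 'OK      %s\n' "$f"
        fi
    done
    return "$rc"
}

# Usage (paths are assumptions, not taken from the article):
#   audit_cnf_owner mysql /etc/my.cnf /etc/mysql/my.cnf /var/lib/mysql/my.cnf
# For each MISSING path, a root-owned placeholder can be created as root:
#   touch /path/to/my.cnf && chown root:root /path/to/my.cnf && chmod 644 /path/to/my.cnf
```

A non-zero exit status makes the function usable as a gate in a configuration-management or monitoring check until the vendor fix is installed.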