All Products
Search

This Product

    [Vulnerability notice] CVE-2016-5616/6663: Privilege escalation race condition vulnerability in MySQL, MariaDB, and PerconaDB

    Document Center

    [Vulnerability notice] CVE-2016-5616/6663: Privilege escalation race condition vulnerability in MySQL, MariaDB, and PerconaDB

    Last Updated: Apr 08, 2018

    On November 1, 2016, a security researcher Dawid Golunski revealed a race condition vulnerability in MySQL, MariaDB, and PerconaDB databases. The vulnerability allows a local user with a low-privileged account (CREATE, INSERT, and SELECT) to escalate privileges and run arbitrary code as the database system user (typically ‘mysql’). Successful exploitation can allow an attacker to gain full access to the database.

    The attacker can also exploit the CVE-2016-6662 and CVE-2016-6664 vulnerabilities to further escalate privileges to the root user, causing serious security risks.

    See the following for more information about the vulnerability.

    CVE identifier

    CVE-2016-5616, CVE-2016-6663

    Vulnerability name

    Privilege escalation race condition vulnerability in MySQL, MariaDB, and PerconaDB

    Vulnerability rating

    High

    Vulnerability description

    The vulnerability allows a local user with a low-privileged account (CREATE, INSERT, and SELECT) to escalate privileges and run arbitrary code as the database system user (typically ‘mysql’). Successful exploitation can allow an attacker to gain full access to the database. The attacker can also exploit the CVE-2016-6662 and CVE-2016-6664 vulnerabilities to further escalate privileges to the root user, resulting in data leakage.

    Condition and method of exploitation

    An attacker can remotely exploit this vulnerability to gain local privileges and then exploit it again to escalate privileges.

    Affected scope

    • MariaDB 5.5 < 5.5.52
    • MariaDB 10.1 < 10.1.18
    • MariaDB 10.0 < 10.0.28
    • MySQL 5.5 <= 5.5.51
    • MySQL 5.6 <= 5.6.32
    • MySQL 5.7 <= 5.7.14
    • Percona Server 5.5 < 5.5.51-38.2
    • Percona Server 5.6 < 5.6.32-78-1
    • Percona Server 5.7 < 5.7.14-8
    • Percona XtraDB Cluster 5.6 < 5.6.32-25.17
    • Percona XtraDB Cluster 5.7 < 5.7.14-26.17
    • Percona XtraDB Cluster 5.5 < 5.5.41-37.0

    How to fix or mitigate

    • Workaround: Add symbolic-links = 0 in my.cnf and then restart the MySQL service.

    • Do not expose high-risk ports, such as database and operating system management ports, to the Internet.

    • Pay attention to security vulnerabilities in application code, and install official patches in a timely manner to fix vulnerabilities and prevent system intrusion.

    • Upgrade your database to the latest official version.

    Reference

    [1]. http://legalhackers.com/advisories/MySQL-Maria-Percona-PrivEscRace-CVE-2016-6663-5616-Exploit.html
    [2]. http://legalhackers.com/advisories/MySQL-Maria-Percona-RootPrivEsc-CVE-2016-6664-5617-Exploit.html
    [3]. http://legalhackers.com

    Free Trial Free Trial