On November 1, 2016, security researcher Dawid Golunski disclosed a race condition vulnerability in MySQL, MariaDB, and PerconaDB databases. The vulnerability allows a local user with a low-privileged account (CREATE, INSERT, and SELECT) to escalate privileges and run arbitrary code as the database system user (typically ‘mysql’). Successful exploitation can allow an attacker to gain full access to the database.
The attacker can also exploit the CVE-2016-6662 and CVE-2016-6664 vulnerabilities to further escalate privileges to the root user, causing serious security risks.
See the following for more information about the vulnerability.
CVE identifier: CVE-2016-5616, CVE-2016-6663
Vulnerability name: Privilege escalation race condition vulnerability in MySQL, MariaDB, and PerconaDB
Vulnerability rating: High
Vulnerability description: The vulnerability allows a local user with a low-privileged account (CREATE, INSERT, and SELECT) to escalate privileges and run arbitrary code as the database system user (typically ‘mysql’). Successful exploitation can allow an attacker to gain full access to the database. The attacker can also exploit the CVE-2016-6662 and CVE-2016-6664 vulnerabilities to further escalate privileges to the root user, resulting in data leakage.
Condition and method of exploitation
An attacker can remotely exploit this vulnerability to gain local privileges and then exploit it again to escalate privileges.
Affected scope
- MariaDB 5.5 < 5.5.52
- MariaDB 10.1 < 10.1.18
- MariaDB 10.0 < 10.0.28
- MySQL 5.5 <= 5.5.51
- MySQL 5.6 <= 5.6.32
- MySQL 5.7 <= 5.7.14
- Percona Server 5.5 < 5.5.51-38.2
- Percona Server 5.6 < 5.6.32-78-1
- Percona Server 5.7 < 5.7.14-8
- Percona XtraDB Cluster 5.6 < 5.6.32-25.17
- Percona XtraDB Cluster 5.7 < 5.7.14-26.17
- Percona XtraDB Cluster 5.5 < 5.5.41-37.0
How to fix or mitigate
Workaround: add the following line to my.cnf and then restart the MySQL service:
symbolic-links = 0
Do not expose high-risk ports, such as database and operating system management ports, to the Internet.
Pay attention to security vulnerabilities in application code, and install official patches in a timely manner to fix vulnerabilities and prevent system intrusion.
Upgrade your database to the latest official version.
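As an added defender-side check that is not part of this advisory (example code, not from the researcher or the vendors), the following Python encodes the affected-version table above and inspects a my.cnf for the workaround. The product names, the assumption that the setting must sit in the [mysqld] section, and the acceptance of skip-symbolic-links as an equivalent spelling are mine.

```python
import re

# Affected ranges copied from the advisory's "Affected scope" list.
# (product, major.minor series) -> (comparison, threshold)
# "<"  : versions below the threshold (the fixed build) are affected
# "<=" : versions up to and including the threshold are affected
AFFECTED = {
    ("mariadb", (5, 5)): ("<", "5.5.52"),
    ("mariadb", (10, 0)): ("<", "10.0.28"),
    ("mariadb", (10, 1)): ("<", "10.1.18"),
    ("mysql", (5, 5)): ("<=", "5.5.51"),
    ("mysql", (5, 6)): ("<=", "5.6.32"),
    ("mysql", (5, 7)): ("<=", "5.7.14"),
    ("percona-server", (5, 5)): ("<", "5.5.51-38.2"),
    ("percona-server", (5, 6)): ("<", "5.6.32-78-1"),
    ("percona-server", (5, 7)): ("<", "5.7.14-8"),
    ("percona-xtradb-cluster", (5, 5)): ("<", "5.5.41-37.0"),
    ("percona-xtradb-cluster", (5, 6)): ("<", "5.6.32-25.17"),
    ("percona-xtradb-cluster", (5, 7)): ("<", "5.7.14-26.17"),
}

def parse_version(text):
    """'5.6.32-78-1' -> (5, 6, 32, 78, 1), so Percona build suffixes compare numerically."""
    return tuple(int(n) for n in re.findall(r"\d+", text))

def is_affected(product, version):
    """True if (product, version) falls inside an affected range from the table.
    A product/series that is not listed returns False: 'not listed', not 'safe'."""
    v = parse_version(version)
    entry = AFFECTED.get((product, v[:2]))
    if entry is None:
        return False
    op, threshold = entry
    t = parse_version(threshold)
    return v < t if op == "<" else v <= t

def mycnf_disables_symlinks(cnf_text):
    """True if the [mysqld] section applies the workaround (symbolic-links=0
    or the equivalent skip-symbolic-links); comments and other sections are ignored."""
    section = None
    for raw in cnf_text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop trailing comments
        if not line:
            continue
        if line.startswith("["):
            section = line.strip("[]").strip().lower()
            continue
        if section != "mysqld":
            continue
        key, _, value = (p.strip() for p in line.partition("="))
        key = key.replace("_", "-").lower()   # symbolic_links and symbolic-links are the same option
        if key == "symbolic-links" and value.strip("\"'") == "0":
            return True
        if key == "skip-symbolic-links" and value != "0":
            return True
    return False
```

Run is_affected against the version reported by SELECT VERSION() and mycnf_disables_symlinks against each config file the server actually reads; a server started with --skip-symbolic-links reports have_symlink as DISABLED in SHOW VARIABLES.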
Reference
[1] http://legalhackers.com/advisories/MySQL-Maria-Percona-PrivEscRace-CVE-2016-6663-5616-Exploit.html
[2] http://legalhackers.com/advisories/MySQL-Maria-Percona-RootPrivEsc-CVE-2016-6664-5617-Exploit.html
[3] http://legalhackers.com