
[Vulnerability notice] CVE-2016-5616/6663: Privilege escalation race condition vulnerability in MySQL, MariaDB, and PerconaDB

Last Updated: Apr 08, 2018

On November 1, 2016, security researcher Dawid Golunski disclosed a race condition vulnerability in the MySQL, MariaDB, and PerconaDB databases. The vulnerability allows a local user with a low-privileged account (CREATE, INSERT, and SELECT) to escalate privileges and run arbitrary code as the database system user (typically ‘mysql’). Successful exploitation can allow an attacker to gain full access to the database.

The attacker can also exploit the CVE-2016-6662 and CVE-2016-6664 vulnerabilities to further escalate privileges to the root user, causing serious security risks.

See the following for more information about the vulnerability.


CVE identifier

CVE-2016-5616, CVE-2016-6663

Vulnerability name

Privilege escalation race condition vulnerability in MySQL, MariaDB, and PerconaDB

Vulnerability rating

High

Vulnerability description

The vulnerability allows a local user with a low-privileged account (CREATE, INSERT, and SELECT) to escalate privileges and run arbitrary code as the database system user (typically ‘mysql’). Successful exploitation can allow an attacker to gain full access to the database. The attacker can also exploit the CVE-2016-6662 and CVE-2016-6664 vulnerabilities to further escalate privileges to the root user, resulting in data leakage.

Condition and method of exploitation

An attacker can exploit this vulnerability remotely to obtain local privileges, and then exploit it again to escalate those privileges.

Affected scope

  • MariaDB 5.5 < 5.5.52
  • MariaDB 10.1 < 10.1.18
  • MariaDB 10.0 < 10.0.28
  • MySQL 5.5 <= 5.5.51
  • MySQL 5.6 <= 5.6.32
  • MySQL 5.7 <= 5.7.14
  • Percona Server 5.5 < 5.5.51-38.2
  • Percona Server 5.6 < 5.6.32-78-1
  • Percona Server 5.7 < 5.7.14-8
  • Percona XtraDB Cluster 5.6 < 5.6.32-25.17
  • Percona XtraDB Cluster 5.7 < 5.7.14-26.17
  • Percona XtraDB Cluster 5.5 < 5.5.41-37.0

How to fix or mitigate

  • Workaround: Add symbolic-links = 0 in my.cnf and then restart the MySQL service.

  • Do not expose high-risk ports, such as database and operating system management ports, to the Internet.

  • Pay attention to security vulnerabilities in application code, and install official patches in a timely manner to fix vulnerabilities and prevent system intrusion.

  • Upgrade your database to the latest official version.
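To turn the affected-version list and the symbolic-links workaround above into a check, here is an added example that is not part of the notice or of any vendor's code: it compares a server version string against the ranges the notice lists and inspects my.cnf text for the workaround. The product keys (mysql, mariadb, percona, pxc) and the sample my.cnf in the test are my own constructions.

```python
import re
# Affected ranges transcribed from the notice: series -> (bound, bound inclusive).
AFFECTED = {
    ("mariadb", "5.5"): ("5.5.52", False),
    ("mariadb", "10.0"): ("10.0.28", False),
    ("mariadb", "10.1"): ("10.1.18", False),
    ("mysql", "5.5"): ("5.5.51", True),
    ("mysql", "5.6"): ("5.6.32", True),
    ("mysql", "5.7"): ("5.7.14", True),
    ("percona", "5.5"): ("5.5.51-38.2", False),
    ("percona", "5.6"): ("5.6.32-78-1", False),
    ("percona", "5.7"): ("5.7.14-8", False),
    ("pxc", "5.5"): ("5.5.41-37.0", False),   # Percona XtraDB Cluster
    ("pxc", "5.6"): ("5.6.32-25.17", False),
    ("pxc", "5.7"): ("5.7.14-26.17", False),
}

def parse_version(version):
    """'5.6.32-78-1' -> (5, 6, 32, 78, 1); suffixes like '-log' are dropped."""
    parts = tuple(int(p) for p in re.split(r"[.\-]", version) if p.isdigit())
    if len(parts) < 2:
        raise ValueError(f"unrecognised version string: {version!r}")
    return parts

def is_affected(product, version):
    """True/False for a series the notice lists; None if the series is out of scope."""
    parts = parse_version(version)
    entry = AFFECTED.get((product.lower(), f"{parts[0]}.{parts[1]}"))
    if entry is None:
        return None
    bound, inclusive = entry
    limit = parse_version(bound)
    return parts <= limit if inclusive else parts < limit

def symlinks_disabled(mycnf_text):
    """True if the [mysqld] section turns symbolic links off (the workaround).
    Accepts symbolic-links / symbolic_links = 0|OFF|false and skip-symbolic-links."""
    section, disabled = None, False
    for raw in mycnf_text.splitlines():
        line = raw.split("#", 1)[0].strip()   # strip comments and whitespace
        if line.startswith("["):
            section = line.strip("[]").lower()
        elif line and section == "mysqld":
            key, _, value = line.partition("=")
            key = key.strip().lower().replace("_", "-")
            if key == "skip-symbolic-links":
                disabled = True
            elif key == "symbolic-links":   # last occurrence wins, as in mysqld
                disabled = value.strip().lower() in ("0", "off", "false")
    return disabled
```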

Reference

[1] http://legalhackers.com/advisories/MySQL-Maria-Percona-PrivEscRace-CVE-2016-6663-5616-Exploit.html
[2] http://legalhackers.com/advisories/MySQL-Maria-Percona-RootPrivEsc-CVE-2016-6664-5617-Exploit.html
[3] http://legalhackers.com
