Two critical zero-day vulnerabilities have been disclosed in MySQL, one of the world's most widely deployed database management systems. The more serious of the two lets an attacker take control not only of the database but of the server it runs on.

Researcher Dawid Golunski discovered several security issues in the MySQL DBMS, including a flaw (CVE-2016-6662) that a remote attacker can exploit to inject malicious settings into a my.cnf configuration file. Because the planted settings are honoured by MySQL's startup wrapper, which runs as root, the flaw can be used to fully compromise the DBMS host by executing arbitrary code with root privileges on the server running the vulnerable MySQL instance.


CVE-2016-6662 can be exploited by an attacker who has an authenticated connection to the MySQL service (a routine situation in shared hosting environments), or by an unauthenticated attacker who reaches the database through an SQL injection flaw in a web application built on it. In either case the attacker needs the ability to write a file into a location the server reads its configuration from; the FILE privilege, via SELECT ... INTO OUTFILE, is enough, since the datadir is owned and writable by the mysql account.

Golunski went on to publish the details and a proof-of-concept exploit for CVE-2016-6662 after reporting both issues to Oracle and to the vendors of MariaDB and PerconaDB.

Exploitation Vector

The flaw can be exploited either through SQL injection or by an attacker with authenticated access to the MySQL database, whether over a direct network connection or through a web interface such as phpMyAdmin.

“A successful exploitation [of CVE-2016-6662] could allow attackers to execute arbitrary code with root privileges which would then allow them to fully compromise the server on which an affected version of MySQL is running,” Golunski explained in an advisory published today.

The root privileges come from MySQL's startup path rather than from the database itself: the settings the attacker plants are read by the root-run mysqld_safe wrapper the next time the service is restarted, so the payload executes before the server drops to the unprivileged mysql account.


No MySQL Patch Available Yet

Golunski reported the zero-day flaws to Oracle and to the other affected vendors on July 29, 2016.

Oracle acknowledged and triaged the report and scheduled the fix for its next Critical Patch Update (CPU) on October 18, 2016, while MariaDB and PerconaDB shipped patched versions of their database software before the end of August.

Because more than 40 days had passed since his report and two of the three vendors had already released fixes, Golunski decided to go public with the details of the zero-days.

Temporary Mitigation:

Until Oracle fixes the problem in its next CPU, you can apply the temporary mitigations proposed by the researcher to protect your servers.

“As temporary mitigations, users should ensure that no MySQL config files are owned by the mysql user, and create root-owned dummy my.cnf files that are not in use,” Golunski wrote.

The two steps work together: a config file the mysql account does not own cannot be rewritten from inside the database, and a root-owned file that already occupies a location the server searches cannot be replaced with an attacker-controlled one, since INTO OUTFILE will not overwrite an existing file. The dummy files therefore need to cover every directory the server reads option files from, including the datadir, not only /etc. But remember, these mitigations are only workarounds, so apply the vendor patches as soon as they become available.
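The script below is an added example written for this page, not code from the researcher's advisory, the article, or the MySQL project. It implements the two mitigations as checks: list option files owned by a given account, flag any that already set malloc_lib (the setting the published proof of concept injects, because mysqld_safe preloads that library as root), and drop empty root-owned my.cnf placeholders into directories that have none. The directory list is an assumed set of common Linux option-file locations; pass your own paths if your build differs.

```shell
#!/bin/sh
# Interim mitigation check for CVE-2016-6662 (added example for this page;
# not code from the advisory, the researcher, or the MySQL project).
#
# Assumptions (not stated on the page): DEFAULT_CNF_DIRS lists the usual
# places mysqld_safe/mysqld read option files from on Linux; adjust for
# your build. "malloc_lib" is the setting the published proof of concept
# plants, since mysqld_safe LD_PRELOADs that library while still root.

# Default option-file directories to inspect (assumed defaults).
DEFAULT_CNF_DIRS="/etc /etc/mysql /etc/mysql/conf.d /etc/mysql/mysql.conf.d /var/lib/mysql"

# find_cnf_owned_by OWNER DIR...
# Print every option file (*.cnf or .my.cnf) directly inside DIR... that is
# owned by OWNER. A hit for OWNER=mysql is the vulnerable condition: the
# server account can then rewrite that file via SELECT ... INTO OUTFILE.
find_cnf_owned_by() {
    owner=$1; shift
    for d in "$@"; do
        [ -d "$d" ] || continue
        find "$d" -maxdepth 1 \( -name '*.cnf' -o -name '.my.cnf' \) \
            -type f -user "$owner" 2>/dev/null
    done
}

# cnf_has_malloc_lib FILE
# Exit 0 if FILE sets malloc_lib / malloc-lib (the mysqld_safe preload
# knob), exit 1 otherwise. Comment lines starting with # do not match.
cnf_has_malloc_lib() {
    grep -Eiq '^[[:space:]]*malloc[_-]lib[[:space:]]*=' "$1"
}

# place_dummy_cnf DIR...
# Create an empty my.cnf in each DIR that has none, mode 0644, owned by
# root when run as root, and print each path created. An existing file the
# mysql account does not own cannot be replaced through INTO OUTFILE.
place_dummy_cnf() {
    for d in "$@"; do
        [ -d "$d" ] || continue
        f="$d/my.cnf"
        [ -e "$f" ] && continue
        : > "$f"
        chmod 0644 "$f"
        [ "$(id -u)" -eq 0 ] && chown root:root "$f"
        echo "$f"
    done
}

# Usage:  sh mysql_cnf_mitigation.sh check [DIR...]
#         sh mysql_cnf_mitigation.sh apply [DIR...]   (run as root)
main() {
    mode=$1; shift
    dirs=${*:-$DEFAULT_CNF_DIRS}
    case "$mode" in
        check)
            bad=$(find_cnf_owned_by mysql $dirs)
            if [ -n "$bad" ]; then
                echo "option files owned by mysql (fix ownership):"
                echo "$bad"
                for f in $bad; do
                    cnf_has_malloc_lib "$f" && echo "  $f already sets malloc_lib"
                done
                return 1
            fi
            echo "no option files owned by mysql in: $dirs"
            ;;
        apply)
            place_dummy_cnf $dirs
            ;;
    esac
}

case "${1:-}" in check|apply) main "$@" ;; esac
```

Run `check` first; a non-zero exit means at least one option file is owned by the mysql account and must be chowned to root before the placeholders are of any use. `apply` only creates files where none exist, so it is safe to re-run after a package upgrade reshuffles /etc/mysql.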

Gurubaran is a PKI Security Engineer. Certified Ethical Hacker, Penetration Tester, Security blogger, Co-Founder & Author of GBHackers On Security.