Channel: iTWire - Entertainment

Fixes pending for 45-day-old remote MySQL flaws

A security researcher says he has discovered multiple, severe, remotely exploitable vulnerabilities in the widely used open source database MySQL, and has released details and limited proof-of-concept code for one flaw.

The flaws also affect MySQL forks MariaDB and PerconaDB.

Dawid Golunski, of Legal Hackers, said he was releasing details of one critical vulnerability and a limited PoC as more than 40 days had passed since he reported the details to Oracle, the owner of MySQL. Reports were also sent to MariaDB and PerconaDB.

He said he had reported the flaw on 29 July and it was triaged by Oracle's security team. But while MariaDB and PerconaDB had issued patches by 30 August, no patch had been forthcoming from Oracle.

The vulnerability on which he focused his advisory allows attackers to (remotely) inject malicious settings into MySQL configuration files (my.cnf) leading to critical consequences.

"It affects MySQL server in default configuration in all version branches (5.7, 5.6, and 5.5) including the latest versions, and could be exploited by both local and remote attackers," Golunski wrote.

"Both the authenticated access to MySQL database (via network connection or Web interfaces such as phpMyAdmin) and SQL Injection could be used as exploitation vectors."

He said successful exploitation could allow attackers to execute arbitrary code with root privileges which would then allow them to fully compromise the server on which an affected version of MySQL was running.

"The vulnerability can be exploited even if security modules SELinux and AppArmor are installed with default active policies for MySQL service on major Linux distributions," he wrote.

Golunski said he had decided to start releasing details and a limited PoC to inform users of the risks, because attackers would likely learn of the existence of the flaw from the patches released by the other two vendors.

"The vulnerabilities were patched by PerconaDB and MariaDB vendors by the end of 30 August. During the course of the patching by these vendors the patches went into public repositories and the fixed security issues were also mentioned in the new releases which could be noticed by malicious attackers," he wrote in his advisory.

Golunski said that, as a temporary mitigation, users should ensure that no MySQL configuration files were owned by the MySQL user, and should create root-owned dummy my.cnf files that were not in use.

"These are by no means a complete solution and users should apply official vendor patches as soon as they become available," he cautioned.
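The interim mitigation can be checked mechanically on each database host. The following Python audit is an added example, not code from Golunski's advisory or from iTWire; the candidate paths and the `mysql` account name are assumptions, and the symlink and write-permission checks go beyond the two checks the article names.

```python
import os
import pwd
import stat
import sys

# Assumed candidate locations, not taken from the article; adjust per install.
CANDIDATE_PATHS = ["/etc/my.cnf", "/etc/mysql/my.cnf", "/var/lib/mysql/my.cnf"]


def audit_cnf(paths, service_uid):
    """Classify each candidate config path against the interim mitigation.

    service_uid is the uid of the database service account, or None if the
    account does not exist on this host.
    """
    findings = []
    for path in paths:
        try:
            st = os.lstat(path)  # lstat: inspect a symlink itself, not its target
        except FileNotFoundError:
            # No file here: the article's advice is a root-owned dummy my.cnf.
            findings.append((path, "missing"))
            continue
        if stat.S_ISLNK(st.st_mode):
            findings.append((path, "symlink"))
        elif service_uid is not None and st.st_uid == service_uid:
            findings.append((path, "owned-by-service-user"))
        elif st.st_uid != 0:
            findings.append((path, "not-root-owned"))
        elif st.st_mode & (stat.S_IWGRP | stat.S_IWOTH):
            findings.append((path, "group-or-world-writable"))
        else:
            findings.append((path, "ok"))
    return findings


if __name__ == "__main__":
    try:
        uid = pwd.getpwnam("mysql").pw_uid  # assumed service account name
    except KeyError:
        uid = None
    results = audit_cnf(sys.argv[1:] or CANDIDATE_PATHS, uid)
    for path, finding in results:
        print(f"{finding:24} {path}")
    # Non-zero exit lets a cron job or CI check alert on any deviation.
    sys.exit(0 if all(f == "ok" for _, f in results) else 1)
```

A `missing` result marks a location where a root-owned dummy file would be created under the advice above; any result other than `ok` warrants review until vendor patches are applied.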

