CVE-2016-6662 – Researcher disclosed a critical MySQL Zero-Day

A security researcher disclosed a critical MySQL zero-day affecting the default configuration of all MySQL versions, including 5.5, 5.6 and 5.7.

The security researcher Dawid Golunski has disclosed a critical zero-day vulnerability affecting the popular relational database management system (RDBMS) MySQL. The researcher decided to disclose the critical flaw because Oracle failed to release a patch more than 40 days after he reported the zero-day.

Golunski discovered several security issues in the MySQL DBMS, including a flaw (CVE-2016-6662) that can be exploited by a remote attacker to inject malicious settings into my.cnf configuration files. The flaw can be used to fully compromise the DBMS by executing arbitrary code with root privileges on the server running the vulnerable MySQL instance.

The CVE-2016-6662 vulnerability can be exploited if the attacker has an authenticated connection to the MySQL service, for example in shared hosting environments, by triggering an SQL injection flaw, or through a common type of vulnerability in web services leveraging the popular DBMS.

“This advisory focuses on a critical vulnerability with a CVEID of CVE-2016-6662 which can allow attackers to (remotely) inject malicious settings into MySQL configuration files (my.cnf) leading to critical consequences,” reads Golunski’s advisory.

“The vulnerability affects all MySQL servers in default configuration in all version branches (5.7, 5.6, and 5.5) including the latest versions, and could be exploited by both local and remote attackers. Both the authenticated access to MySQL database (via network connection or web interfaces such as phpMyAdmin) and SQL Injection could be used as exploitation vectors.”

The advisory also includes a proof-of-concept MySQL exploit that demonstrates how to trigger the flaw to remotely execute code with root privileges. The researcher has omitted some parts to prevent widespread abuse.

The researcher also disclosed a second vulnerability, tracked as CVE-2016-6663, that could allow the exploitation of the MySQL zero-day even by low-privileged attackers.

The attack works against the default configuration of all MySQL versions, including 5.5, 5.6 and 5.7. The MySQL zero-day vulnerability also affected the MariaDB and PerconaDB databases, which were patched by their vendors by the end of the 30th of August.

Golunski disclosed the MySQL zero-day because the patches released by PerconaDB and MariaDB developers were made available in public repositories, potentially allowing threat actors to exploit them in the wild.

All we can do is sit and wait for Oracle to release patches. The researcher also suggested some temporary workarounds to mitigate the threat.

“As temporary mitigations, users should ensure that no MySQL config files are owned by MySQL users, and create root-owned dummy my.cnf files that are not in use,” explained the expert. “These are by no means a complete solution and users should apply official vendor patches as soon as they become available.”
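The two temporary mitigations quoted above can be audited with a short shell check. This is an added example, not code from the advisory or from MySQL; the service account name `mysql` and the candidate my.cnf paths in the usage comment are assumptions to adjust for your installation.

```shell
#!/bin/sh
# Audit my.cnf candidates against the temporary mitigations quoted above:
#   1. no config file is owned by the MySQL service account
#   2. every candidate path already exists (root-owned dummy in place)
# Assumed, not from the article: the account name and the path list you pass.

# owner_of FILE -> prints the owning user name (GNU stat first, then BSD stat).
owner_of() {
    stat -c '%U' "$1" 2>/dev/null || stat -f '%Su' "$1"
}

# audit_mycnf DB_USER PATH...
# Prints one finding per path. Returns 1 if any path is owned by DB_USER
# or does not exist yet, otherwise 0.
audit_mycnf() {
    db_user=$1
    shift
    rc=0
    for f in "$@"; do
        # -L also catches dangling symlinks, which -e reports as absent.
        if [ ! -e "$f" ] && [ ! -L "$f" ]; then
            echo "MISSING  $f (no root-owned placeholder)"
            rc=1
            continue
        fi
        owner=$(owner_of "$f")
        if [ "$owner" = "$db_user" ]; then
            echo "RISK     $f owned by $db_user"
            rc=1
        elif [ "$owner" != "root" ]; then
            echo "REVIEW   $f owned by $owner, expected root"
        else
            echo "OK       $f owned by root"
        fi
    done
    return $rc
}

# Example invocation (assumed common option-file locations):
#   audit_mycnf mysql /etc/my.cnf /etc/mysql/my.cnf /var/lib/mysql/my.cnf
```

A `MISSING` finding marks a path where the quoted advice calls for an unused, root-owned dummy file; a `RISK` finding marks a file whose ownership should be moved away from the database account.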

Pierluigi Paganini
