A security researcher disclosed a critical MySQL zero-day affecting the default configuration of all MySQL versions, including 5.5, 5.6 and 5.7.

The security researcher Dawid Golunski has disclosed a critical zero-day vulnerability affecting the popular relational database management system (RDBMS) MySQL. The researcher decided to disclose the critical flaw because Oracle had failed to release a patch more than 40 days after he reported the zero-day.

Researcher Dawid Golunski discovered several security issues in the MySQL DBMS, including a flaw (CVE-2016-6662) that can be exploited by a remote attacker to inject malicious settings into my.cnf configuration files. The flaw can be triggered to fully compromise the DBMS by executing arbitrary code with root privileges on the server running the vulnerable MySQL instance.

The CVE-2016-6662 vulnerability can be exploited if the attacker has an authenticated connection to the MySQL service (for example, in shared hosting environments), by triggering an SQL injection flaw, a common type of vulnerability in web services that leverage the popular DBMS.

“This advisory focuses on a critical vulnerability with a CVEID of CVE-2016-6662 which can allow attackers to (remotely) inject malicious settings into MySQL configuration files (my.cnf) leading to critical consequences,” reads Golunski’s advisory.

“The vulnerability affects all MySQL servers in default configuration in all version branches (5.7, 5.6, and 5.5) including the latest versions, and could be exploited by both local and remote attackers. Both the authenticated access to MySQL database (via network connection or web interfaces such as phpMyAdmin) and SQL Injection could be used as exploitation vectors.”

The advisory also includes a proof-of-concept MySQL exploit which demonstrates how to trigger the flaw to remotely execute code with root privileges. The researcher has omitted some parts to prevent widespread abuse.

The researcher also disclosed a second vulnerability, tracked as CVE-2016-6663, that could allow the exploitation of the MySQL zero-day even by low-privileged attackers.

The attack works against the default configuration of all MySQL versions, including 5.5, 5.6 and 5.7. The MySQL zero-day vulnerability also affected the MariaDB and PerconaDB databases, which were patched by their vendors by the 30th of August.

Golunski disclosed the MySQL zero-day because the patches released by the PerconaDB and MariaDB developers were made available in public repositories, potentially allowing threat actors to work out the flaw from the fixes and exploit it in the wild.

All users can do is sit and wait for Oracle to release patches. The researcher also suggested some temporary workarounds to mitigate the threat.

“As temporary mitigations, users should ensure that no MySQL config files are owned by MySQL users, and create root-owned dummy my.cnf files that are not in use,” explained the expert. “These are by no means a complete solution and users should apply official vendor patches as soon as they become available.”
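The following POSIX shell helper turns the two temporary mitigations quoted above into a check an administrator can run on a server: it reports MySQL config files owned by the MySQL OS user or writable by everyone, and can create the root-owned placeholder files. This is an added example, not code from the advisory or from the MySQL project; the list of config paths and the `mysql` user name are assumptions that should be adjusted to the distribution in use.

```shell
#!/bin/sh
# Audit helper for the CVE-2016-6662 workaround: config files read by mysqld
# should be owned by root and not writable by the mysql OS user.
# Added example; paths below are typical Linux defaults (assumption).
MYCNF_PATHS="/etc/my.cnf /etc/mysql/my.cnf /usr/etc/my.cnf /var/lib/mysql/my.cnf /var/lib/mysql/.my.cnf"

# file_owner PATH -> prints the owning user name (uses ls for portability).
file_owner() {
    ls -ld -- "$1" | awk '{print $3}'
}

# other_writable PATH -> succeeds if the "other" write bit is set (column 9 of ls -l).
other_writable() {
    case "$(ls -ld -- "$1" | cut -c9)" in
        w) return 0 ;;
        *) return 1 ;;
    esac
}

# audit_mycnf MYSQL_USER PATH... -> prints "owned-by-mysql <path>" or
# "world-writable <path>" for each risky file; returns 1 if any were found.
audit_mycnf() {
    user="$1"; shift
    found=0
    for f in "$@"; do
        [ -e "$f" ] || continue      # missing files are covered by create_dummy_mycnf
        if [ "$(file_owner "$f")" = "$user" ]; then
            echo "owned-by-mysql $f"; found=1
        elif other_writable "$f"; then
            echo "world-writable $f"; found=1
        fi
    done
    return $found
}

# create_dummy_mycnf PATH -> creates an empty root-owned 0644 placeholder so the
# mysql user cannot create the file itself. Must be run as root; no-op if present.
create_dummy_mycnf() {
    [ -e "$1" ] && return 0
    : > "$1" && chown root:root "$1" && chmod 0644 "$1"
}

# Audit the real locations; the placeholder step is left to a root operator:
#   for p in $MYCNF_PATHS; do create_dummy_mycnf "$p"; done
audit_mycnf mysql $MYCNF_PATHS && echo "no risky MySQL config files found"
```

The audit only inspects ownership and the world-writable bit; group-writable files owned by a group the mysql user belongs to still need manual review.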

Pierluigi Paganini