MySQL vulnerabilities discovered that give attackers a chance to take over database servers
A Polish security researcher, Dawid Golunski, has discovered two zero-day vulnerabilities, CVE-2016-6662 and CVE-2016-6663, which affect MySQL (all supported branches at the time: 5.5, 5.6 and 5.7, in their default configuration). The flaws allow attackers to gain full control of the database server they are attacking. Both vulnerabilities were reported to Oracle and also to the vendors of the MySQL forks on the market, MariaDB and PerconaDB. Those vendors were notified because their products share the affected MySQL code base.
MariaDB and PerconaDB have already shipped fixes for their products; Oracle has not. The lack of an Oracle fix has not stopped the researcher from publishing a proof-of-concept exploit for CVE-2016-6662. Oracle last released a Critical Patch Update on July 19, 2016, so that update does not cover this issue.
The next scheduled CPU is due on October 18, 2016. Oracle keeps a strict quarterly schedule for its security updates. Golunski said he reported the issue to Oracle on July 29, 2016, which means it has been unfixed since then; the Oracle security team acknowledged receiving the report and triaging it.
PerconaDB and MariaDB patched their own versions by August 30, 2016. The patches first went into public source repositories, and the fixed security issues were noted in the corresponding release announcements, which effectively disclosed the existence of the problem. Forty days after reporting the flaws to the vendors, Golunski decided to publish the vulnerability details so that users could understand the risk they are facing.
CVE-2016-6662 lets attackers inject settings into MySQL configuration files, either remotely or locally, so that the server loads a malicious shared library named in the injected configuration. MySQL servers running in the default configuration are affected, and the injected settings take effect on the first restart of the database that follows the exploitation step.
Database servers are routinely restarted during package updates and system reboots. Golunski also noted that attackers can exploit the flaw with authenticated access to the database over a network connection, through web-based database interfaces such as phpMyAdmin, or via an SQL injection flaw in an application, which lets them deliver the SQL statements that carry out the exploit.
In short, CVE-2016-6662 lets attackers modify the my.cnf file, which means they can make the server load third-party code that then runs with root privileges. The other vulnerability found by Golunski, CVE-2016-6663, has not been made public yet; according to the researcher it also leads to code execution as root.
Oracle's fix will take time to arrive, so users are expected to mitigate the problem themselves in the meantime. As a temporary measure, Golunski recommends making sure that no MySQL configuration file is owned by the mysql user, and creating root-owned dummy my.cnf files in the configuration locations that are not in use, so that the mysql service account cannot create them.
Golunski also said that users should apply the vendor patches as soon as they become available.
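The ownership check from the temporary workaround above, as an added shell script that is not part of the article or of Golunski's advisory: it walks the configuration locations mysqld reads, flags files the mysql account owns or can write, flags locations it could create (the data directory being the important one, since mysqld reads DATADIR/my.cnf), and implements the root-owned dummy-file hardening. The variable names MYSQL_USER, MYSQL_DATADIR and MYSQL_CONF_PATHS, and the script name mysql_conf_audit.sh, are assumptions made here; the default paths are the usual locations MySQL 5.x reads on Linux.

```shell
#!/bin/sh
# Audit of the MySQL config file locations for the condition CVE-2016-6662
# relies on: a config file that the mysql service account owns, can write,
# or can create. Added example for this article; it is not code from the
# article or from Golunski's advisory. MYSQL_USER, MYSQL_DATADIR and
# MYSQL_CONF_PATHS are assumed knobs so the checks can be pointed at test
# paths; the defaults are the usual locations MySQL 5.x reads on Linux.

MYSQL_USER="${MYSQL_USER:-mysql}"
MYSQL_DATADIR="${MYSQL_DATADIR:-/var/lib/mysql}"
MYSQL_CONF_PATHS="${MYSQL_CONF_PATHS:-/etc/my.cnf /etc/mysql/my.cnf /usr/etc/my.cnf $MYSQL_DATADIR/my.cnf $HOME/.my.cnf}"

# file_owner PATH: print the owning user name (GNU stat, BSD stat fallback).
file_owner() {
    stat -c '%U' "$1" 2>/dev/null || stat -f '%Su' "$1"
}

# file_mode PATH: print the permission bits in octal, e.g. 644.
file_mode() {
    stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"
}

# check_conf_file PATH
# Exit status 0 when the location is safe, 1 when it is not (a finding is
# printed). Unsafe means: the file is owned by the mysql user, is group- or
# world-writable, or does not exist but sits in a directory the mysql user
# owns (the data directory is such a place). In each case mysqld can write
# the file, and mysqld_safe will honour whatever it contains, such as a
# malloc_lib line naming a shared library, on the next restart.
check_conf_file() {
    f="$1"
    if [ ! -e "$f" ]; then
        d=$(dirname "$f")
        if [ -d "$d" ] && [ "$(file_owner "$d")" = "$MYSQL_USER" ]; then
            echo "FINDING: $f is absent, but $d is owned by $MYSQL_USER, who can create it"
            return 1
        fi
        return 0
    fi
    owner=$(file_owner "$f")
    mode=$(file_mode "$f")
    rc=0
    if [ "$owner" = "$MYSQL_USER" ]; then
        echo "FINDING: $f is owned by $owner (the mysql service account)"
        rc=1
    fi
    # 022 (octal) masks the group-write and other-write bits. mysqld ignores a
    # world-writable config file, but it does read a group-writable one.
    if [ $(( 0$mode & 022 )) -ne 0 ]; then
        echo "FINDING: $f is group- or world-writable (mode $mode)"
        rc=1
    fi
    return $rc
}

# harden_conf_path PATH
# The advisory's workaround: make sure a root-owned, non-writable file occupies
# the location so the mysql user cannot create or rewrite it. chown needs root;
# when run unprivileged the file keeps its creator as owner.
harden_conf_path() {
    f="$1"
    [ -e "$f" ] || : > "$f" || return 1
    chmod 0644 "$f" || return 1
    if [ "$(id -u)" -eq 0 ]; then
        chown root:root "$f" || return 1
    fi
    check_conf_file "$f"
}

# audit_mysql_configs: check every configured location; exit 1 if any fails.
audit_mysql_configs() {
    failed=0
    for f in $MYSQL_CONF_PATHS; do
        check_conf_file "$f" || failed=1
    done
    return $failed
}

# Run the audit when executed directly as mysql_conf_audit.sh (assumed file
# name); when the file is sourced, only the functions are defined.
case "$0" in
    */mysql_conf_audit.sh|mysql_conf_audit.sh) audit_mysql_configs ;;
esac
```

Run it as root (`sh mysql_conf_audit.sh`) so the ownership of files under /etc and the data directory is visible; a non-zero exit status means at least one finding was printed. This only closes the write-the-config path the flaw depends on; it does not replace the vendor patch.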