Greetings,
I'd like to inform all of you about a critical root level privilege
escalation vulnerability in MariaDB. This was fixed in version 10.1.21
[1], released on 2017-01-19, and placed into the book at r18201 [3] by
me this morning.
================================================================================
RECOMMENDED ACTION
================================================================================
The BLFS team urges you to update to MariaDB-10.1.21 as soon as
possible. The root level privilege escalation can be triggered remotely.
Dawid at LegalHackers has published a separate advisory at [4], along
with a Proof of Concept exploit and a video showing how it is used at
[5]. Chained with another vulnerability in a public facing server, the
impact is far more severe than it would otherwise be: root level access
on a server allows destruction of data and compromise of the system as a
whole, and the video at [5] demonstrates exactly that. Update to
MariaDB-10.1.21 on all systems as soon as possible. The vulnerability
stems from unsafe error handling around the log files, which makes a
symlink attack on them possible.
================================================================================
TECHNICAL INFORMATION
================================================================================
Description: MariaDB is an open-source replacement for MySQL, and is
maintained by the same community.
Versions affected: All versions prior to 10.1.21 (including the ones in
BLFS 7.10 stable)
Date Reported: 2017-01-19
BLFS Ticket: #8770 [2] (Resolved at r18201 [3])
Severity: URGENT / CRITICAL
CVE Identifiers: CVE-2016-6664 (critical zero day), CVE-2017-3238,
CVE-2017-3243, CVE-2017-3244, CVE-2017-3257, CVE-2017-3258,
CVE-2017-3265, CVE-2017-3291, CVE-2017-3312, CVE-2017-3317,
CVE-2017-3318
================================================================================
IMPACTS
================================================================================
- Root Level Privilege Escalation
- Unknown (2017 CVEs)
================================================================================
VULNERABILITY INFORMATION (CVE Identifiers, Impacts, and Descriptions)
================================================================================
CVE-2016-6664: mysqld_safe in MariaDB before 10.1.21, when using
file-based logging, allows local users with access to the mysql account
to gain root level privileges via a symlink attack on error logs and
possibly other files. Once root, the user can install a backdoor and
compromise the whole system. This can be done remotely by a number of
means, and is especially dangerous in combination with vulnerabilities
in PHP and httpd; one example is shown in the video at [5]. An exploit
was also added to exploit-db.com at [6].
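As an added illustration for administrators (this script is not part of the advisory, of BLFS, or of MariaDB), the two checks below cover the defender's side of the problem described above: whether an installed version falls under the advisory's "all versions prior to 10.1.21" rule, and whether the path mysqld_safe would write its error log to is already a symlink or sits in a world-writable directory where one could be planted. The log path passed to errlog_check is assumed to be whatever is configured as the error log; the file names and directories in the demo are constructed in a temporary directory.

```shell
#!/bin/sh
# Added example, not part of the BLFS advisory or of MariaDB itself.
# Two defender-side checks for the CVE-2016-6664 class of problem: a symlink
# planted at the path where mysqld_safe will write its error log.
# Assumption: the argument to errlog_check is the configured error-log path.

# Print FIXED if the version is 10.1.21 or later, VULNERABLE otherwise.
# The advisory's rule ("all versions prior to 10.1.21") is applied literally;
# trailing suffixes such as "-MariaDB" are ignored.
mariadb_status() {
    set -- $(printf '%s\n' "$1" | tr -c '0-9\n' ' ')
    major=${1:-0}; minor=${2:-0}; patch=${3:-0}
    if [ "$major" -gt 10 ] \
       || { [ "$major" -eq 10 ] && [ "$minor" -gt 1 ]; } \
       || { [ "$major" -eq 10 ] && [ "$minor" -eq 1 ] && [ "$patch" -ge 21 ]; }
    then
        echo FIXED
    else
        echo VULNERABLE
    fi
}

# Classify the error-log path before the server is (re)started:
#   SYMLINK       a link sits at the path; an append would follow it elsewhere
#   WRITABLE-DIR  the directory is world-writable, so a link could be planted
#   OK            a regular or absent file in a directory others cannot write to
errlog_check() {
    path=$1
    dir=$(dirname "$path")
    if [ -L "$path" ]; then
        echo SYMLINK
    elif [ "$(ls -ld "$dir" | cut -c9)" = "w" ]; then   # column 9: other-write bit
        echo WRITABLE-DIR
    else
        echo OK
    fi
}

# Stand-alone demonstration on constructed files in a temporary directory.
demo() {
    t=$(mktemp -d)
    touch "$t/mariadb.err"                   # ordinary log file
    ln -s "$t/mariadb.err" "$t/planted.err"  # link standing in for a planted one
    mkdir "$t/open" && chmod 777 "$t/open"   # world-writable log directory
    echo "10.1.20          -> $(mariadb_status 10.1.20)"
    echo "10.1.21-MariaDB  -> $(mariadb_status 10.1.21-MariaDB)"
    echo "mariadb.err      -> $(errlog_check "$t/mariadb.err")"
    echo "planted.err      -> $(errlog_check "$t/planted.err")"
    echo "open/x.err       -> $(errlog_check "$t/open/x.err")"
    rm -rf "$t"
}
demo
```

Run it as the user that starts the server; a SYMLINK or WRITABLE-DIR result on the real log path is worth fixing before updating, since the update stops mysqld_safe following the link but does not remove a link already in place.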
================================================================================
FURTHER NOTES
================================================================================
- The 2017 CVEs are all marked as reserved at MITRE. A later version
of this advisory may be released when those are available. Hence, the
2016 CVE is the only one with a description above.
- The Root Level Privilege Escalation does have an exploit (and a
video publicly detailing how to use it) available.
================================================================================
LINKS
================================================================================
[1] https://mariadb.com/kb/en/mariadb/mariadb-10121-release-notes/
[2] http://wiki.linuxfromscratch.org/blfs/ticket/8770
[3] http://wiki.linuxfromscratch.org/blfs/changeset/18291
[4] http://legalhackers.com/advisories/MySQL-Maria-Percona-RootPrivEsc-CVE-2016-6664-5617-Exploit.html
[5] https://legalhackers.com/videos/MySQL-MariaDB-PerconaDB-PrivEsc-Race-CVE-2016-6663-5616-6664-5617-Exploits.html
[6] https://www.exploit-db.com/exploits/40679/
Thank you,
--
Douglas R. Reno
--LFS/BLFS systemd maintainer
--
http://lists.linuxfromscratch.org/listinfo/blfs-dev