After Apple, cybersecurity researchers have now uncovered two zero-day vulnerabilities in the biggest open-source database management application, MySQL. These vulnerabilities can allow hackers to inject malicious code and take over your databases. This vulnerability could prove fatal for most businesses whose data is connected and stored in one or the other databases.
The zero-day vulnerabilities, CVE-2016-6662 and CVE-2016-6663, uncovered by independent Polish security researcher Dawid Golunski affects all of the currently supported versions of the software. It not only affects the default configuarations of MySQL, but other database vendors, MariaDB and PerconaDB, who’ve used MySQL engine in the past as well.
The vulnerabilties can be exploited by both local and remote attackers, but they do require authentication access to the MySQL database via a direct network connection or web interfaces such as phpMyAdmin.
The CVE-2016-6662 vulnerabilty is a privilege escalation flaw which puts the web apps at critical risk by making it possible to execute a successful SQL injection. The attackers can then use this backdoor to inject malicious settings into MySQL configuration files, my.cnf, and gain root priviliges to the database. This gives them the power to completely compromise a server.
Golunski expands his theory to say that, only MySQL servers that are running default configurations are affected by the problem, and activate after the first database restarts after the exploitation step. The data servers are rebooted in such a case, and the attacker gains access to it. Thus, one should change their settings and setup custom login credentials right away.
He also put forth a limited part of a proof-of-concept (PoC) code to demonstrate his claims, and give Oracle to act steadily before he outs the complete PoC code to the public. The huge security(which some people believe, it isn’t) was first reported to software maker Oracle and other vendors on 29th July and was accepted by the security team.
But, the third-party vendors have already patched the aforementioned vulnerabilities by the beginning of this month. While, the software provider, Oracle has reportedly failed to patch the security hole in the 40 days since the crucial exploitable vulnerability has been exposed.
As over 40 days have passed since reporting the issues and patches were already mentioned publicly, a decision was made to start disclosing vulnerabilities (with limited PoC) to inform users about the risks before the vendor’s next CPU update that only happens at the end of October,
adds Golunski in the blogpost.
Until Oracle provides a complete fix to the vulnerabilities, he has also suggested some temporary mitigations for keeping the servers safe. Though these fixes will just be temporary, one should apply the update patches once they’re made available.
As temporary mitigations, users should ensure that no MySQL config files are owned by mysql user, and create root-owned dummy my.cnf files that are not in use
There is still no concrete word from Oracle, but we expect the company to patch the duo of zero-day vulnerabilities in the security patch set to release next month, on October 18th.