A Critical MySQL Zero-Day Vulnerability Uncovered!
As you know MySQL, is the most popular Open Source SQL database management system, is developed, distributed, and supported by Oracle Corporation.
Unfortunately, two critical MySQL zero-day vulnerabilities have been discovered in the world’s 2nd most popular database management software MySQL that could allow an attacker to take full control over a database.
Do you know what is “A zero day vulnerability” refers to ?
As a MYSQL Security DBA, let me explain, a zero day vulnerability refers to a hole in software that is unknown to the vendor. This security hole is then exploited by hackers before the vendor becomes aware and hurries to fix it—this exploit is called a zero day attack.
Polish security researcher Dawid Golunski has discovered two zero-days, CVE-2016-6662 and CVE-2016-6663, that affect all currently supported MySQL versions. However, seems that MariaDB and Percona DB had fixed the vulnerabilities, but Oracle had not published anything so far.
The vulnerability “CVE-2016-6662″ can be exploited by hackers to inject malicious settings into MySQL configuration files (my.cnf/my.ini) .
The researcher also warned that the vulnerability could be exploited even if SELinux or AppArmor Linux kernel security module is enabled with default active policies for MySQL service on the major Linux distributions.
As you probably know, a lot of companies including Facebook, Google, Adobe, Alcatel Lucent and Zappos rely on MySQL to save time and money powering their high-volume Web sites, business-critical systems and packaged software.”
How attackers exploit “A MySQL zero day vulnerability”?
Attackers can exploit your MySQL server vulnerability after gaining access to the database server in one of these two ways :
1. By obtaining an authenticated access to your MySQL database
Database user login details can be stolen in many ways by attackers. Accounts with easy and insecure passwords can be accessed via network connection or web interfaces such as phpMyAdmin.
2. Attack via SQL Injections directly to your MySQL database
Web applications such as PHP and ASP (Windows) are vulnerable to SQL injections. It is a code injection technique in which SQL statements are inserted into the code and database information is leaked by the attackers.
Once an access is gained to a database user account, attackers can execute remote code in the server. This code allows them to gain root access after a service restart.
This is known as privilege escalation and once root privilege is gained, attackers can do just about anything in your servers. That’s why this exploit is considered a critical one.
By abusing MySQL logging functions, attackers can bypass security restrictions to do the following hacks:
1. Many servers that are not secured properly, may have config files owned by ‘mysql’ user instead of root user. Hackers can inject malicious settings into such configuration files.
2. These Hackers can even create entirely new configuration files with malignant parameters in some directories such as the MySQL data folder, which is writable by the ‘mysql’ user.
3. Privilege escalation renders attackers with MySQL admin privilege and thus enables them to modify the config files, even if the initially accessed account has only basic file permissions.
How To Solve this Zero-Day Exploits That can Hack Your database?
Until Oracle finds a solution and fixes the problem in its next releases, the researcher suggests some temporary mitigations for keeping the servers safe.
“As temporary mitigations, users should ensure that no MySQL config files are owned by mysql user, and create root-owned dummy my.cnf files that are not in use. ”
What does that mean? It means that you have to make sure that the owner of “my.cnf/my.ini (Windows)” is either “root” or “administrator”
While these temporary mitigations are just workarounds, Golunski suggests that as soon as the vendor patches are available, the users should apply them.
Here is what you can do:
- Examine the server and ensure that mysql config files are owned by root user and not ‘mysql’ user.
- Always scan your MySQL Server for vulnerabilities.
- Also, it is advisable to keep a copy of this my.cnf in MySQL folders to prevent hackers from creating new config files.
- To change the ownership of MySQL config file in a Linux server, use the command:
chown root.root /etc/my.cnf
Until Oracle fixes the problem in its next CPU, you can implement some temporary mitigations, proposed by the researcher, for protecting your servers.
While zero-day vulnerabilities cannot be prevented, acting immediately to apply the fix and patch is crucial to avoid a catastrophic business downtime.