SecurityWeek
Critical MySQL Zero-Day Exposes Servers to Attacks

A security researcher has decided to disclose a critical zero-day vulnerability in the MySQL open-source database software after Oracle failed to release a patch in more than 40 days after being informed of its existence.

Researcher Dawid Golunski reported finding several serious issues in MySQL, including a flaw that can be exploited by remote attackers to inject malicious settings into my.cnf configuration files. The weakness can be leveraged for arbitrary code execution with root privileges, which can lead to the server running MySQL getting completely compromised.

The vulnerability, tracked as CVE-2016-6662, can be exploited by an attacker who can authenticate to the MySQL database, either over a network connection or through a web interface such as phpMyAdmin. It can also be exploited through a SQL injection attack, in which case no direct connection to the database is required.

Another, still undisclosed MySQL vulnerability found by the researcher, identified as CVE-2016-6663, makes this zero-day easy to exploit even by low-privileged attackers.

According to Golunski, the attack works against the default configuration of all MySQL branches, including 5.5, 5.6 and 5.7. Exploitation is possible even if Linux security modules such as AppArmor and SELinux are installed.

The vulnerability also affects MariaDB and PerconaDB, but the developers of these database systems addressed the issue in late August. Oracle was notified about the bug on July 29, but it has yet to release a patch.

Golunski has decided to disclose the vulnerability because the patches released by PerconaDB and MariaDB developers were made available in public repositories, potentially allowing malicious actors to start exploiting the weakness.

The researcher has also published some proof-of-concept (PoC) code. Until Oracle releases patches, he has advised users to apply some temporary workarounds.


“As temporary mitigations, users should ensure that no MySQL config files are owned by MySQL users, and create root-owned dummy my.cnf files that are not in use,” the expert wrote in his advisory. “These are by no means a complete solution and users should apply official vendor patches as soon as they become available.”
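The two temporary mitigations quoted from the advisory (no MySQL option file owned by the MySQL service account, and root-owned dummy my.cnf files at unused locations) can be checked with a small audit script. The following is an added example written for this article, not code from Golunski's advisory or from SecurityWeek. It assumes the MySQL default option-file locations on Linux (/etc/my.cnf, /etc/mysql/my.cnf and /usr/etc/my.cnf, the latter being SYSCONFDIR on many builds), a service account named `mysql` (override with the MYSQL_USER environment variable), and either GNU or BSD `stat`; the function names and the MISSING/WRITABLE/OK labels are this example's own.

```shell
#!/bin/sh
# Added example (not part of the advisory or the article): audit the option
# files MySQL reads by default, flag any owned by the MySQL service account,
# and pre-create root-owned dummy files at locations that are currently unused.
# Assumptions: default Unix option-file paths, service account "mysql".

MYSQL_USER="${MYSQL_USER:-mysql}"

# Option-file locations MySQL consults by default on Unix (assumed list;
# extend it with any --defaults-file or $MYSQL_HOME path your deployment uses).
default_cnf_paths() {
    printf '%s\n' /etc/my.cnf /etc/mysql/my.cnf /usr/etc/my.cnf
}

# Print the owner of a file. GNU stat (Linux) first, BSD stat (macOS) as fallback.
file_owner() {
    stat -c '%U' "$1" 2>/dev/null || stat -f '%Su' "$1"
}

# owned_by PATH USER: exit 0 if PATH exists and is owned by USER, 1 otherwise.
owned_by() {
    if [ ! -e "$1" ]; then
        return 1
    fi
    [ "$(file_owner "$1")" = "$2" ]
}

# audit_cnf USER PATH...: print one status line per path and return the number
# of files owned by USER (0 means nothing to fix). Missing paths are reported as
# candidates for a root-owned dummy file, per the advisory's second mitigation.
audit_cnf() {
    user=$1
    shift
    bad=0
    for f in "$@"; do
        if [ ! -e "$f" ]; then
            echo "MISSING  $f (create a root-owned dummy here)"
        elif owned_by "$f" "$user"; then
            echo "WRITABLE $f is owned by $user: re-own it (chown root:root) and review its contents"
            bad=$((bad + 1))
        else
            echo "OK       $f owned by $(file_owner "$f")"
        fi
    done
    return $bad
}

# create_dummy PATH: create an empty, mode 0644 placeholder at PATH if nothing
# exists there. Run as root in production so the file is root-owned; the
# parent directory must already exist (exit 1 otherwise).
create_dummy() {
    if [ -e "$1" ]; then
        return 0
    fi
    dir=$(dirname "$1")
    if [ ! -d "$dir" ]; then
        return 1
    fi
    : > "$1" && chmod 644 "$1"
}

# Stand-alone usage: audit the default locations. The "||" keeps a non-zero
# finding count from aborting a caller that runs with "set -e".
audit_cnf "$MYSQL_USER" $(default_cnf_paths) \
    || echo "Found $? option file(s) owned by $MYSQL_USER; fix before relying on this mitigation."
```

To apply the second mitigation, call `create_dummy` as root for every path the audit reports as MISSING; the placeholder is intentionally empty so it changes nothing in the server's effective configuration while occupying the path.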

Oracle’s next Critical Patch Update (CPU) is scheduled for October 18. SecurityWeek has reached out to the company for clarifications and will update this article if representatives respond.

Written By

Eduard Kovacs (@EduardKovacs) is a managing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.
