How to fix ‘MySQL Remote Root Code Execution’ / ‘Privilege Escalation’ (zero day) vulnerability – CVE-2016-6662
On Sep 12th, Dawid Golunski announced CVE-2016-6662, aka the MySQL Remote Root Code Execution / Privilege Escalation (0-day) vulnerability.
CVE-2016-6662 is reported as a critical vulnerability that can allow local and remote attackers to execute arbitrary code with root privileges on a vulnerable MySQL server.
Attackers can thus gain full access to the compromised server, steal confidential information such as credit card details, or tamper with website contents.
The majority of websites are database-driven, and most of them use MySQL servers. As a result, an exploit that involves MySQL-based database servers can affect a vast number of sites.
How attackers exploit CVE-2016-6662 – MySQL Remote Root Code Execution / Privilege Escalation bug
Attackers can exploit this server vulnerability after gaining access to the database server in one of these two ways:
1. By obtaining authenticated access to a MySQL database
Database user login details can be stolen by attackers in many ways. Accounts with weak, insecure passwords can be accessed over a network connection or through web interfaces such as phpMyAdmin.
2. Via SQL injection
Web applications written in languages such as PHP and ASP can be vulnerable to SQL injection, a code injection technique in which SQL statements are inserted through application input so that database information is leaked to the attackers.
Once access to a database user account is gained, attackers can execute remote code on the server. This code allows them to gain root access after a service restart.
This is known as privilege escalation, and once root privilege is gained, attackers can do anything on your servers. That is why this exploit is considered a critical one.
By abusing MySQL logging functions, attackers can bypass security restrictions in the following ways:
1. Many servers that are not secured properly may have config files owned by the ‘mysql’ user instead of root. Hackers can inject malicious settings into such configuration files.
2. Hackers can even create entirely new configuration files with malicious parameters in directories such as the MySQL data directory, which is writable by the ‘mysql’ user.
3. Privilege escalation gives attackers MySQL admin privileges and thus enables them to modify the config files, even if the initially accessed account had only basic file permissions.
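The two weak points listed above, config files the ‘mysql’ user can write to and a config file dropped into the data directory, are easy to audit from the shell. The script below is an added example written for this page, not code from the Bobcares post or from the advisory. It assumes a Linux host with GNU coreutils (`stat -c`); the config paths and the default data directory `/var/lib/mysql` are assumptions, so adjust them to match your distribution.

```shell
#!/bin/sh
# Added example (not from the Bobcares post): audit a MySQL host for the
# conditions described above, i.e. config files writable by the 'mysql'
# user and a my.cnf placed inside the data directory.
# Assumptions: Linux with GNU coreutils (`stat -c`); the config file paths
# and data directory below are typical defaults, not taken from the post.

# Return 0 when FILE grants no write bit to group or others.
cnf_mode_ok() {
    perms=$(stat -c %a "$1") || return 1
    g=$(( perms / 10 % 10 ))   # group permission digit
    o=$(( perms % 10 ))        # other permission digit
    [ $(( g & 2 )) -eq 0 ] && [ $(( o & 2 )) -eq 0 ]
}

# Return 0 when FILE is owned by OWNER (default: root).
cnf_owner_ok() {
    owner=$(stat -c %U "$1") || return 1
    [ "$owner" = "${2:-root}" ]
}

# Return 0 when DATADIR contains a config file mysqld would read on restart.
datadir_has_cnf() {
    [ -e "$1/my.cnf" ] || [ -e "$1/.my.cnf" ]
}

# Walk the usual config locations plus the data directory; print one line
# per finding and return the number of findings (0 means nothing flagged).
audit_mysql_config() {
    datadir=${1:-/var/lib/mysql}   # assumed default data directory
    findings=0
    for f in /etc/my.cnf /etc/mysql/my.cnf /etc/my.cnf.d/*.cnf /etc/mysql/conf.d/*.cnf; do
        [ -e "$f" ] || continue
        if ! cnf_owner_ok "$f"; then
            echo "WARN: $f is not owned by root (owner: $(stat -c %U "$f"))"
            findings=$(( findings + 1 ))
        fi
        if ! cnf_mode_ok "$f"; then
            echo "WARN: $f is group- or world-writable (mode $(stat -c %a "$f"))"
            findings=$(( findings + 1 ))
        fi
    done
    if datadir_has_cnf "$datadir"; then
        echo "WARN: config file present in data directory $datadir"
        findings=$(( findings + 1 ))
    fi
    return "$findings"
}
```

Run it as `audit_mysql_config /path/to/datadir` after sourcing the file; a non-zero exit status means at least one finding was printed. Any config file that is not owned by root, or that the ‘mysql’ user can write to, should be corrected before the next service restart, since a restart is what turns an injected setting into code running as root.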
Are your servers vulnerable to MySQL Remote Root Code Execution (CVE-2016-6662)?
CVE-2016-6662 belongs to the category of zero-day vulnerabilities, which means that the affected software vendor isn't aware of the vulnerability being exploited, so everyone who uses that software is vulnerable to an attack.
Unlike other kinds of attacks, defending against a zero-day attack is harder because no official patch or notification is available from the vendor.
The MySQL Remote Root Code Execution / Privilege Escalation vulnerability affects servers running the following database server versions:
MySQL server versions (including the latest):
5.7.15
5.6.33
5.5.52
Since PerconaDB and MariaDB database servers are based on MySQL, servers running those products are also prone to this vulnerability.
Bobcares provides Outsourced Hosting Support for online businesses. Our services include Outsourced Web Hosting Support, Outsourced Server Support, Outsourced Help Desk Support, Outsource Live Chat Support and Phone Support Services.