MySQL zero-day exploit

A vulnerability in the MySQL database server has been identified that allows an attacker who can run SQL on the server (for example through a SQL injection flaw or a compromised database account holding the FILE privilege) to inject malicious settings into, and thereby modify, MySQL configuration files (my.cnf), leading to compromise of the server.

Severity

High

CVE Number

This issue has been assigned CVE-2016-6662.

Impacted Servers

The vulnerability affects MySQL servers in their default configuration across all supported version branches (5.5, 5.6, and 5.7), including the latest releases at the time of this advisory, as well as the MySQL-derived databases MariaDB and Percona Server.

The locations from which MySQL reads option files, in the order they are read:

  • /etc/my.cnf, global options
  • /etc/mysql/my.cnf, global options
  • SYSCONFDIR/my.cnf, global options (SYSCONFDIR is set when MySQL is built)
  • $MYSQL_HOME/my.cnf, server-specific options (server only)
  • defaults-extra-file, the file named with --defaults-extra-file, if any
  • ~/.my.cnf, user-specific options

Note: Not all of these configuration files will exist on any given system. A --defaults-extra-file may not be referenced at all, depending on how the server is started. Any of these locations that is writable by the account mysqld runs as is a target for this attack.

Recommended actions

Below are the current recommended actions for system administrators. We will provide more action items as we investigate this issue further.

  • Apply the patched packages from Debian or Ubuntu as soon as they are available for your release.
  • Create dummy my.cnf files in every location MySQL reads from that does not already contain one. SELECT ... INTO OUTFILE cannot overwrite an existing file, so a pre-existing root-owned file in each location closes that write path.
  • Ensure all my.cnf files are owned by root and writable only by root (they must remain readable by the account mysqld runs as).
  • Ensure all my.cnf files are made immutable with chattr +i. The flag must be cleared (chattr -i) before any legitimate edit, and it does not stop an attacker who has already obtained root.
  • Put a checksum integrity scanner in place for all my.cnf files and run it frequently, comparing the files against checksums recorded at a known-good time and stored where the mysql account cannot write.
  • Restrict incoming traffic to the MySQL server to port 3306 from trusted hosts only, and restrict outgoing traffic from the server to what it genuinely needs. The outgoing restriction is the important one here: it limits an attacker's ability to obtain a remote shell through a connection initiated from the server.
  • Review MySQL user permissions on the server and remove the File, Trigger, Grant, and/or Super privileges from users that do not require them. To list the current holders, in the "mysql" database:
    • SELECT * FROM db WHERE trigger_priv='Y' OR grant_priv='Y';
    • SELECT * FROM user WHERE trigger_priv='Y' OR grant_priv='Y' OR file_priv='Y' OR super_priv='Y';
  • Where your mysqld_safe supports it, restrict the directories from which startup libraries may be loaded (the malloc_dirs list in mysqld_safe) so that a library uploaded by an attacker cannot be used.
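The file-related steps above (placeholder my.cnf files, root-only write access, a checksum baseline and a recurring check), scripted as an added example. This is not code from the advisory, from MySQL or from any distribution. It assumes a Linux host with GNU coreutils (sha256sum, stat) and e2fsprogs (chattr); ROOT is an optional path prefix so the script can be rehearsed in a scratch directory; MYSQL_HOME and MYSQL_USER_HOME are assumed, site-specific defaults, and SYSCONFDIR/my.cnf or any --defaults-extra-file path must be appended to mycnf_paths by the operator. The scan_cnf check goes slightly beyond the list above: besides flagging group/other-writable files it reports any malloc-lib directive in a config file, since that is the setting the malloc_dirs restriction governs.

```shell
#!/bin/sh
# Added example, not from the advisory: create placeholder my.cnf files,
# lock down their permissions, record a SHA-256 baseline and verify it.
# Assumptions: Linux with GNU coreutils (sha256sum, stat) and e2fsprogs
# (chattr); ROOT is an optional prefix for rehearsing in a scratch dir;
# MYSQL_HOME and MYSQL_USER_HOME are assumed defaults to adjust per host.
set -u

ROOT="${ROOT:-}"                                      # e.g. ROOT=/tmp/dryrun
MYSQL_HOME="${MYSQL_HOME:-/usr/local/mysql}"          # assumed default
MYSQL_USER_HOME="${MYSQL_USER_HOME:-/var/lib/mysql}"  # assumed home of the mysqld account

# Locations from the advisory's list (paths without whitespace assumed).
# Append SYSCONFDIR/my.cnf and any --defaults-extra-file path for your build.
mycnf_paths() {
    printf '%s\n' \
        "$ROOT/etc/my.cnf" \
        "$ROOT/etc/mysql/my.cnf" \
        "$ROOT$MYSQL_HOME/my.cnf" \
        "$ROOT$MYSQL_USER_HOME/.my.cnf"
}

# Create a root-owned, non-writable placeholder where no my.cnf exists.
# SELECT ... INTO OUTFILE refuses to overwrite an existing file, so a
# root-owned file in every location closes that write path. Existing files
# keep their content; only group/other write bits are removed.
create_dummy_cnf() {
    f="$1"
    mkdir -p "$(dirname "$f")"
    if [ ! -e "$f" ]; then
        printf '# placeholder created by hardening script; keep root-owned\n' > "$f"
        chmod 0644 "$f"        # mysqld must still be able to read it
    else
        chmod go-w "$f"
    fi
    [ "$(id -u)" -eq 0 ] && chown root:root "$f"
    return 0
}

# Optional: make the files immutable. Clear with chattr -i before a
# legitimate edit. This does not stop an attacker who already has root.
make_immutable() {
    for f in "$@"; do
        chattr +i "$f" || echo "WARN: chattr +i failed on $f" >&2
    done
}

# Record a SHA-256 baseline ("hash  path" per line) for the given files.
# On a real host keep the baseline file root-owned and outside datadir.
record_baseline() {
    baseline="$1"; shift
    mkdir -p "$(dirname "$baseline")"
    sha256sum "$@" > "$baseline"
}

# Return 0 only if every baselined file still exists with the same hash.
verify_baseline() {
    sha256sum --check --quiet --strict "$1"
}

# Return 0 only if no file carries a malloc-lib directive (the setting the
# malloc_dirs restriction governs) and none is writable by group or other.
scan_cnf() {
    rc=0
    for f in "$@"; do
        if grep -Eiq '^[[:space:]]*malloc[-_]lib[[:space:]]*=' "$f"; then
            echo "ALERT: malloc-lib directive in $f" >&2; rc=1
        fi
        m=$(stat -c %a "$f")
        case "$m" in ????) m=${m#?};; esac   # drop setuid/setgid/sticky digit
        case "$m" in
            ?[2367]?|??[2367]) echo "ALERT: $f writable by group/other" >&2; rc=1;;
        esac
    done
    return $rc
}

# One shot: placeholders and permissions for every location, then the
# baseline. Argument: path of the baseline file to write.
harden_all() {
    for f in $(mycnf_paths); do create_dummy_cnf "$f"; done
    record_baseline "$1" $(mycnf_paths)
}
```

On a real host run harden_all as root with a root-owned baseline path, then make_immutable $(mycnf_paths) if you want the chattr step, and schedule verify_baseline together with scan_cnf $(mycnf_paths) from cron so a modified or newly writable file is reported quickly. Re-run record_baseline only after a deliberate, reviewed configuration change.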

More information