Oracle, are you there? We need you!

Dawid Golunski, a Polish security researcher, discovered several security issues in the MySQL DBMS, including a vulnerability (CVE-2016-6662) that can be exploited by a remote attacker to inject malicious settings into my.cnf configuration files.

The vulnerability affects all currently supported MySQL versions as well as MariaDB and PerconaDB.

The vulnerability can be exploited via an SQL injection attack, or by an attacker with valid credentials, either locally or over the Web via phpMyAdmin:

“A successful exploitation could allow attackers to execute arbitrary code with root privileges which would then allow them to fully compromise the server on which an affected version of MySQL is running”

Golunski has also published a proof-of-concept exploit code:

https://gist.github.com/andreafortuna/7c6e6d8aa936ef459fdbd9298b77452e

More technical information is available in the official advisory.

Patching?

From Golunski’s advisory:

The vulnerability was reported to Oracle on 29th of July 2016 and triaged by the security team. It was also reported to the other affected vendors including PerconaDB and MariaDB.

The vulnerabilities were patched by PerconaDB and MariaDB vendors by the end of 30th of August. During the course of the patching by these vendors the patches went into public repositories and the fixed security issues were also mentioned in the new releases which could be noticed by malicious attackers.

As over 40 days have passed since reporting the issues and patches were already mentioned publicly, a decision was made to start disclosing vulnerabilities (with limited PoC) to inform users about the risks before the vendor's next CPU update that only happens at the end of October.

No official patches or mitigations are available at this time from the vendor. As temporary mitigations, users should ensure that no mysql config files are owned by mysql user, and create root-owned dummy my.cnf files that are not in use. These are by no means a complete solution and users should apply official vendor patches as soon as they become available.

References

http://legalhackers.com/advisories/MySQL-Exploit-Remote-Root-Code-Execution-Privesc-CVE-2016-6662.html