Protect against MySQL vulnerability CVE-2016-6662
OverviewOn September 12, 2016, a security vulnerability affecting all current versions of MySQL and its various vendors: Oracle, Percona Server, and MariaDB. The vulnerability, numbered CVE-2016-6662, allows an attacker to override the MySQL config file with various settings for the next time MySQL is restarted. If an attacker can load custom code on the server, it is possible for MySQL to load that code as a shared dynamic library by utilizing the --malloc-lib option in the mysqld_safe script. The attack vector requires several pieces to be in place:
- Config files must be writeable by the MySQL User.
- The attacker must be able to inject code in the config files MySQL reads at startup by overwriting the the location of the general_log.
- To run custom code, the script that manages the mysqld process must allow loading dynamic libraries. Specifically, this is the --malloc-lib option allowed by mysqld_safe.
Secure your application against SQL InjectionThis vulnerability really only has merit to attackers that have remote or local access directly to your MySQL server, or through SQL Injection in the application. You can follow the recommended steps at the end of our post on SQL Injection to harden against such attacks.
Does this vulnerability affect AWS RDS?Some are wondering if this vulnerability affects any flavor of Amazon's RDS. In general, the attack relies on the ability to enable the general_log file to inject configuration text into a file MySQL recognizes as a config file. But RDS removes the ability to set global variables by users, requiring changes to be made via parameter groups. The general_log_file parameter is not modifiable.
A word of cautionWhile CVE-2016-6662 specifically targets MySQL-writeable configuration files and the ability to create files on the server with FILE permissions, the author provides a word of caution that implies there will be additional requirements to protect against this type of attack:
# Full PoC will be released at a later date, and will show how attackers could # exploit the vulnerability on default installations of MySQL on systems with no # writable my.cnf config files available. # # The upcoming advisory CVE-2016-6663 will also make the exploitation trivial # for certain low-privileged attackers that do not have FILE privilege.