The most severe of the vulnerabilities, CVE-2016-6664, is rated “High/Critical” and could allow attackers to escalate their privileges to root user.

Legal Hackers researcher Dawid Golunski spotted a pair of MySQL vulnerabilities that, if combined, could allow low-privileged local database users to escalate their privileges to the root system account and fully compromise the server.

The most dangerous of the two vulnerabilities, CVE-2016-6664, is rated “High/Critical” and could allow attackers who have already gained access to MySQL systems to fully compromise the system by escalating their privileges to root user, according to a Nov. 1 blog post.

The vulnerability affects MySQL versions 5.5.51, 5.6.32, and 5.7.14; all current versions of MariaDB; Percona Server versions 5.5.51-38.2, 5.6.32-78-1, and 5.7.14-8; and Percona XtraDB Cluster versions 5.6.32-25.17, 5.7.14-26.17, and 5.5.41-37.0.

The second vulnerability, CVE-2016-6663, is rated “Critical” and could allow a low-privileged local system user with access to the affected database to escalate their privileges and execute arbitrary code as the database system, according to a separate Nov. 1 blog post.

This bug also affects similar versions of MySQL, MariaDB, Percona Server, and Percona XtraDB.

“A successful exploitation would allow the attacker to gain access to 'mysql' system account which would grant them access to all data stored within the affected database,” Golunski told SC Media via emailed comments. “No special tools are required except for the PoC exploit code included in my advisory to exploit the issue.”

It's important to note, he added, that although the CVE-2016-6664 vulnerability cannot be exploited on its own, it can be chained with CVE-2016-6663 to escalate privileges on the system from MySQL to root user, which would allow full compromise of the system on which a vulnerable database is hosted.

“It is also worth noting that the vulnerability could easily be exploited in shared hosting environments in which every user has only got access to their individual database,” Golunski said.

The researcher reported both of the vulnerabilities to Oracle security in July 2016 and said that the flaws were fixed in the latest Oracle critical patch update. MariaDB and PerconaDB have also been patched, with the exception of CVE-2016-6664 in MariaDB, which was postponed until the next set of planned releases.

MariaDB released a Nov. 2 advisory concerning both flaws and urging users to upgrade to the most recent versions to protect against the attacks.

“This is a good reminder that along with deploying the key cyber security tools such as advanced malware detection and mitigation, it's essential that organizations commit to the basics, including programmatic, regular patch program for servers, applications and other infrastructure in the data center,” Lastline CMO Bert Rankin told SC Media via emailed comments. “Vulnerabilities such as this bug are potential dangers only to those organizations that aren't on top of their database updates - but it's amazing how many aren't.”