Bug 1386564 (CVE-2016-5617, CVE-2016-6664)
| Summary: | CVE-2016-5617 mysql: insecure error log file handling in mysqld_safe (CPU Oct 2016) | ||
|---|---|---|---|
| Product: | [Other] Security Response | Reporter: | Adam Mariš <amaris> |
| Component: | vulnerability | Assignee: | Red Hat Product Security <security-response-team> |
| Status: | CLOSED ERRATA | QA Contact: | |
| Severity: | medium | Docs Contact: | |
| Priority: | medium | ||
| Version: | unspecified | CC: | apevec, ayoung, byte, chrisw, cvsbot-xmlrpc, databases-maint, dciabrin, fdinitto, hhorak, jjoyce, jorton, jschluet, jstanek, kbasil, lhh, lpeer, markmc, mbayer, mburns, mmuzila, mschorm, praiskup, rbryant, sclewis, slinaber, srevivo, tdecacqu |
| Target Milestone: | --- | Keywords: | Security |
| Target Release: | --- | ||
| Hardware: | All | ||
| OS: | Linux | ||
| Whiteboard: | |||
| Fixed In Version: | mysql 5.5.52, mysql 5.6.33, mysql 5.7.15 | Doc Type: | If docs needed, set a value |
| Doc Text: |
A flaw was found in the way the mysqld_safe script handled creation of error log file. The mysql operating system user could use this flaw to escalate their privileges to root.
|
Story Points: | --- |
| Clone Of: | Environment: | ||
| Last Closed: | 2019-06-08 03:00:28 UTC | Type: | --- |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | Category: | --- | |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | |||
| Bug Depends On: | 1386607, 1386608, 1386609, 1458933, 1463415, 1463416, 1463417, 1463418 | ||
| Bug Blocks: | 1375204, 1386598 | ||
|
Description
Adam Mariš
2016-10-19 09:03:13 UTC
Created mariadb tracking bugs for this issue: Affects: fedora-all [bug 1386608] Created community-mysql tracking bugs for this issue: Affects: fedora-all [bug 1386607] Created mariadb-galera tracking bugs for this issue: Affects: fedora-all [bug 1386609] This issue has been addressed in the following products: Red Hat Software Collections for Red Hat Enterprise Linux 6 Red Hat Software Collections for Red Hat Enterprise Linux 6.6 EUS Red Hat Software Collections for Red Hat Enterprise Linux 6.7 EUS Red Hat Software Collections for Red Hat Enterprise Linux 7 Red Hat Software Collections for Red Hat Enterprise Linux 7.1 EUS Red Hat Software Collections for Red Hat Enterprise Linux 7.2 EUS Via RHSA-2016:2130 https://rhn.redhat.com/errata/RHSA-2016-2130.html References: http://seclists.org/fulldisclosure/2016/Nov/4 Further details of this issue are now available. The problem is an insecure handling (owner and permissions setting) of error log file in mysqld_safe, which allows mysql system user to escalate their privileges to root system user. Additionally, it was reported that two duplicate ids were assigned for this issue - CVE-2016-6664 and CVE-2016-5617. External References: https://legalhackers.com/advisories/MySQL-Maria-Percona-RootPrivEsc-CVE-2016-6664-5617-Exploit.txt MariaDB upstream blog post about CVE-2016-6663 and CVE-2016-6664, also explaining why they haven't fixed CVE-2016-6664 yet. https://mariadb.com/resources/blog/update-security-vulnerabilities-cve-2016-6663-and-cve-2016-6664-related-mariadb This issue is not relevant for MySQL and MariaDB packages for Red Hat Enterprise Linux 7. mysqld_safe started from the init scripts (systemd service units) is not run under root user, but runs as mysql user, hence not allowing mysql -> root privilege escalation. Additionally, the init script for the rh-mariadb101 collection for Red Hat Enterprise Linux 7 does not use mysqld_safe at all. On Red Hat Enterprise Linux 7, this could only be an issue if mysqld_safe is run manually by the system administrator instead of using init scripts included in the packages. The published exploit does not work against the default configuration of mysql, mysql55-mysql and mariadb55-mariadb packages for Red Hat Enterprise Linux 5 and 6, as those packages are configured to store the error log file in the /var/log directory. As that is a root-owned directory not writable to the mysql user, mysql user can not replace the file with a symlink to a different file. However, mysql user can bypass that restriction by changing the log file location via a $datadir/my.cnf file. This issue has been addressed in the following products: Red Hat Software Collections for Red Hat Enterprise Linux 6 Red Hat Software Collections for Red Hat Enterprise Linux 6.7 EUS Red Hat Software Collections for Red Hat Enterprise Linux 7 Red Hat Software Collections for Red Hat Enterprise Linux 7.1 EUS Red Hat Software Collections for Red Hat Enterprise Linux 7.2 EUS Via RHSA-2016:2749 https://rhn.redhat.com/errata/RHSA-2016-2749.html The MySQL upstream fix did not completely address this issue and had multiple problems that were corrected in versions 5.5.54, 5.6.35, and 5.7.17: http://dev.mysql.com/doc/relnotes/mysql/5.5/en/news-5-5-54.html http://dev.mysql.com/doc/relnotes/mysql/5.6/en/news-5-6-35.html http://dev.mysql.com/doc/relnotes/mysql/5.7/en/news-5-7-17.html via the following commits: https://github.com/mysql/mysql-server/commit/1f93f4381b60e3a8012ba36a4dec920416073759 https://github.com/mysql/mysql-server/commit/53230ba274a37fa13d65e802c6ef3766cd0c6d91 https://github.com/mysql/mysql-server/commit/c8f0eeb9c8596be83fefb7fef9f9871e53edb020 Problems corrected include: - log-error setting was not restricted and allowed creation of arbitrary files even without performing symlink attack as described in comment 7. - Protection against symlink attack was racy, making it easy to bypass. - Existing symlinks were still used even though they were not chowned/chmoded after the original fix. That could lead to file corruption, at least. Updated fixes effectively disable all logging to file in mysqld_safe it it's running as root. MariaDB upstream corrected this issue in version 5.5.54: https://mariadb.com/kb/en/mariadb/mariadb-5554-release-notes/ via the following commit: https://github.com/MariaDB/server/commit/8fcdd6b0ecbb966f4479856efe93a963a7a422f7 To avoid incompletely fixing this issue or breaking mysqld_safe logging, the above commit introduces new logging helper program - mysqld_safe_helper. Log messages are piped to the helper program, which drops privileges before opening log file and copying its standard input to the log file. MariaDB upstream also fixed this issue in version 10.0.29: https://mariadb.com/kb/en/mariadb/mariadb-10029-release-notes/ (In reply to Tomas Hoger from comment #15) > The MySQL upstream fix did not completely address this issue and had > multiple problems That original fix is part of this commit: https://github.com/mysql/mysql-server/commit/684a165f28b3718160a3e4c5ebd18a465d85e97c which also corrects CVE-2016-6662. It checks if $err_log is symlink before using touch / chmod / chown on it. This issue has been addressed in the following products: Red Hat Enterprise Linux 7 Via RHSA-2017:2192 https://access.redhat.com/errata/RHSA-2017:2192 This issue has been addressed in the following products: Red Hat Software Collections for Red Hat Enterprise Linux 6 Red Hat Software Collections for Red Hat Enterprise Linux 6.7 EUS Red Hat Software Collections for Red Hat Enterprise Linux 7 Red Hat Software Collections for Red Hat Enterprise Linux 7.3 EUS Red Hat Software Collections for Red Hat Enterprise Linux 7.4 EUS Via RHSA-2018:0279 https://access.redhat.com/errata/RHSA-2018:0279 This issue has been addressed in the following products: Red Hat Software Collections for Red Hat Enterprise Linux 6 Red Hat Software Collections for Red Hat Enterprise Linux 6.7 EUS Red Hat Software Collections for Red Hat Enterprise Linux 7 Red Hat Software Collections for Red Hat Enterprise Linux 7.3 EUS Red Hat Software Collections for Red Hat Enterprise Linux 7.4 EUS Via RHSA-2018:0574 https://access.redhat.com/errata/RHSA-2018:0574 |