Bug 1414429 (CVE-2017-3291)

Summary: CVE-2017-3291 mysql: unrestricted mysqld_safe's ledir (CPU Jan 2017)
Product: [Other] Security Response
Reporter: Tomas Hoger <thoger>
Component: vulnerability
Assignee: Red Hat Product Security <security-response-team>
Status: CLOSED ERRATA
Severity: medium
Priority: medium
Version: unspecified
CC: apevec, avibelli, ayoung, chrisw, cvsbot-xmlrpc, databases-maint, dciabrin, duge, gsterlin, hhorak, jbalunas, jjoyce, jorton, jschluet, jshepherd, kbasil, kvolny, lhh, lpeer, markmc, mbayer, mburns, mmuzila, mschorm, rbryant, rrajasek, sclewis, slinaber, srevivo, tdecacqu, thoger, tjay, tkirby
Keywords: Security
Hardware: All
OS: Linux
Doc Type: If docs needed, set a value
Doc Text:
It was discovered that the mysqld_safe script honored the ledir option value set in a MySQL configuration file. A user able to modify one of the MySQL configuration files could use this flaw to escalate their privileges to root.
Last Closed: 2018-03-21 14:51:03 UTC
Bug Depends On: 1445517, 1445518, 1445533, 1445534, 1458933, 1463415, 1463416, 1463417, 1463418
Bug Blocks: 1414362

Description Tomas Hoger 2017-01-18 13:30:49 UTC
It was discovered that mysqld_safe could read the ledir value - which specifies the directory where mysqld is stored - from a configuration file.  This could allow a user with privileges to write to some mysql configuration file - either the mysql OS user, or any local OS user able to write to the config some other way, e.g. by exploiting CVE-2016-6662 - to escalate their privileges to root if mysqld_safe was run with root privileges.

This problem is related to this change applied as part of the CVE-2016-6662 fix:

https://github.com/mysql/mysql-server/commit/684a165f28b3718160a3e4c5ebd18a465d85e97c#diff-144aa2f11374843c969d96b7b84247eaR211

It introduced a restriction that the mysqld and mysqld_version options can only be specified on the command line and cannot be defined in a configuration file.  However, such a restriction was trivial to bypass while ledir was not restricted in a similar way.

A restriction for ledir was added in MySQL versions 5.5.54, 5.6.35, and 5.7.17.  The following related entry can be found in the release notes:

  The --ledir option now is accepted only on the command line, not in
  option files.

http://dev.mysql.com/doc/relnotes/mysql/5.5/en/news-5-5-54.html
http://dev.mysql.com/doc/relnotes/mysql/5.6/en/news-5-6-35.html
http://dev.mysql.com/doc/relnotes/mysql/5.7/en/news-5-7-17.html

MySQL upstream commit:

https://github.com/mysql/mysql-server/commit/53230ba274a37fa13d65e802c6ef3766cd0c6d91#diff-144aa2f11374843c969d96b7b84247ea

The CVE was made public via Oracle CPU January 2017:

http://www.oracle.com/technetwork/security-advisory/cpujan2017-2881727.html#AppendixMSQL
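
The following audit script is an added example, not part of this bug report or of the MySQL project's own code. It scans MySQL option files for the mysqld_safe settings that the description says must be accepted only on the command line (ledir, plus the earlier-restricted mysqld and mysqld_version), which is exactly what a hardened mysqld_safe refuses to honour and what an administrator would want to find in a writable my.cnf. The function names, the section names checked ([mysqld_safe] and its old alias [safe_mysqld]) and the sample configuration are assumptions constructed for the example.

```shell
#!/bin/sh
# Added example (not from the bug report or from MySQL): audit option files
# for mysqld_safe settings that, after the CVE-2017-3291 fix, are honoured
# only on the command line: ledir, mysqld, mysqld-version.

# audit_mysqld_safe_options FILE
# Prints every offending "FILE:LINE: text" and returns 1 if any was found,
# 0 if the file is clean.  Option names are normalised so that
# "mysqld-version" and "mysqld_version" are treated alike, as MySQL does.
audit_mysqld_safe_options() {
    awk '
        /^[ \t]*[#;]/ { next }                  # comment line
        /^[ \t]*\[/ {                           # [section] header
            sect = $0
            sub(/].*/, "", sect)                # drop "]" and anything after it
            gsub(/[[ \t]/, "", sect)            # drop "[" and blanks
            next
        }
        sect == "mysqld_safe" || sect == "safe_mysqld" {
            key = $0
            sub(/^[ \t]*/, "", key)             # leading blanks
            sub(/[ \t]*(=.*)?$/, "", key)       # "= value" and trailing blanks
            gsub(/-/, "_", key)                 # hyphen and underscore are equivalent
            if (key == "ledir" || key == "mysqld" || key == "mysqld_version") {
                printf "%s:%d: %s\n", FILENAME, NR, $0
                found = 1
            }
        }
        END { exit (found ? 1 : 0) }
    ' "$1"
}

# audit_option_files FILE...
# Audits every readable file given (e.g. /etc/my.cnf, /etc/my.cnf.d/*.cnf,
# ~mysql/.my.cnf) and returns 1 if any of them is not clean.
audit_option_files() {
    status=0
    for f in "$@"; do
        [ -r "$f" ] || continue
        audit_mysqld_safe_options "$f" || status=1
    done
    return $status
}

# Demonstration on a constructed sample file (not a real configuration):
# a normal server section followed by a [mysqld_safe] section that sets
# two of the command-line-only options.
sample=$(mktemp)
cat >"$sample" <<'EOF'
[mysqld]
datadir=/var/lib/mysql
socket=/var/lib/mysql/mysql.sock

[mysqld_safe]
log-error=/var/log/mysqld.log
pid-file=/var/run/mysqld/mysqld.pid
ledir = /tmp/bin
mysqld-version = foo
EOF
if audit_option_files "$sample"; then
    echo "no command-line-only mysqld_safe options found"
else
    echo "option file sets mysqld_safe options that must come from the command line"
fi
rm -f "$sample"
```

Running the audit from a cron job or a configuration-management check catches the precondition of this issue before mysqld_safe is next started; on the fixed versions the options are ignored anyway, but their presence in a file a non-root user can write still points at a tampered configuration.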

Comment 2 Adam Mariš 2017-01-18 13:40:43 UTC
Created mariadb tracking bugs for this issue:

Affects: fedora-all [bug 1414387]

Comment 3 Adam Mariš 2017-01-18 13:40:55 UTC
Created community-mysql tracking bugs for this issue:

Affects: fedora-all [bug 1414386]

Comment 4 Tomas Hoger 2017-01-19 13:58:14 UTC
This issue has very limited impact on the MySQL and MariaDB packages included in Red Hat Enterprise Linux 7 and Red Hat Software Collections for Red Hat Enterprise Linux 7, as the mysqld_safe used to start the MySQL or MariaDB database is run by systemd with mysql OS user privileges.  Therefore, it does not allow mysql -> root privilege escalation.  It may only allow local users different from mysql to escalate their privileges to the mysql OS user if they are able to write to one of the my.cnf files (e.g. by exploiting the CVE-2016-6662 issue).

On Red Hat Enterprise Linux 6, privilege escalation to root is possible.  A prerequisite is that an attacker needs to have mysql OS user privileges, or the ability to modify my.cnf.

Comment 5 Tomas Hoger 2017-02-03 10:23:39 UTC
According to Oracle, this CVE also covers an insecure path use in mysqld_safe.

This code tries to find the my_print_defaults command:

https://github.com/mysql/mysql-server/blob/mysql-5.6.34/scripts/mysqld_safe.sh#L466

It first tries relative to $MY_BASEDIR_VERSION, which can be set to $PWD:

https://github.com/mysql/mysql-server/blob/mysql-5.6.34/scripts/mysqld_safe.sh#L402

If root runs mysqld_safe while their $PWD is /tmp, arbitrary code controlled by some unprivileged local (not necessarily mysql) user can be executed.

Note that this issue is not exploitable when the root user runs the mysqld init script while their working directory is /tmp, as the init script used in Red Hat MySQL packages explicitly specifies --basedir when running mysqld_safe.

The issue was fixed upstream in:

https://github.com/mysql/mysql-server/commit/53230ba274a37fa13d65e802c6ef3766cd0c6d91#diff-144aa2f11374843c969d96b7b84247eaL397
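
As an added example, not part of this report or of upstream mysqld_safe: the pre-start check a wrapper or init script can apply before invoking mysqld_safe as root. It mirrors the fallback comment 5 describes (no base directory given, so $PWD is used) and then refuses any base directory that is relative, missing, or reachable through a world-writable component such as /tmp, which is what the Red Hat init script avoids by always passing --basedir. The function names and the trust policy are assumptions made for the example.

```shell
#!/bin/sh
# Added example (not from the bug report or from MySQL): validate the
# directory mysqld_safe will treat as its base directory before it is
# used, as a root-run wrapper or init script would.  Assumed policy: the
# directory must be absolute, exist, and have no world-writable component
# between it and /.

# basedir_is_trusted DIR
# Returns 0 if DIR is an absolute, existing directory whose every path
# component (after resolving symlinks) denies write access to "other".
# /tmp fails even with the sticky bit: any user can create bin/ under it,
# which is where the unpatched script would look for my_print_defaults.
basedir_is_trusted() {
    case $1 in
        /*) ;;
        *)  echo "basedir '$1' rejected: not an absolute path" >&2; return 1 ;;
    esac
    real=$(cd "$1" 2>/dev/null && pwd -P) || {
        echo "basedir '$1' rejected: not an accessible directory" >&2
        return 1
    }
    p=$real
    while :; do
        # "ls -ld" prints e.g. "drwxrwxrwt ..." for /tmp; column 9 is other-write.
        if [ "$(ls -ld "$p" | cut -c9)" = "w" ]; then
            echo "basedir '$1' rejected: '$p' is world-writable" >&2
            return 1
        fi
        if [ "$p" = "/" ]; then break; fi
        p=$(dirname "$p")
    done
    return 0
}

# select_basedir [EXPLICIT_BASEDIR]
# Reproduces the fallback described in comment 5 (no --basedir given, so
# the current directory is used) and then applies the trust check, so that
# "cd /tmp && mysqld_safe" is refused instead of silently searching
# /tmp/bin.  Prints the accepted directory on success.
select_basedir() {
    candidate=${1:-$PWD}
    basedir_is_trusted "$candidate" || return 1
    printf '%s\n' "$candidate"
}

# Demonstration on constructed inputs; nothing here starts a server.
for d in / "$PWD" /tmp relative/path; do
    if base=$(select_basedir "$d"); then
        echo "accepted: $base"
    else
        echo "refused: $d"
    fi
done
```

In a real init script the accepted value is what gets passed as --basedir, and the refusal path should abort the start rather than fall back to the current directory, since the fallback is the behaviour the issue is about.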

Comment 10 errata-xmlrpc 2017-08-01 19:43:55 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7

Via RHSA-2017:2192 https://access.redhat.com/errata/RHSA-2017:2192

Comment 11 errata-xmlrpc 2017-09-21 07:47:21 UTC
This issue has been addressed in the following products:

  Red Hat Software Collections for Red Hat Enterprise Linux 6
  Red Hat Software Collections for Red Hat Enterprise Linux 6.7 EUS
  Red Hat Software Collections for Red Hat Enterprise Linux 7
  Red Hat Software Collections for Red Hat Enterprise Linux 7.3 EUS

Via RHSA-2017:2787 https://access.redhat.com/errata/RHSA-2017:2787

Comment 12 errata-xmlrpc 2017-10-12 07:59:04 UTC
This issue has been addressed in the following products:

  Red Hat Software Collections for Red Hat Enterprise Linux 6
  Red Hat Software Collections for Red Hat Enterprise Linux 6.7 EUS
  Red Hat Software Collections for Red Hat Enterprise Linux 7
  Red Hat Software Collections for Red Hat Enterprise Linux 7.3 EUS

Via RHSA-2017:2886 https://access.redhat.com/errata/RHSA-2017:2886

Comment 16 errata-xmlrpc 2018-02-06 11:00:40 UTC
This issue has been addressed in the following products:

  Red Hat Software Collections for Red Hat Enterprise Linux 6
  Red Hat Software Collections for Red Hat Enterprise Linux 6.7 EUS
  Red Hat Software Collections for Red Hat Enterprise Linux 7
  Red Hat Software Collections for Red Hat Enterprise Linux 7.3 EUS
  Red Hat Software Collections for Red Hat Enterprise Linux 7.4 EUS

Via RHSA-2018:0279 https://access.redhat.com/errata/RHSA-2018:0279

Comment 19 errata-xmlrpc 2018-03-21 14:02:41 UTC
This issue has been addressed in the following products:

  Red Hat Software Collections for Red Hat Enterprise Linux 6
  Red Hat Software Collections for Red Hat Enterprise Linux 6.7 EUS
  Red Hat Software Collections for Red Hat Enterprise Linux 7
  Red Hat Software Collections for Red Hat Enterprise Linux 7.3 EUS
  Red Hat Software Collections for Red Hat Enterprise Linux 7.4 EUS

Via RHSA-2018:0574 https://access.redhat.com/errata/RHSA-2018:0574

Comment 20 Tomas Hoger 2018-03-21 14:51:21 UTC
Acknowledgments:

Name: Red Hat Product Security