Bug 882606 (CVE-2012-5613)

Summary: CVE-2012-5613 mysql: database privilege escalation using FILE privilege
Product: [Other] Security Response Reporter: Huzaifa S. Sidhpurwala <huzaifas>
Component: vulnerabilityAssignee: Red Hat Product Security <security-response-team>
Status: CLOSED NOTABUG QA Contact:
Severity: medium Docs Contact:
Priority: medium    
Version: unspecifiedCC: byte, hhorak, jlieskov, redhat, roomojee, tgl
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard: impact=moderate,public=20121201,reported=20121202,source=internet,cvss2=4.6/AV:N/AC:H/Au:S/C:P/I:P/A:P,rhel-5/mysql=new,rhel-6/mysql=new,fedora-all/mysql=new
Fixed In Version: Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2013-01-21 04:17:33 EST Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Bug Depends On:    
Bug Blocks: 882596    

Description Huzaifa S. Sidhpurwala 2012-12-02 02:01:05 EST
A Database User Privilege Elevation was found in MySQL. An attacker with 'FILE'  privilege could use this flaw elevate its permissions to that of the MySQL admin user.

Reference:
http://seclists.org/fulldisclosure/2012/Dec/6

This issue was assigned CVE-2012-5613.
Comment 1 Jan Lieskovsky 2012-12-03 06:28:44 EST
Some other references:
  http://www.openwall.com/lists/oss-security/2012/12/02/3
  http://www.openwall.com/lists/oss-security/2012/12/02/4

--

The issue is disputed:
* CVE-2012-5613:

** DISPUTED **

MySQL 5.5.19 and possibly other versions, and MariaDB 5.5.28a and
possibly other versions, when configured to assign the FILE privilege
to users who should not have administrative privileges, allows remote
authenticated users to gain privileges by leveraging the FILE
privilege to create files as the MySQL administrator. NOTE: the vendor
disputes this issue, stating that this is only a vulnerability when
the administrator does not follow recommendations in the product's
installation documentation. NOTE: it could be argued that this should
not be included in CVE because it is a configuration issue.

--
Comment 2 Huzaifa S. Sidhpurwala 2013-01-21 04:17:33 EST
This is not a security issue. As per MySQL manual:

   * The `FILE' privilege can be abused to read into a database table
     any files that the MySQL server can read on the server host. This
     includes all world-readable files and files in the server's data
     directory.  The table can then be accessed using *Note `SELECT':
     select. to transfer its contents to the client host.

Red Hat recommends not to grant `FILE' privilege to nonadministrative/untrusted
users. Any user that has this privilege can write a file anywhere in the file
system with the privileges of the mysqld. daemon.

Additionally, MySQL provides a --secure-file-priv option that allows to restrict 
all FILE operations to a specific directory.

Closing this bug as a non-issue.

References:
http://dev.mysql.com/doc/refman/5.0/en/privileges-provided.html#priv_file
http://dev.mysql.com/doc/refman/5.0/en/server-system-variables.html#sysvar_secure_file_priv
http://www.openwall.com/lists/oss-security/2012/12/02/4