Bug 1378936 (CVE-2016-5616, CVE-2016-6663) - CVE-2016-5616 CVE-2016-6663 mysql: race condition while setting stats during MyISAM table repair (CPU Oct 2016)
Summary: CVE-2016-5616 CVE-2016-6663 mysql: race condition while setting stats during ...
Status: NEW
Alias: CVE-2016-5616, CVE-2016-6663
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Priority: medium
Severity: medium
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard: impact=moderate,public=20160912,repor...
Keywords: Security
Duplicates: 1386562
Depends On: 1393306 1393309 1393313 1393314 1397309 1397310 1429974 1429975
Blocks: 1375204 1386598
 
Reported: 2016-09-23 14:35 UTC by Tomas Hoger
Modified: 2019-05-02 21:51 UTC (History)
CC List: 38 users

A race condition was found in the way MySQL performed MyISAM engine table repair. A database user with shell access to the server running mysqld could use this flaw to change permissions of arbitrary files writable by the mysql system user.
Clone Of:
Last Closed:




External Trackers
Tracker ID Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2016:2131 normal SHIPPED_LIVE Important: mariadb55-mariadb security update 2016-11-01 02:23:20 UTC
Red Hat Product Errata RHSA-2016:2595 normal SHIPPED_LIVE Important: mariadb security and bug fix update 2016-11-03 12:11:21 UTC
Red Hat Product Errata RHSA-2016:2749 normal SHIPPED_LIVE Important: rh-mysql56-mysql security update 2016-11-15 16:29:48 UTC
Red Hat Product Errata RHSA-2016:2927 normal SHIPPED_LIVE Important: rh-mariadb100-mariadb security update 2016-12-08 21:06:06 UTC
Red Hat Product Errata RHSA-2016:2928 normal SHIPPED_LIVE Important: rh-mariadb101-mariadb security update 2016-12-08 21:05:53 UTC
Red Hat Product Errata RHSA-2017:0184 normal SHIPPED_LIVE Important: mysql security update 2017-01-24 16:45:26 UTC

Description Tomas Hoger 2016-09-23 14:35:00 UTC
Dawid Golunski, reporter of CVE-2016-6662 (bug 1375198), mentioned the existence of a privilege escalation vulnerability that should allow a non-privileged database user without FILE permissions to escalate their privileges to database or system administrator.  Quoting from the advisory for CVE-2016-6662:

http://legalhackers.com/advisories/MySQL-Exploit-Remote-Root-Code-Execution-Privesc-CVE-2016-6662.txt

  It could also be combined with CVE-2016-6663 vulnerability which will be released
  shortly and could allow certain attackers to escalate their privileges to root 
  even without FILE privilege.

No further details are available at the moment.

Comment 3 Tomas Hoger 2016-10-25 07:57:12 UTC
This issue is now listed as fixed in MariaDB versions 5.5.52 and 10.1.18:

https://mariadb.com/kb/en/mariadb/mariadb-5552-release-notes/
https://mariadb.com/kb/en/mariadb/mariadb-10118-release-notes/

According to MariaDB upstream, the CVE is for race condition issue fixed in this commit:

https://github.com/MariaDB/server/commit/347eeefbfc658c8531878218487d729f4e020805

Corresponding MySQL commit is:

https://github.com/mysql/mysql-server/commit/4e5473862e6852b0f3802b0cd0c6fa10b5253291

and it was applied in MySQL versions 5.5.52, 5.6.33, and 5.7.15.

Comment 4 Tomas Hoger 2016-10-25 08:00:03 UTC
We also believe that Oracle decided to assign a duplicate CVE ID for this issue: CVE-2016-5616, tracked via bug 1386562.

Also see bug 1386562 comment 4 for information on how this issue is mitigated by the default configuration of MySQL/MariaDB packages as shipped in Red Hat products.

Comment 6 errata-xmlrpc 2016-10-31 22:24:05 UTC
This issue has been addressed in the following products:

  Red Hat Software Collections for Red Hat Enterprise Linux 6
  Red Hat Software Collections for Red Hat Enterprise Linux 6.6 EUS
  Red Hat Software Collections for Red Hat Enterprise Linux 6.7 EUS
  Red Hat Software Collections for Red Hat Enterprise Linux 7
  Red Hat Software Collections for Red Hat Enterprise Linux 7.1 EUS
  Red Hat Software Collections for Red Hat Enterprise Linux 7.2 EUS

Via RHSA-2016:2131 https://rhn.redhat.com/errata/RHSA-2016-2131.html

Comment 7 Andrej Nemec 2016-11-02 08:57:22 UTC
References:

http://seclists.org/fulldisclosure/2016/Nov/4

Comment 10 errata-xmlrpc 2016-11-03 20:51:28 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7

Via RHSA-2016:2595 https://rhn.redhat.com/errata/RHSA-2016-2595.html

Comment 11 Tomas Hoger 2016-11-03 21:45:54 UTC
(In reply to Tomas Hoger from comment #4)
> We also believe that Oracle decided to assign a duplicate CVE id for this
> issue - CVE-2016-5616 tracked via bug 1386562.

The original flaw reporter has now also confirmed that CVE-2016-5616 is a duplicate ID for the issue that originally got CVE-2016-6663.  His advisory also notes that the setting symbolic-links = 0 (which is used by default in all MySQL and MariaDB packages for Red Hat Enterprise Linux 6 and later) mitigates this issue.

External References:

https://legalhackers.com/advisories/MySQL-Maria-Percona-PrivEscRace-CVE-2016-6663-5616-Exploit.txt

Comment 12 Tomas Hoger 2016-11-03 21:49:48 UTC
*** Bug 1386562 has been marked as a duplicate of this bug. ***

Comment 13 Tomas Hoger 2016-11-03 21:54:24 UTC
(In reply to Tomas Hoger from comment #4)
> Also see bug 1386562 comment 4 for information on how this issue is
> mitigated by the default configuration of MySQL/MariaDB packages as shipped
> in Red Hat products.

Copying the whole text of bug 1386562 comment 4 here, as bug 1386562 was closed as duplicate of this bug.

--

The only change in MyISAM sub-component of MySQL in the listed versions is:

https://github.com/mysql/mysql-server/commit/4e5473862e6852b0f3802b0cd0c6fa10b5253291

To exploit this flaw, an attacker needs to have local shell access on the server running MySQL server, and write access to the data directory used to store database files.  The data directory is normally only writable by the mysql system user, who has full control over database files anyway.

However, the MyISAM engine allows users creating database tables to specify the location where data files are stored using the DATA DIRECTORY and INDEX DIRECTORY clauses of CREATE TABLE.  That way, database files can be stored in any directory writable by a local user.

The DATA DIRECTORY and INDEX DIRECTORY clauses are only applied when mysqld is running with symlink support enabled.  Symlink support is controlled via the symbolic-links configuration directive and the --symbolic-links / --skip-symbolic-links command line options.  The default configuration of all MySQL and MariaDB packages on Red Hat Enterprise Linux 6 and later is to disable symlink support: the symbolic-links=0 setting is used in the default my.cnf.  With this setting, only the mysql system user should be able to exploit this flaw.

The mysql packages on Red Hat Enterprise Linux 5 have symlink support enabled by default; however, Red Hat has recommended disabling symlink support since 2010:

https://rhn.redhat.com/errata/RHSA-2010-0109.html
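
The mitigation above hinges on one server option, and the check that matters is whether symbolic-links is actually off in a group mysqld reads. The following is an added example (not code from this bug, from Red Hat, or from MySQL/MariaDB) that audits an option file offline for that setting. It applies the option-file rules the server uses: only the [mysqld] and [server] groups apply to mysqld, '-' and '_' in option names are interchangeable, skip-symbolic-links and symbolic-links=0/OFF/FALSE both disable the option, and the last occurrence wins. The sample option files are constructed for the demonstration; the function and constant names are this example's own, and !include/!includedir lines are only reported, not followed.

```python
"""Audit a MySQL/MariaDB option file for the symbolic-links setting.

Added example, not part of bug 1378936 or of MySQL/MariaDB itself. It reports
whether the server groups of an option file disable symlink support, which is
the setting that stops CREATE TABLE ... DATA DIRECTORY / INDEX DIRECTORY from
placing MyISAM files outside the data directory.
"""
import re

# Option groups that mysqld itself reads. [mysqld_safe] and [client] do not
# configure the server, so a symbolic-links line there has no effect on it.
SERVER_GROUPS = {"mysqld", "server"}
# Values that turn a boolean option off (compared case-insensitively).
FALSE_VALUES = {"0", "off", "false", "no"}


def _normalize(name):
    """mysqld treats '-' and '_' in option names as equivalent."""
    return name.strip().lower().replace("_", "-")


def symlink_setting(cnf_text):
    """Return (state, evidence, includes).

    state    -- 'disabled', 'enabled', or 'default' (never set in a server group)
    evidence -- the option line that decided the state (None for 'default')
    includes -- !include / !includedir lines, which are NOT followed here
    """
    group = None
    state, evidence, includes = "default", None, []
    for raw in cnf_text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("!"):
            includes.append(line)
            continue
        m = re.match(r"\[(.+)\]$", line)
        if m:
            group = _normalize(m.group(1))
            continue
        if group not in SERVER_GROUPS:
            continue
        key, _, value = line.partition("=")
        key = _normalize(key)
        if key.startswith("loose-"):  # loose- prefix only suppresses unknown-option errors
            key = key[len("loose-"):]
        value = value.strip().strip("\"'").lower()
        if key == "skip-symbolic-links":
            state, evidence = "disabled", raw.strip()
        elif key == "symbolic-links":
            # A bare 'symbolic-links' or a true value enables; a false value disables.
            state = "disabled" if value in FALSE_VALUES else "enabled"
            evidence = raw.strip()
    return state, evidence, includes


# Constructed sample option files (assumed layouts, not real shipped files).
WEAK_CNF = """
[mysqld]
datadir=/var/lib/mysql
symbolic-links=1          # DATA DIRECTORY / INDEX DIRECTORY clauses honoured

[mysqld_safe]
log-error=/var/log/mysqld.log
"""

HARDENED_CNF = """
[mysqld]
datadir=/var/lib/mysql
symbolic-links=0          # clauses ignored; the mitigation described in this bug

[mysqld_safe]
log-error=/var/log/mysqld.log
"""

# Looks hardened at a glance, but the setting sits in a group mysqld ignores.
MISPLACED_CNF = """
[client]
symbolic-links=0

[mysqld]
datadir=/var/lib/mysql
"""

# Disabled in [mysqld], then re-enabled by a later [server] group: last one wins.
OVERRIDDEN_CNF = """
[mysqld]
symbolic-links=0

[server]
symbolic_links=ON
!includedir /etc/my.cnf.d
"""

if __name__ == "__main__":
    for name, text in [("weak", WEAK_CNF), ("hardened", HARDENED_CNF),
                       ("misplaced", MISPLACED_CNF), ("overridden", OVERRIDDEN_CNF)]:
        state, evidence, includes = symlink_setting(text)
        print(f"{name:10s} symlink support: {state:8s} ({evidence})")
        for inc in includes:
            print(f"{'':10s} not followed: {inc}")
```

A 'default' result means the server's built-in default applies, which for the 5.5/5.6 servers this bug covers is symlink support enabled, so treat it as a finding rather than a pass. On a live server the authoritative check is SHOW VARIABLES LIKE 'have_symlink', since command line options and included files can override what the main my.cnf says.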

Comment 23 errata-xmlrpc 2016-11-15 11:30:51 UTC
This issue has been addressed in the following products:

  Red Hat Software Collections for Red Hat Enterprise Linux 6
  Red Hat Software Collections for Red Hat Enterprise Linux 6.7 EUS
  Red Hat Software Collections for Red Hat Enterprise Linux 7
  Red Hat Software Collections for Red Hat Enterprise Linux 7.1 EUS
  Red Hat Software Collections for Red Hat Enterprise Linux 7.2 EUS

Via RHSA-2016:2749 https://rhn.redhat.com/errata/RHSA-2016-2749.html

Comment 27 errata-xmlrpc 2016-12-08 16:06:46 UTC
This issue has been addressed in the following products:

  Red Hat Software Collections for Red Hat Enterprise Linux 6.7 EUS
  Red Hat Software Collections for Red Hat Enterprise Linux 7.3 EUS
  Red Hat Software Collections for Red Hat Enterprise Linux 6
  Red Hat Software Collections for Red Hat Enterprise Linux 7
  Red Hat Software Collections for Red Hat Enterprise Linux 7.2 EUS

Via RHSA-2016:2928 https://rhn.redhat.com/errata/RHSA-2016-2928.html

Comment 28 errata-xmlrpc 2016-12-08 16:12:51 UTC
This issue has been addressed in the following products:

  Red Hat Software Collections for Red Hat Enterprise Linux 6
  Red Hat Software Collections for Red Hat Enterprise Linux 6.7 EUS
  Red Hat Software Collections for Red Hat Enterprise Linux 7
  Red Hat Software Collections for Red Hat Enterprise Linux 7.2 EUS
  Red Hat Software Collections for Red Hat Enterprise Linux 7.3 EUS

Via RHSA-2016:2927 https://rhn.redhat.com/errata/RHSA-2016-2927.html

Comment 29 errata-xmlrpc 2017-01-24 11:46:20 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 6

Via RHSA-2017:0184 https://rhn.redhat.com/errata/RHSA-2017-0184.html

