Bug 1386564 (CVE-2016-5617, CVE-2016-6664) - CVE-2016-5617 mysql: insecure error log file handling in mysqld_safe (CPU Oct 2016)
Summary: CVE-2016-5617 mysql: insecure error log file handling in mysqld_safe (CPU Oct...
Status: CLOSED ERRATA
Alias: CVE-2016-5617, CVE-2016-6664
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
medium
medium
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard: impact=moderate,public=20161019,repor...
Keywords: Security
Depends On: 1386607 1386608 1386609 1458933 1463415 1463416 1463417 1463418
Blocks: 1375204 1386598
TreeView+ depends on / blocked
 
Reported: 2016-10-19 09:03 UTC by Adam Mariš
Modified: 2019-06-11 11:13 UTC (History)
27 users (show)

(edit)
A flaw was found in the way the mysqld_safe script handled creation of error log file. The mysql operating system user could use this flaw to escalate their privileges to root.
Clone Of:
(edit)
Last Closed: 2019-06-08 03:00:28 UTC


Attachments (Terms of Use)


External Trackers
Tracker ID Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2016:2130 normal SHIPPED_LIVE Important: mysql55-mysql security update 2016-10-31 23:52:57 UTC
Red Hat Product Errata RHSA-2016:2749 normal SHIPPED_LIVE Important: rh-mysql56-mysql security update 2016-11-15 16:29:48 UTC
Red Hat Product Errata RHSA-2017:2192 normal SHIPPED_LIVE Moderate: mariadb security and bug fix update 2017-08-01 18:18:36 UTC
Red Hat Product Errata RHSA-2018:0279 normal SHIPPED_LIVE Moderate: rh-mariadb100-mariadb security update 2018-02-06 18:00:11 UTC
Red Hat Product Errata RHSA-2018:0574 None None None 2018-03-21 13:58 UTC

Description Adam Mariš 2016-10-19 09:03:13 UTC
Vulnerability in the MySQL Server component of Oracle MySQL (subcomponent: Server: Error Handling). Supported versions that are affected are 5.5.51 and earlier, 5.6.32 and earlier and 5.7.14 and earlier. Difficult to exploit vulnerability allows low privileged attacker with logon to the infrastructure where MySQL Server executes to compromise MySQL Server. Successful attacks of this vulnerability can result in takeover of MySQL Server.

Reference:

http://www.oracle.com/technetwork/security-advisory/cpuoct2016-2881724.html#AppendixMSQL

Comment 1 Adam Mariš 2016-10-19 09:51:06 UTC
Created mariadb tracking bugs for this issue:

Affects: fedora-all [bug 1386608]

Comment 2 Adam Mariš 2016-10-19 09:51:20 UTC
Created community-mysql tracking bugs for this issue:

Affects: fedora-all [bug 1386607]

Comment 3 Adam Mariš 2016-10-19 09:51:33 UTC
Created mariadb-galera tracking bugs for this issue:

Affects: fedora-all [bug 1386609]

Comment 5 errata-xmlrpc 2016-10-31 19:54:41 UTC
This issue has been addressed in the following products:

  Red Hat Software Collections for Red Hat Enterprise Linux 6
  Red Hat Software Collections for Red Hat Enterprise Linux 6.6 EUS
  Red Hat Software Collections for Red Hat Enterprise Linux 6.7 EUS
  Red Hat Software Collections for Red Hat Enterprise Linux 7
  Red Hat Software Collections for Red Hat Enterprise Linux 7.1 EUS
  Red Hat Software Collections for Red Hat Enterprise Linux 7.2 EUS

Via RHSA-2016:2130 https://rhn.redhat.com/errata/RHSA-2016-2130.html

Comment 6 Andrej Nemec 2016-11-02 08:57:44 UTC
References:

http://seclists.org/fulldisclosure/2016/Nov/4

Comment 7 Tomas Hoger 2016-11-03 22:13:44 UTC
Further details of this issue are now available.  The problem is an insecure handling (owner and permissions setting) of error log file in mysqld_safe, which allows mysql system user to escalate their privileges to root system user.  Additionally, it was reported that two duplicate ids were assigned for this issue - CVE-2016-6664 and CVE-2016-5617.

External References:

https://legalhackers.com/advisories/MySQL-Maria-Percona-RootPrivEsc-CVE-2016-6664-5617-Exploit.txt

Comment 9 Tomas Hoger 2016-11-08 11:44:53 UTC
MariaDB upstream blog post about CVE-2016-6663 and CVE-2016-6664, also explaining why they haven't fixed CVE-2016-6664 yet.

https://mariadb.com/resources/blog/update-security-vulnerabilities-cve-2016-6663-and-cve-2016-6664-related-mariadb

Comment 10 Tomas Hoger 2016-11-08 21:16:32 UTC
This issue is not relevant for MySQL and MariaDB packages for Red Hat Enterprise Linux 7.  mysqld_safe started from the init scripts (systemd service units) is not run under root user, but runs as mysql user, hence not allowing mysql -> root privilege escalation.  Additionally, the init script for the rh-mariadb101 collection for Red Hat Enterprise Linux 7 does not use mysqld_safe at all.

On Red Hat Enterprise Linux 7, this could only be an issue if mysqld_safe is run manually by the system administrator instead of using init scripts included in the packages.

Comment 11 Tomas Hoger 2016-11-09 09:58:24 UTC
The published exploit does not work against the default configuration of mysql, mysql55-mysql and mariadb55-mariadb packages for Red Hat Enterprise Linux 5 and 6, as those packages are configured to store the error log file in the /var/log directory.  As that is a root-owned directory not writable to the mysql user, mysql user can not replace the file with a symlink to a different file.

However, mysql user can bypass that restriction by changing the log file location via a $datadir/my.cnf file.

Comment 12 errata-xmlrpc 2016-11-15 11:31:54 UTC
This issue has been addressed in the following products:

  Red Hat Software Collections for Red Hat Enterprise Linux 6
  Red Hat Software Collections for Red Hat Enterprise Linux 6.7 EUS
  Red Hat Software Collections for Red Hat Enterprise Linux 7
  Red Hat Software Collections for Red Hat Enterprise Linux 7.1 EUS
  Red Hat Software Collections for Red Hat Enterprise Linux 7.2 EUS

Via RHSA-2016:2749 https://rhn.redhat.com/errata/RHSA-2016-2749.html

Comment 15 Tomas Hoger 2017-01-03 10:42:43 UTC
The MySQL upstream fix did not completely address this issue and had multiple problems that were corrected in versions 5.5.54, 5.6.35, and 5.7.17:

http://dev.mysql.com/doc/relnotes/mysql/5.5/en/news-5-5-54.html
http://dev.mysql.com/doc/relnotes/mysql/5.6/en/news-5-6-35.html
http://dev.mysql.com/doc/relnotes/mysql/5.7/en/news-5-7-17.html

via the following commits:

https://github.com/mysql/mysql-server/commit/1f93f4381b60e3a8012ba36a4dec920416073759
https://github.com/mysql/mysql-server/commit/53230ba274a37fa13d65e802c6ef3766cd0c6d91
https://github.com/mysql/mysql-server/commit/c8f0eeb9c8596be83fefb7fef9f9871e53edb020

Problems corrected include:

- log-error setting was not restricted and allowed creation of arbitrary files even without performing symlink attack as described in comment 7.

- Protection against symlink attack was racy, making it easy to bypass.

- Existing symlinks were still used even though they were not chowned/chmoded after the original fix.  That could lead to file corruption, at least.

Updated fixes effectively disable all logging to file in mysqld_safe it it's running as root.

Comment 17 Tomas Hoger 2017-01-03 10:45:56 UTC
MariaDB upstream corrected this issue in version 5.5.54:

https://mariadb.com/kb/en/mariadb/mariadb-5554-release-notes/

via the following commit:

https://github.com/MariaDB/server/commit/8fcdd6b0ecbb966f4479856efe93a963a7a422f7

To avoid incompletely fixing this issue or breaking mysqld_safe logging, the above commit introduces new logging helper program - mysqld_safe_helper.  Log messages are piped to the helper program, which drops privileges before opening log file and copying its standard input to the log file.

Comment 18 Andrej Nemec 2017-01-13 15:56:15 UTC
MariaDB upstream also fixed this issue in version 10.0.29:

https://mariadb.com/kb/en/mariadb/mariadb-10029-release-notes/

Comment 19 Tomas Hoger 2017-02-17 12:02:16 UTC
(In reply to Tomas Hoger from comment #15)
> The MySQL upstream fix did not completely address this issue and had
> multiple problems

That original fix is part of this commit:

https://github.com/mysql/mysql-server/commit/684a165f28b3718160a3e4c5ebd18a465d85e97c

which also corrects CVE-2016-6662.  It checks if $err_log is symlink before using touch / chmod / chown on it.

Comment 24 errata-xmlrpc 2017-08-01 19:41:38 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7

Via RHSA-2017:2192 https://access.redhat.com/errata/RHSA-2017:2192

Comment 25 errata-xmlrpc 2018-02-06 10:58:24 UTC
This issue has been addressed in the following products:

  Red Hat Software Collections for Red Hat Enterprise Linux 6
  Red Hat Software Collections for Red Hat Enterprise Linux 6.7 EUS
  Red Hat Software Collections for Red Hat Enterprise Linux 7
  Red Hat Software Collections for Red Hat Enterprise Linux 7.3 EUS
  Red Hat Software Collections for Red Hat Enterprise Linux 7.4 EUS

Via RHSA-2018:0279 https://access.redhat.com/errata/RHSA-2018:0279

Comment 26 errata-xmlrpc 2018-03-21 13:58:21 UTC
This issue has been addressed in the following products:

  Red Hat Software Collections for Red Hat Enterprise Linux 6
  Red Hat Software Collections for Red Hat Enterprise Linux 6.7 EUS
  Red Hat Software Collections for Red Hat Enterprise Linux 7
  Red Hat Software Collections for Red Hat Enterprise Linux 7.3 EUS
  Red Hat Software Collections for Red Hat Enterprise Linux 7.4 EUS

Via RHSA-2018:0574 https://access.redhat.com/errata/RHSA-2018:0574


Note You need to log in before you can comment on or make changes to this bug.