Bug 1414423 (CVE-2017-3265) - CVE-2017-3265 mysql: unsafe chmod/chown use in init script (CPU Jan 2017)
Summary: CVE-2017-3265 mysql: unsafe chmod/chown use in init script (CPU Jan 2017)
Status: CLOSED ERRATA
Alias: CVE-2017-3265
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Priority: medium
Severity: medium
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard: impact=moderate,public=20170117,repor...
Keywords: Security
Depends On: 1414386 1445537 1445538 1458940 1463411 1463412 1463413 1463414
Blocks: 1414362
 
Reported: 2017-01-18 13:05 UTC by Tomas Hoger
Modified: 2019-06-08 21:43 UTC (History)
Multiple flaws were found in the way the MySQL init script handled initialization of the database data directory and permission setting on the error log file. The mysql operating system user could use these flaws to escalate their privileges to root.
Clone Of:
Last Closed: 2018-03-21 14:49:31 UTC




External Trackers
Tracker ID Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2017:2192 normal SHIPPED_LIVE Moderate: mariadb security and bug fix update 2017-08-01 18:18:36 UTC
Red Hat Product Errata RHSA-2017:2787 normal SHIPPED_LIVE Important: rh-mysql56-mysql security and bug fix update 2017-09-21 11:42:12 UTC
Red Hat Product Errata RHSA-2018:0279 normal SHIPPED_LIVE Moderate: rh-mariadb100-mariadb security update 2018-02-06 18:00:11 UTC
Red Hat Product Errata RHSA-2018:0574 None None None 2018-03-21 14:02 UTC

Description Tomas Hoger 2017-01-18 13:05:49 UTC
Multiple cases of insecure use of chmod and chown were found in the MySQL init script:

- In database directory initialization code:
https://github.com/mysql/mysql-server/blob/mysql-5.6.34/packaging/rpm-oel/mysql.init#L97

- In code handling error log file creation and permission setting:
https://github.com/mysql/mysql-server/blob/mysql-5.6.34/packaging/rpm-oel/mysql.init#L73

The mysql OS user could use these flaws to escalate privileges to root.

Note that the second issue is only exploitable in configurations where the log file is stored in a directory writable by the mysql OS user.  If the log file is stored in the /var/log directory, the mysql user is not able to replace it with a link to some other file.

This issue was fixed in MySQL versions 5.5.54, 5.6.35, and 5.7.17.  The following related entry can be found in the release notes:

  Initialization scripts create the error log file only if the base
  directory is /var/log or /var/lib.

http://dev.mysql.com/doc/relnotes/mysql/5.5/en/news-5-5-54.html
http://dev.mysql.com/doc/relnotes/mysql/5.6/en/news-5-6-35.html
http://dev.mysql.com/doc/relnotes/mysql/5.7/en/news-5-7-17.html

MySQL upstream commit:

https://github.com/mysql/mysql-server/commit/53230ba274a37fa13d65e802c6ef3766cd0c6d91#diff-5fccc3d0e109e8f9ad0653728bd1d975
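The pattern described above, beside one way to harden it, as an added example written for this page (not code from the MySQL or Red Hat init scripts). The function names, the scratch-directory paths and the `allowed_bases` parameter are assumptions made for the demonstration; the upstream fix hard-codes /var/log and /var/lib as the only permitted base directories. chown is left commented out because it needs root, but chmod alone is enough to show that every step follows a symbolic link planted at the log path.

```shell
#!/bin/sh
# Added example, not code from the MySQL or Red Hat init scripts.
# vulnerable_prepare_log: the touch / chown / chmod sequence the report
# describes.  hardened_prepare_log: refuses paths outside an allowed
# base directory and refuses to act on an existing symlink.
# All paths and function names are made up for the demonstration.

# Vulnerable pattern: every step resolves symlinks, so if the mysql user
# can write to dirname("$errlogfile") and plants a link there, the
# target of the link is what gets created, chowned and chmodded.
vulnerable_prepare_log() {
    errlogfile="$1"
    touch "$errlogfile"
    # chown mysql:mysql "$errlogfile"   # omitted: requires root
    chmod 0640 "$errlogfile"
}

# Hardened pattern.  $2 is a space-separated list of base directories
# the log may live under; the upstream fix hard-codes /var/log and
# /var/lib.  It is a parameter here only so the check can be exercised
# in a scratch directory.
hardened_prepare_log() {
    errlogfile="$1"
    allowed_bases="$2"
    logdir=$(dirname "$errlogfile")
    allowed=1
    for base in $allowed_bases; do
        case "$logdir" in
            "$base"|"$base"/*) allowed=0 ;;
        esac
    done
    if [ "$allowed" -ne 0 ]; then
        echo "refusing: $logdir is not under: $allowed_bases" >&2
        return 1
    fi
    if [ -L "$errlogfile" ]; then
        echo "refusing: $errlogfile is a symbolic link" >&2
        return 1
    fi
    if [ ! -e "$errlogfile" ]; then
        # noclobber makes the redirection use O_CREAT|O_EXCL, which fails
        # with EEXIST if a link appears between the test above and here.
        (set -C; : > "$errlogfile") 2>/dev/null || {
            echo "refusing: $errlogfile appeared while creating it" >&2
            return 1
        }
    fi
    [ -f "$errlogfile" ] || return 1
    # chown mysql:mysql "$errlogfile"   # omitted: requires root
    chmod 0640 "$errlogfile"
}
```

The symlink test and the noclobber create only narrow the race; what actually closes it is the base-directory restriction, because a directory the mysql user cannot write to is one where it cannot plant the link in the first place. That is why the comment above stresses that the second issue depends on where the log file lives.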

Comment 2 Tomas Hoger 2017-01-18 13:15:41 UTC
The CVE was made public via Oracle CPU January 2017:

http://www.oracle.com/technetwork/security-advisory/cpujan2017-2881727.html#AppendixMSQL

Comment 3 Adam Mariš 2017-01-18 13:40:15 UTC
Created mariadb tracking bugs for this issue:

Affects: fedora-all [bug 1414387]

Comment 4 Adam Mariš 2017-01-18 13:40:30 UTC
Created community-mysql tracking bugs for this issue:

Affects: fedora-all [bug 1414386]

Comment 5 Tomas Hoger 2017-01-25 13:11:49 UTC
This flaw is in the SysV init script used in upstream RPM packages for Red Hat Enterprise Linux and Oracle Enterprise Linux.  Red Hat MySQL packages do not use the init script from MySQL sources, but include their own init script.  However, these init scripts have a common origin and share this issue.

mysql packages in Red Hat Enterprise Linux 5 and 6 are affected and contain the vulnerable code in /etc/rc.d/init.d/mysqld.

mysql55-mysql packages in Red Hat Enterprise Linux 5 are affected, init script is /etc/rc.d/init.d/mysql55-mysqld.

mariadb packages in Red Hat Enterprise Linux 7 do not include an init script as the system uses systemd.  The affected code can be found in /usr/libexec/mariadb-prepare-db-dir which is run as ExecStartPre script as defined in the mariadb.service systemd unit file.  As all commands executed from the mariadb.service unit are run with mysql OS user privileges, root privilege escalation is not possible.  It would only be possible if the script was manually run by the root user.

rh-mysql56-mysql packages in Red Hat Software Collections for Red Hat Enterprise Linux 6 include the affected code in /opt/rh/rh-mysql56/root/usr/libexec/mysql-prepare-db-dir, which is called by the init script.  Issues were partially addressed in the recent RHSA-2016:2749, which removed recursive chown of the data directory, and added an incomplete symlink check for the error log file.

rh-mysql56-mysql packages in Red Hat Software Collections for Red Hat Enterprise Linux 7 include the same version of the mysql-prepare-db-dir script as is used for Red Hat Enterprise Linux 6.  The script is configured as ExecStartPre in the rh-mysql56-mysqld.service unit file.  However, unlike mariadb packages in Red Hat Enterprise Linux 7, pre-start scripts are run with root privileges rather than mysql user privileges (configured using PermissionsStartOnly=true).

rh-mysql57-mysql packages in Red Hat Software Collections for Red Hat Enterprise Linux 6 and 7 include the affected code in /opt/rh/rh-mysql57/root/usr/libexec/mysql-prepare-db-dir.  The script is run from the rh-mysql57-mysqld init script or the rh-mysql57-mysqld.service systemd unit, and in both cases it's run with mysql user privileges, and therefore root privilege escalation is not possible.

rh-mysql57-mysql packages in Red Hat Software Collections for Red Hat Enterprise Linux 7 include an additional systemd unit - rh-mysql57-mysqld@.service - which runs another pre-start script - /opt/rh/rh-mysql57/root/usr/bin/mysqld_pre_systemd.  The script is run with root privileges, and contains similar vulnerable code for creating and setting permissions on the error log file.  However, this unit file does not properly set the environment before running mysqld, causing it to fail to run.  Therefore, the unit file is very unlikely to be used.

rh-mariadb100-mariadb packages in Red Hat Software Collections for Red Hat Enterprise Linux 6 and 7 include the vulnerable code in /opt/rh/rh-mariadb100/root/usr/libexec/mysql-prepare-db-dir.  The script is run from the rh-mariadb100-mariadb init script or rh-mariadb100-mariadb.service systemd unit.  On Red Hat Enterprise Linux 6, the script is run with root privileges, but it's run with mysql privileges on Red Hat Enterprise Linux 7.  Therefore, privilege escalation is only possible on Red Hat Enterprise Linux 6.

rh-mariadb101-mariadb packages in Red Hat Software Collections for Red Hat Enterprise Linux 6 and 7 include the vulnerable code in /opt/rh/rh-mariadb101/root/usr/libexec/mysql-prepare-db-dir.  The script is run from the rh-mariadb101-mariadb init script or rh-mariadb101-mariadb.service and rh-mariadb101-mariadb@.service systemd units.  Similarly to the rh-mariadb100 collection, the script is only run with root privileges on Red Hat Enterprise Linux 6, making only that version vulnerable to the privilege escalation issue.

mariadb-galera packages in Red Hat Enterprise Linux OpenStack Platform 5 for Red Hat Enterprise Linux 6 include the vulnerable code in the /etc/rc.d/init.d/mysqld init script and are affected by this problem.

mariadb-galera packages in Red Hat Enterprise Linux OpenStack Platform 5, 6, 7, 8, 9, and 10 for Red Hat Enterprise Linux 7 include the vulnerable code in /usr/libexec/mariadb-prepare-db-dir, which is run as pre-start script from the mariadb.service systemd unit.  The script is run with mysql user privileges and therefore no privilege escalation is possible.
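The distinction comment 5 keeps drawing for the systemd-based packages is whether ExecStartPre runs as root or as the mysql user, and that is decided by the unit's [Service] section rather than by the script itself. The following is an added example (not a Red Hat or systemd tool) that reads a unit from stdin and reports whether its ExecStartPre commands run as root: they do when there is no User= (or User=root), when PermissionsStartOnly=true is set, or when a command carries systemd's "+" prefix. The two sample units are constructed to mirror the two cases described above (User=mysql with and without PermissionsStartOnly=true); they are not copied from any package, and the ExecStart paths in them are placeholders.

```shell
#!/bin/sh
# Added example, not a Red Hat or systemd tool.  Reads a systemd unit on
# stdin; returns 0 if its ExecStartPre= commands run as root, 1 otherwise.
prestart_runs_as_root() {
    unit=$(cat)
    # Keep only the [Service] section(s); drop-ins printed by
    # "systemctl cat" re-enter [Service] and are handled the same way.
    svc=$(printf '%s\n' "$unit" | awk '/^\[/ { s = ($0 == "[Service]") } s')
    pre_count=$(printf '%s\n' "$svc" | grep -c '^ExecStartPre=' || true)
    [ "$pre_count" -gt 0 ] || return 1            # nothing to run as root
    user=$(printf '%s\n' "$svc" | sed -n 's/^User=//p' | tail -n 1)
    pso=$(printf '%s\n' "$svc" | sed -n 's/^PermissionsStartOnly=//p' | tail -n 1)
    plus_count=$(printf '%s\n' "$svc" | grep -c '^ExecStartPre=+' || true)
    case "$user" in ''|root|0) return 0 ;; esac    # whole service is root
    case "$pso" in true|yes|on|1) return 0 ;; esac # pre-start exempt from User=
    [ "$plus_count" -gt 0 ] && return 0            # "+" prefix: full privileges
    return 1
}

# Constructed sample: like the mariadb.service case, ExecStartPre runs
# as the service user because User= applies to it as well.
UNIT_PRESTART_AS_USER='[Unit]
Description=constructed sample, pre-start as the service user

[Service]
Type=simple
User=mysql
Group=mysql
ExecStartPre=/usr/libexec/mariadb-prepare-db-dir %n
ExecStart=/usr/bin/mysqld --basedir=/usr
'

# Constructed sample: like the rh-mysql56-mysqld.service case, where
# PermissionsStartOnly=true makes ExecStartPre run as root.
UNIT_PRESTART_AS_ROOT='[Unit]
Description=constructed sample, pre-start as root

[Service]
Type=simple
User=mysql
Group=mysql
PermissionsStartOnly=true
ExecStartPre=/opt/rh/rh-mysql56/root/usr/libexec/mysql-prepare-db-dir %n
ExecStart=/opt/rh/rh-mysql56/root/usr/bin/mysqld
'

report() {   # usage: printf '%s' "$unit_text" | report NAME
    if prestart_runs_as_root; then
        echo "$1: ExecStartPre runs as root"
    else
        echo "$1: ExecStartPre runs as the service user"
    fi
}

printf '%s' "$UNIT_PRESTART_AS_USER" | report mariadb-like
printf '%s' "$UNIT_PRESTART_AS_ROOT" | report rh-mysql56-like
```

Against a live system the same function can be fed with `systemctl cat rh-mysql56-mysqld.service | prestart_runs_as_root`, which also includes any drop-in overrides. A "runs as root" result is only a problem when the pre-start script does work in a directory the service user can write to, which is exactly the combination comment 5 flags for rh-mysql56 on Red Hat Enterprise Linux 7.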

Comment 6 Tomas Hoger 2017-01-25 13:32:02 UTC
(In reply to Tomas Hoger from comment #5)
> rh-mysql57-mysql packages in Red Hat Software Collections for Red Hat
> Enterprise Linux 7 include additional systemd unit -
> rh-mysql57-mysqld@.service - which runs another pre-start script -
> /opt/rh/rh-mysql57/root/usr/bin/mysqld_pre_systemd.  The script is run with
> root privileges, and contains similar vulnerable code for creating and
> setting permissions on the error log file.

This issue is addressed in MySQL 5.7.17:

https://github.com/mysql/mysql-server/commit/76e9d7e5b30365e8b167e2070ee00f81cb115b8b
https://github.com/mysql/mysql-server/commit/7a5145e445ee802241957eb5290a3e65ea4da70c

Comment 10 errata-xmlrpc 2017-08-01 19:43:44 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7

Via RHSA-2017:2192 https://access.redhat.com/errata/RHSA-2017:2192

Comment 11 errata-xmlrpc 2017-09-21 07:47:10 UTC
This issue has been addressed in the following products:

  Red Hat Software Collections for Red Hat Enterprise Linux 6
  Red Hat Software Collections for Red Hat Enterprise Linux 6.7 EUS
  Red Hat Software Collections for Red Hat Enterprise Linux 7
  Red Hat Software Collections for Red Hat Enterprise Linux 7.3 EUS

Via RHSA-2017:2787 https://access.redhat.com/errata/RHSA-2017:2787

Comment 12 errata-xmlrpc 2018-02-06 11:00:28 UTC
This issue has been addressed in the following products:

  Red Hat Software Collections for Red Hat Enterprise Linux 6
  Red Hat Software Collections for Red Hat Enterprise Linux 6.7 EUS
  Red Hat Software Collections for Red Hat Enterprise Linux 7
  Red Hat Software Collections for Red Hat Enterprise Linux 7.3 EUS
  Red Hat Software Collections for Red Hat Enterprise Linux 7.4 EUS

Via RHSA-2018:0279 https://access.redhat.com/errata/RHSA-2018:0279

Comment 14 errata-xmlrpc 2018-03-21 14:02:18 UTC
This issue has been addressed in the following products:

  Red Hat Software Collections for Red Hat Enterprise Linux 6
  Red Hat Software Collections for Red Hat Enterprise Linux 6.7 EUS
  Red Hat Software Collections for Red Hat Enterprise Linux 7
  Red Hat Software Collections for Red Hat Enterprise Linux 7.3 EUS
  Red Hat Software Collections for Red Hat Enterprise Linux 7.4 EUS

Via RHSA-2018:0574 https://access.redhat.com/errata/RHSA-2018:0574

Comment 15 Tomas Hoger 2018-03-21 14:49:50 UTC
Acknowledgments:

Name: Red Hat Product Security

