Bug 1414429 (CVE-2017-3291) - CVE-2017-3291 mysql: unrestricted mysqld_safe's ledir (CPU Jan 2017)
Summary: CVE-2017-3291 mysql: unrestricted mysqld_safe's ledir (CPU Jan 2017)
Status: CLOSED ERRATA
Alias: CVE-2017-3291
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
medium
medium
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard: impact=moderate,public=20170117,repor...
Keywords: Security
Depends On: 1445517 1445518 1445533 1445534 1458933 1463415 1463416 1463417 1463418
Blocks: 1414362
TreeView+ depends on / blocked
 
Reported: 2017-01-18 13:30 UTC by Tomas Hoger
Modified: 2018-04-06 12:29 UTC (History)
33 users (show)

(edit)
It was discovered that the mysqld_safe script honored the ledir option value set in a MySQL configuration file. A user able to modify one of the MySQL configuration files could use this flaw to escalate their privileges to root.
Clone Of:
(edit)
Last Closed: 2018-03-21 14:51:03 UTC


Attachments (Terms of Use)


External Trackers
Tracker ID Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2017:2192 normal SHIPPED_LIVE Moderate: mariadb security and bug fix update 2017-08-01 18:18:36 UTC
Red Hat Product Errata RHSA-2017:2787 normal SHIPPED_LIVE Important: rh-mysql56-mysql security and bug fix update 2017-09-21 11:42:12 UTC
Red Hat Product Errata RHSA-2017:2886 normal SHIPPED_LIVE Important: rh-mysql57-mysql security and bug fix update 2017-10-12 11:53:15 UTC
Red Hat Product Errata RHSA-2018:0279 normal SHIPPED_LIVE Moderate: rh-mariadb100-mariadb security update 2018-02-06 18:00:11 UTC
Red Hat Product Errata RHSA-2018:0574 None None None 2018-03-21 14:02 UTC

Description Tomas Hoger 2017-01-18 13:30:49 UTC
It was discovered that the mysqld_safe could read ledir value - which specifies the directory where mysqld is stored - from configuration file.  This could allow a user with privileges to write to some mysql configuration file - either mysql OS user, or any local OS user able to write to the config via some other way, e.g. by exploiting CVE-2016-6662 - to escalate their privileges to root if mysqld_safe was run with root privileges.

This problem is related to this change applied as part of the CVE-2016-6662 fix:

https://github.com/mysql/mysql-server/commit/684a165f28b3718160a3e4c5ebd18a465d85e97c#diff-144aa2f11374843c969d96b7b84247eaR211

It introduced restriction that mysqld and mysqld_version options can only be specified on the command line and can not be defined in a configuration file.  However, such restriction was trivial to bypass while ledir was not restricted in a similar way.

Restriction for ledir was added in MySQL versions 5.5.54, 5.6.35, and 5.7.17.  The following related entry can be found in the release notes:

  The --ledir option now is accepted only on the command line, not in
  option files.

http://dev.mysql.com/doc/relnotes/mysql/5.5/en/news-5-5-54.html
http://dev.mysql.com/doc/relnotes/mysql/5.6/en/news-5-6-35.html
http://dev.mysql.com/doc/relnotes/mysql/5.7/en/news-5-7-17.html

MySQL upstream commit:

https://github.com/mysql/mysql-server/commit/53230ba274a37fa13d65e802c6ef3766cd0c6d91#diff-144aa2f11374843c969d96b7b84247ea

The CVE was made public via Oracle CPU January 2017:

http://www.oracle.com/technetwork/security-advisory/cpujan2017-2881727.html#AppendixMSQL

Comment 2 Adam Mariš 2017-01-18 13:40:43 UTC
Created mariadb tracking bugs for this issue:

Affects: fedora-all [bug 1414387]

Comment 3 Adam Mariš 2017-01-18 13:40:55 UTC
Created community-mysql tracking bugs for this issue:

Affects: fedora-all [bug 1414386]

Comment 4 Tomas Hoger 2017-01-19 13:58:14 UTC
This issue has very limited impact on MySQL and MariaDB packages included in Red Hat Enterprise Linux 7 and Red Hat Software Collections for Red Hat Enterprise Linux 7, as mysqld_safe used to start MySQL or MariaDB database is run by systemd with mysql OS user privileges.  Therefore, it does not allow mysql -> root privilege escalation.  It may only allow local users different from mysql to escalate their privileges to the mysql OS user if they are able to write to one of the my.cnf files (e.g. by exploiting the CVE-2016-6662 issue).

On Red Hat Enterprise Linux 6, privilege escalation to root is possible.  Pre-requisite is that an attacker needs to have mysql OS user privileges, or ability to modify my.cnf.

Comment 5 Tomas Hoger 2017-02-03 10:23:39 UTC
According to Oracle, this CVE also covers an insecure path use in mysqld_safe.

This code tries to find my_print_defaults command:

https://github.com/mysql/mysql-server/blob/mysql-5.6.34/scripts/mysqld_safe.sh#L466

It first tries relative to $MY_BASEDIR_VERSION, which can be set to $PWD:

https://github.com/mysql/mysql-server/blob/mysql-5.6.34/scripts/mysqld_safe.sh#L402

If root runs mysqld_safe while their $PWD is /tmp, arbitrary code controlled by some unprivileged local (not necessarily mysql) user can be executed.

Note that this issue is not exploitable when root user runs mysqld init script while their working directory is /tmp, as the init script used in Red Hat MySQL packages explicitly specifies --basedir when running mysqld_safe.

The issue was fixed upstream in:

https://github.com/mysql/mysql-server/commit/53230ba274a37fa13d65e802c6ef3766cd0c6d91#diff-144aa2f11374843c969d96b7b84247eaL397

Comment 10 errata-xmlrpc 2017-08-01 19:43:55 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7

Via RHSA-2017:2192 https://access.redhat.com/errata/RHSA-2017:2192

Comment 11 errata-xmlrpc 2017-09-21 07:47:21 UTC
This issue has been addressed in the following products:

  Red Hat Software Collections for Red Hat Enterprise Linux 6
  Red Hat Software Collections for Red Hat Enterprise Linux 6.7 EUS
  Red Hat Software Collections for Red Hat Enterprise Linux 7
  Red Hat Software Collections for Red Hat Enterprise Linux 7.3 EUS

Via RHSA-2017:2787 https://access.redhat.com/errata/RHSA-2017:2787

Comment 12 errata-xmlrpc 2017-10-12 07:59:04 UTC
This issue has been addressed in the following products:

  Red Hat Software Collections for Red Hat Enterprise Linux 6
  Red Hat Software Collections for Red Hat Enterprise Linux 6.7 EUS
  Red Hat Software Collections for Red Hat Enterprise Linux 7
  Red Hat Software Collections for Red Hat Enterprise Linux 7.3 EUS

Via RHSA-2017:2886 https://access.redhat.com/errata/RHSA-2017:2886

Comment 16 errata-xmlrpc 2018-02-06 11:00:40 UTC
This issue has been addressed in the following products:

  Red Hat Software Collections for Red Hat Enterprise Linux 6
  Red Hat Software Collections for Red Hat Enterprise Linux 6.7 EUS
  Red Hat Software Collections for Red Hat Enterprise Linux 7
  Red Hat Software Collections for Red Hat Enterprise Linux 7.3 EUS
  Red Hat Software Collections for Red Hat Enterprise Linux 7.4 EUS

Via RHSA-2018:0279 https://access.redhat.com/errata/RHSA-2018:0279

Comment 19 errata-xmlrpc 2018-03-21 14:02:41 UTC
This issue has been addressed in the following products:

  Red Hat Software Collections for Red Hat Enterprise Linux 6
  Red Hat Software Collections for Red Hat Enterprise Linux 6.7 EUS
  Red Hat Software Collections for Red Hat Enterprise Linux 7
  Red Hat Software Collections for Red Hat Enterprise Linux 7.3 EUS
  Red Hat Software Collections for Red Hat Enterprise Linux 7.4 EUS

Via RHSA-2018:0574 https://access.redhat.com/errata/RHSA-2018:0574

Comment 20 Tomas Hoger 2018-03-21 14:51:21 UTC
Acknowledgments:

Name: Red Hat Product Security


Note You need to log in before you can comment on or make changes to this bug.