Red Hat Bugzilla – Bug 1414429
CVE-2017-3291 mysql: unrestricted mysqld_safe's ledir (CPU Jan 2017)
Last modified: 2018-04-06 08:29:56 EDT
It was discovered that the mysqld_safe could read ledir value - which specifies the directory where mysqld is stored - from configuration file. This could allow a user with privileges to write to some mysql configuration file - either mysql OS user, or any local OS user able to write to the config via some other way, e.g. by exploiting CVE-2016-6662 - to escalate their privileges to root if mysqld_safe was run with root privileges. This problem is related to this change applied as part of the CVE-2016-6662 fix: https://github.com/mysql/mysql-server/commit/684a165f28b3718160a3e4c5ebd18a465d85e97c#diff-144aa2f11374843c969d96b7b84247eaR211 It introduced restriction that mysqld and mysqld_version options can only be specified on the command line and can not be defined in a configuration file. However, such restriction was trivial to bypass while ledir was not restricted in a similar way. Restriction for ledir was added in MySQL versions 5.5.54, 5.6.35, and 5.7.17. The following related entry can be found in the release notes: The --ledir option now is accepted only on the command line, not in option files. http://dev.mysql.com/doc/relnotes/mysql/5.5/en/news-5-5-54.html http://dev.mysql.com/doc/relnotes/mysql/5.6/en/news-5-6-35.html http://dev.mysql.com/doc/relnotes/mysql/5.7/en/news-5-7-17.html MySQL upstream commit: https://github.com/mysql/mysql-server/commit/53230ba274a37fa13d65e802c6ef3766cd0c6d91#diff-144aa2f11374843c969d96b7b84247ea The CVE was made public via Oracle CPU January 2017: http://www.oracle.com/technetwork/security-advisory/cpujan2017-2881727.html#AppendixMSQL
Created mariadb tracking bugs for this issue: Affects: fedora-all [bug 1414387]
Created community-mysql tracking bugs for this issue: Affects: fedora-all [bug 1414386]
This issue has very limited impact on MySQL and MariaDB packages included in Red Hat Enterprise Linux 7 and Red Hat Software Collections for Red Hat Enterprise Linux 7, as mysqld_safe used to start MySQL or MariaDB database is run by systemd with mysql OS user privileges. Therefore, it does not allow mysql -> root privilege escalation. It may only allow local users different from mysql to escalate their privileges to the mysql OS user if they are able to write to one of the my.cnf files (e.g. by exploiting the CVE-2016-6662 issue). On Red Hat Enterprise Linux 6, privilege escalation to root is possible. Pre-requisite is that an attacker needs to have mysql OS user privileges, or ability to modify my.cnf.
According to Oracle, this CVE also covers an insecure path use in mysqld_safe. This code tries to find my_print_defaults command: https://github.com/mysql/mysql-server/blob/mysql-5.6.34/scripts/mysqld_safe.sh#L466 It first tries relative to $MY_BASEDIR_VERSION, which can be set to $PWD: https://github.com/mysql/mysql-server/blob/mysql-5.6.34/scripts/mysqld_safe.sh#L402 If root runs mysqld_safe while their $PWD is /tmp, arbitrary code controlled by some unprivileged local (not necessarily mysql) user can be executed. Note that this issue is not exploitable when root user runs mysqld init script while their working directory is /tmp, as the init script used in Red Hat MySQL packages explicitly specifies --basedir when running mysqld_safe. The issue was fixed upstream in: https://github.com/mysql/mysql-server/commit/53230ba274a37fa13d65e802c6ef3766cd0c6d91#diff-144aa2f11374843c969d96b7b84247eaL397
This issue has been addressed in the following products: Red Hat Enterprise Linux 7 Via RHSA-2017:2192 https://access.redhat.com/errata/RHSA-2017:2192
This issue has been addressed in the following products: Red Hat Software Collections for Red Hat Enterprise Linux 6 Red Hat Software Collections for Red Hat Enterprise Linux 6.7 EUS Red Hat Software Collections for Red Hat Enterprise Linux 7 Red Hat Software Collections for Red Hat Enterprise Linux 7.3 EUS Via RHSA-2017:2787 https://access.redhat.com/errata/RHSA-2017:2787
This issue has been addressed in the following products: Red Hat Software Collections for Red Hat Enterprise Linux 6 Red Hat Software Collections for Red Hat Enterprise Linux 6.7 EUS Red Hat Software Collections for Red Hat Enterprise Linux 7 Red Hat Software Collections for Red Hat Enterprise Linux 7.3 EUS Via RHSA-2017:2886 https://access.redhat.com/errata/RHSA-2017:2886
This issue has been addressed in the following products: Red Hat Software Collections for Red Hat Enterprise Linux 6 Red Hat Software Collections for Red Hat Enterprise Linux 6.7 EUS Red Hat Software Collections for Red Hat Enterprise Linux 7 Red Hat Software Collections for Red Hat Enterprise Linux 7.3 EUS Red Hat Software Collections for Red Hat Enterprise Linux 7.4 EUS Via RHSA-2018:0279 https://access.redhat.com/errata/RHSA-2018:0279
This issue has been addressed in the following products: Red Hat Software Collections for Red Hat Enterprise Linux 6 Red Hat Software Collections for Red Hat Enterprise Linux 6.7 EUS Red Hat Software Collections for Red Hat Enterprise Linux 7 Red Hat Software Collections for Red Hat Enterprise Linux 7.3 EUS Red Hat Software Collections for Red Hat Enterprise Linux 7.4 EUS Via RHSA-2018:0574 https://access.redhat.com/errata/RHSA-2018:0574
Acknowledgments: Name: Red Hat Product Security