Bug 1433010 (CVE-2016-5483, CVE-2017-3600) - CVE-2017-3600 mariadb, mysql: Incorrect input validation allowing code execution via mysqldump
Summary: CVE-2017-3600 mariadb, mysql: Incorrect input validation allowing code execut...
Keywords:
Status: CLOSED ERRATA
Alias: CVE-2016-5483, CVE-2017-3600
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
medium
medium
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
: 1443387 (view as bug list)
Depends On: 1433350 1445524 1445525 1445527 1445528 1458933
Blocks: 1433012 1443389
TreeView+ depends on / blocked
 
Reported: 2017-03-16 14:52 UTC by Adam Mariš
Modified: 2019-09-29 14:08 UTC (History)
36 users (show)

Fixed In Version: mysql 5.5.55, mysql 5.6.36, mysql 5.7.18, mariadb 5.5.53, mariadb 10.1.19, mariadb 10.0.28
Doc Type: If docs needed, set a value
Doc Text:
It was discovered that the mysql and mysqldump tools did not correctly handle database and table names containing newline characters. A database user with privileges to create databases or tables could cause the mysql command to execute arbitrary shell or SQL commands while restoring database backup created using the mysqldump tool.
Clone Of:
Environment:
Last Closed: 2018-03-19 22:17:15 UTC


Attachments (Terms of Use)


Links
System ID Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2017:2192 normal SHIPPED_LIVE Moderate: mariadb security and bug fix update 2017-08-01 18:18:36 UTC
Red Hat Product Errata RHSA-2017:2787 normal SHIPPED_LIVE Important: rh-mysql56-mysql security and bug fix update 2017-09-21 11:42:12 UTC
Red Hat Product Errata RHSA-2017:2886 normal SHIPPED_LIVE Important: rh-mysql57-mysql security and bug fix update 2017-10-12 11:53:15 UTC

Description Adam Mariš 2017-03-16 14:52:34 UTC
An incorrect input validation flaw was found in mysqldump, mysqltest and mysql cli allowing attacker with CREATE TABLE permissions to escalate his privileges via specially crafted table name when an administrator restores from backup.

MariaDB upstream patches:

https://github.com/MariaDB/server/commit/5a43a31ee81bc181eeb5ef2bf0704befa6e0594d
https://github.com/MariaDB/server/commit/01b39b7b0730102b88d8ea43ec719a75e9316a1e
https://github.com/MariaDB/server/commit/383007c75d6ef5043fa5781956a6a02b24e2b79e

External References:

https://blog.tarq.io/cve-2016-5483-backdooring-mysqldump-backups/
https://blog.tarq.io/cve-2016-5483-galera-remote-command-execution-via-crafted-database-name/

Comment 1 Adam Mariš 2017-03-17 12:57:47 UTC
Created community-mysql tracking bugs for this issue:

Affects: fedora-all [bug 1433350]

Comment 2 Tomas Hoger 2017-03-21 10:17:52 UTC
MariaDB upstream corrected this issue in versions 5.5.53, 10.0.28, and 10.1.19.  Therefore, MariaDB packages shipped in Red Hat Software Collections were fixed via the following errata:

mariadb55-mariadb:
  https://rhn.redhat.com/errata/RHSA-2016-2131.html

rh-mariadb100-mariadb:
  https://rhn.redhat.com/errata/RHSA-2016-2927.html

rh-mariadb101-mariadb:
  https://rhn.redhat.com/errata/RHSA-2016-2928.html

Comment 4 Tomas Hoger 2017-03-21 15:04:53 UTC
This CVE is actually for 2 issues.


* Incorrect handling of newline character when generating comments as part of the mysqldump output.  When such dump file is later processed by the mysql command (e.g. to restore database backup), arbitrary shell or SQL command is executed with the privileges of the user running mysql.

Reporter demonstrates the problem in his blog post using a specially-crafted table name.  A table created with this SQL statement:

  CREATE TABLE `evil
  \! id
  select user(),@@version/*` (test text);

will cause mysqldump to generate this comment:

  --
  -- Table structure for table `evil
  \! id
  select user(),@@version/*`  
  --

Lines 3 and 4 are not properly commented out and hence will be executed as additional commands.

Reporter also includes these options to mitigate this problem:

  - Use --skip-comments when using mysqldump
  - Revoke create table privileges wherever possible (best practice anyway)
  - Only dump table data instead of the structure in scheduled backups
  - Use an alternative tool to backup your mysql data

Out of the listed options, the use of --skip-comments seems to be the least invasive way to mitigate this problem, as the generated SQL dump can still be restored by mysql without any changes to the restore procedure, it only makes the output less human-readable.

The attack via specially crafted table name can only be executed by a database user with privileges to create tables.  This privilege is frequently granted to non-administrative users, limited to specific database(s) owned by those users.

Additional attack vectors seem to exist for users with higher privileges such as   privileges to create databases.


* Incorrect handling of database names with newline characters when they are used in the USE statement processed by the mysql tool.

Reporter's blog post demonstrates the issue with a database created as:

  CREATE DATABASE `test
  \! id
  select user(),@@version; -- -`

mysqldump, when creating backup of all databases, will include the following USE command in its output:

  USE `test
  \! id
  select user(),@@version; -- -`;

The mysql command handled lines 2 and 3 as separate commands and not as part of the name passed to the USE command.

Reporter provides these options to mitigate this issue:

  - Revoke create database privileges wherever possible, as is best practice
  - Do not use mysqldump as your SST method, xtrabackup-v2 is the reccomended
    method
  - Audit your databases for tables containing new lines. You can do this
    with a simple one-liner: find /var/lib/mysql -type d -name "*@000a*"

Unlike the first issue, this one can not be easily mitigated by the use of --skip-comments option passed to mysqldump.

On the other hand, this problem is triggered by a malicious database name, so attacker would need to have privileges to create databases to exploit this issue.  Such privilege is usually restricted to database administrative users.

Reporter also notes that in Galera deployments, this issue can be triggered even outside backup restore procedure if mysqldump wsrep_sst_method is configured.  The default method in mariadb-galera packages included in Red Hat products is rsync.

Comment 5 Tomas Hoger 2017-04-12 14:18:58 UTC
MySQL was fixed in versions 5.5.55, 5.6.36, and 5.7.18.

MySQL upstream commit:

https://github.com/mysql/mysql-server/commit/6fa5e0814662d691be1a29bf88332348ec7c50c9

Relevant release notes entry:

  mysqldump failed to properly quote certain identifiers in SQL statements
  written to the dump output. (Bug #25717383)

https://dev.mysql.com/doc/relnotes/mysql/5.7/en/news-5-7-18.html
https://dev.mysql.com/doc/relnotes/mysql/5.6/en/news-5-6-36.html
https://dev.mysql.com/doc/relnotes/mysql/5.5/en/news-5-5-55.html

Comment 6 Tomas Hoger 2017-04-21 13:02:51 UTC
It should be noted that the MySQL fixes linked in comment 5 only address the first problem descried in comment 4, but not the second one.

Comment 7 Tomas Hoger 2017-04-23 12:12:23 UTC
*** Bug 1443387 has been marked as a duplicate of this bug. ***

Comment 8 Tomas Hoger 2017-04-23 12:25:12 UTC
Oracle assigned a duplicates CVE-2017-3600 for this issue.

Comment 11 Andrej Nemec 2017-04-26 06:43:12 UTC
Mitre rejected CVE-2016-5483 in favor of CVE-2017-3600.

Name: CVE-2016-5483
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-5483
Assigned: 20160616

** REJECT **
DO NOT USE THIS CANDIDATE NUMBER.  ConsultIDs: CVE-2017-3600.
Reason: This candidate is a reservation duplicate of CVE-2017-3600.
Notes: All CVE users should reference CVE-2017-3600 instead of this
candidate. All references and descriptions in this candidate have
been removed to prevent accidental usage.

Comment 14 errata-xmlrpc 2017-08-01 19:44:19 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7

Via RHSA-2017:2192 https://access.redhat.com/errata/RHSA-2017:2192

Comment 19 errata-xmlrpc 2017-09-21 07:47:59 UTC
This issue has been addressed in the following products:

  Red Hat Software Collections for Red Hat Enterprise Linux 6
  Red Hat Software Collections for Red Hat Enterprise Linux 6.7 EUS
  Red Hat Software Collections for Red Hat Enterprise Linux 7
  Red Hat Software Collections for Red Hat Enterprise Linux 7.3 EUS

Via RHSA-2017:2787 https://access.redhat.com/errata/RHSA-2017:2787

Comment 20 errata-xmlrpc 2017-10-12 07:59:17 UTC
This issue has been addressed in the following products:

  Red Hat Software Collections for Red Hat Enterprise Linux 6
  Red Hat Software Collections for Red Hat Enterprise Linux 6.7 EUS
  Red Hat Software Collections for Red Hat Enterprise Linux 7
  Red Hat Software Collections for Red Hat Enterprise Linux 7.3 EUS

Via RHSA-2017:2886 https://access.redhat.com/errata/RHSA-2017:2886

Comment 21 Tomas Hoger 2018-08-01 20:03:45 UTC
(In reply to Tomas Hoger from comment #5)
> MySQL was fixed in versions 5.5.55, 5.6.36, and 5.7.18.
> 
> MySQL upstream commit:
> 
> https://github.com/mysql/mysql-server/commit/6fa5e0814662d691be1a29bf88332348ec7c50c9

The fix_identifier_with_newline() function introduced in this commit was found to contain a buffer overflow that can be triggered via long mysqldump command line arguments, see CVE-2018-3070 / bug 1602369.


Note You need to log in before you can comment on or make changes to this bug.