Bug 1378936 - (CVE-2016-5616, CVE-2016-6663) CVE-2016-6663 CVE-2016-5616 mysql: race condition while setting stats during MyISAM table repair (CPU Oct 2016)
Status: NEW
Product: Security Response
Classification: Other
Component: vulnerability (Show other bugs)
Version: unspecified
Hardware: All
OS: Linux
Priority: medium
Severity: medium
Assigned To: Red Hat Product Security
impact=moderate,public=20160912,repor...
: Security
: 1386562 (view as bug list)
Depends On: 1393306 1393309 1393313 1393314 1397309 1397310 1429974 1429975
Blocks: 1386598 1375204
Reported: 2016-09-23 10:35 EDT by Tomas Hoger
Modified: 2017-03-07 10:25 EST (History)

See Also:
Fixed In Version: mysql 5.5.52, mysql 5.6.33, mysql 5.7.15, mariadb 5.5.52, mariadb 10.1.18, mariadb 10.0.28
Doc Type: If docs needed, set a value
Doc Text:
A race condition was found in the way MySQL performed MyISAM engine table repair. A database user with shell access to the server running mysqld could use this flaw to change permissions of arbitrary files writable by the mysql system user.
Story Points: ---
Clone Of:
Environment:
Last Closed:
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---


Description Tomas Hoger 2016-09-23 10:35:00 EDT
Dawid Golunski, reporter of CVE-2016-6662 (bug 1375198), mentioned the existence of a privilege escalation vulnerability which should allow a non-privileged database user without FILE permissions to escalate their privileges to database or system administrator.  Quoting from the advisory for CVE-2016-6662:

http://legalhackers.com/advisories/MySQL-Exploit-Remote-Root-Code-Execution-Privesc-CVE-2016-6662.txt

  It could also be combined with CVE-2016-6663 vulnerability which will be released
  shortly and could allow certain attackers to escalate their privileges to root 
  even without FILE privilege.

No further details are available at the moment.
Comment 3 Tomas Hoger 2016-10-25 03:57:12 EDT
This issue is now listed as fixed in MariaDB versions 5.5.52 and 10.1.18:

https://mariadb.com/kb/en/mariadb/mariadb-5552-release-notes/
https://mariadb.com/kb/en/mariadb/mariadb-10118-release-notes/

According to MariaDB upstream, the CVE is for the race condition issue fixed in this commit:

https://github.com/MariaDB/server/commit/347eeefbfc658c8531878218487d729f4e020805

Corresponding MySQL commit is:

https://github.com/mysql/mysql-server/commit/4e5473862e6852b0f3802b0cd0c6fa10b5253291

and it was applied in MySQL versions 5.5.52, 5.6.33, and 5.7.15.
Comment 4 Tomas Hoger 2016-10-25 04:00:03 EDT
We also believe that Oracle decided to assign a duplicate CVE id for this issue - CVE-2016-5616 tracked via bug 1386562.

Also see bug 1386562 comment 4 for information on how this issue is mitigated by the default configuration of MySQL/MariaDB packages as shipped in Red Hat products.
Comment 6 errata-xmlrpc 2016-10-31 18:24:05 EDT
This issue has been addressed in the following products:

  Red Hat Software Collections for Red Hat Enterprise Linux 6
  Red Hat Software Collections for Red Hat Enterprise Linux 6.6 EUS
  Red Hat Software Collections for Red Hat Enterprise Linux 6.7 EUS
  Red Hat Software Collections for Red Hat Enterprise Linux 7
  Red Hat Software Collections for Red Hat Enterprise Linux 7.1 EUS
  Red Hat Software Collections for Red Hat Enterprise Linux 7.2 EUS

Via RHSA-2016:2131 https://rhn.redhat.com/errata/RHSA-2016-2131.html
Comment 7 Andrej Nemec 2016-11-02 04:57:22 EDT
References:

http://seclists.org/fulldisclosure/2016/Nov/4
Comment 10 errata-xmlrpc 2016-11-03 16:51:28 EDT
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7

Via RHSA-2016:2595 https://rhn.redhat.com/errata/RHSA-2016-2595.html
Comment 11 Tomas Hoger 2016-11-03 17:45:54 EDT
(In reply to Tomas Hoger from comment #4)
> We also believe that Oracle decided to assign a duplicate CVE id for this
> issue - CVE-2016-5616 tracked via bug 1386562.

The original flaw reporter has now also confirmed that CVE-2016-5616 is a duplicate id for the issue that originally got CVE-2016-6663.  His advisory also notes that the setting of symbolic-links = 0 (which is used by default in all MySQL and MariaDB packages for Red Hat Enterprise Linux 6 and later) mitigates this issue.

External References:

https://legalhackers.com/advisories/MySQL-Maria-Percona-PrivEscRace-CVE-2016-6663-5616-Exploit.txt
Comment 12 Tomas Hoger 2016-11-03 17:49:48 EDT
*** Bug 1386562 has been marked as a duplicate of this bug. ***
Comment 13 Tomas Hoger 2016-11-03 17:54:24 EDT
(In reply to Tomas Hoger from comment #4)
> Also see bug 1386562 comment 4 for information on how this issue is
> mitigated by the default configuration of MySQL/MariaDB packages as shipped
> in Red Hat products.

Copying the whole text of bug 1386562 comment 4 here, as bug 1386562 was closed as duplicate of this bug.

--

The only change in MyISAM sub-component of MySQL in the listed versions is:

https://github.com/mysql/mysql-server/commit/4e5473862e6852b0f3802b0cd0c6fa10b5253291

To exploit this flaw, an attacker needs to have local shell access on the server running MySQL server, and have write access to the data directory used to store database files.  The data directory is normally only writable by the mysql system user, who has full control over database files anyway.

However, the MyISAM engine allows users creating database tables to specify the location where data files are stored using the DATA DIRECTORY and INDEX DIRECTORY clauses of CREATE TABLE.  That way, database files can be stored in any directory writable by a local user.

The DATA DIRECTORY and INDEX DIRECTORY clauses are only applied when mysqld is running with symlink support enabled.  Symlink support is controlled via the symbolic-links configuration directive and the --symbolic-links / --skip-symbolic-links command line options.  The default configuration of all MySQL and MariaDB packages on Red Hat Enterprise Linux 6 and later is to disable symlink support - the symbolic-links=0 setting is used in the default my.cnf.  With this setting, only the mysql system user should be able to exploit this flaw.

The mysql packages on Red Hat Enterprise Linux 5 have symlink support enabled by default, however, Red Hat has been recommending disabling symlink support since 2010:

https://rhn.redhat.com/errata/RHSA-2010-0109.html
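As an added defender-side example (not part of this bug, and not Red Hat's or MySQL's own tooling), the following Python audits a my.cnf-style file for the symbolic-links=0 / skip-symbolic-links mitigation discussed in the comment above. The sample configurations are constructed; the option groups it honours ([mysqld], [server], [mysqld-X.Y]) are the ones mysqld itself reads, so a directive placed in [mysqld_safe] is correctly reported as not mitigating.

```python
import re

# Option groups mysqld itself reads; [mysqld_safe] and client groups are ignored.
MYSQLD_GROUPS = re.compile(r"^(mysqld|server|mysqld-\d+\.\d+)$")
DISABLED_VALUES = {"0", "off", "false", "no"}


def symlinks_disabled(config_text: str) -> bool:
    """Return True if the effective directive disables mysqld symlink support.

    '-' and '_' are equivalent in option names; the last directive wins; with
    no directive the upstream default (symlinks enabled) applies -> False.
    """
    enabled = True
    in_mysqld_group = False
    for raw in config_text.splitlines():
        line = re.split(r"[#;]", raw, maxsplit=1)[0].strip()
        if not line or line.startswith("!"):      # blanks, comments, !include*
            continue
        if line.startswith("[") and line.endswith("]"):
            in_mysqld_group = bool(MYSQLD_GROUPS.match(line[1:-1].strip()))
            continue
        if not in_mysqld_group:
            continue
        name, _, value = (part.strip() for part in line.partition("="))
        name = name.lstrip("-").replace("_", "-")
        value = value.strip("\"'").lower()
        if name == "skip-symbolic-links":
            enabled = False
        elif name == "symbolic-links":
            # bare 'symbolic-links' or =1/ON/TRUE enables; =0/OFF/FALSE disables
            enabled = value not in DISABLED_VALUES
    return not enabled


# Constructed sample resembling the Red Hat default my.cnf: mitigation present.
RHEL_STYLE_CNF = """
[mysqld]
datadir=/var/lib/mysql
# Disabling symbolic-links is recommended to prevent assorted security risks
symbolic-links=0
"""

# Constructed sample: directive sits in a group mysqld does not read (no mitigation).
MISPLACED_CNF = """
[mysqld_safe]
skip-symbolic-links
[mysqld]
datadir=/var/lib/mysql
"""
```

Running the check against a live server is complementary: `SHOW VARIABLES LIKE 'have_symlink'` reports DISABLED when the mitigation took effect.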
Comment 23 errata-xmlrpc 2016-11-15 06:30:51 EST
This issue has been addressed in the following products:

  Red Hat Software Collections for Red Hat Enterprise Linux 6
  Red Hat Software Collections for Red Hat Enterprise Linux 6.7 EUS
  Red Hat Software Collections for Red Hat Enterprise Linux 7
  Red Hat Software Collections for Red Hat Enterprise Linux 7.1 EUS
  Red Hat Software Collections for Red Hat Enterprise Linux 7.2 EUS

Via RHSA-2016:2749 https://rhn.redhat.com/errata/RHSA-2016-2749.html
Comment 27 errata-xmlrpc 2016-12-08 11:06:46 EST
This issue has been addressed in the following products:

  Red Hat Software Collections for Red Hat Enterprise Linux 6.7 EUS
  Red Hat Software Collections for Red Hat Enterprise Linux 7.3 EUS
  Red Hat Software Collections for Red Hat Enterprise Linux 6
  Red Hat Software Collections for Red Hat Enterprise Linux 7
  Red Hat Software Collections for Red Hat Enterprise Linux 7.2 EUS

Via RHSA-2016:2928 https://rhn.redhat.com/errata/RHSA-2016-2928.html
Comment 28 errata-xmlrpc 2016-12-08 11:12:51 EST
This issue has been addressed in the following products:

  Red Hat Software Collections for Red Hat Enterprise Linux 6
  Red Hat Software Collections for Red Hat Enterprise Linux 6.7 EUS
  Red Hat Software Collections for Red Hat Enterprise Linux 7
  Red Hat Software Collections for Red Hat Enterprise Linux 7.2 EUS
  Red Hat Software Collections for Red Hat Enterprise Linux 7.3 EUS

Via RHSA-2016:2927 https://rhn.redhat.com/errata/RHSA-2016-2927.html
Comment 29 errata-xmlrpc 2017-01-24 06:46:20 EST
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 6

Via RHSA-2017:0184 https://rhn.redhat.com/errata/RHSA-2017-0184.html
