MySQL

Here’s an overview of some of last week’s most interesting news and articles:

Five ways to respond to the ransomware threat
While organizations wrestle with the ever-pressing issue of whether to pay or not to pay if they’re victimized, Logicalis US suggests CXOs focus first on how to protect, thwart and recover from a potential attack.

MySQL 0-day could lead to total system compromise
Researcher Dawid Golunski has discovered multiple severe vulnerabilities affecting the popular open source database MySQL and its forks (e.g. MariaDB, Percona). One of these – CVE-2016-6662 – can be exploited by attackers to inject malicious settings into MySQL configuration files or create new ones, allowing them to execute arbitrary code with root privileges when the MySQL service is restarted.

Organizations must modify their network access policy to address IoT devices
By 2020, 21 billion Internet of Things (IoT) devices will be in use worldwide. Of these, close to 6 percent will be in use for industrial IoT applications.

US 911 emergency system can be crippled by a mobile botnet
What would it take for attackers to significantly disrupt the 911 emergency system across the US? According to researchers from Ben-Gurion University of the Negev’s Cyber-Security Research Center, as little as 200,000 compromised mobile phones located throughout the country.

Microsoft ends Tuesday patches
In the future, patches will be bundled together and users will no longer be able to pick and choose which updates to install.

Artificial intelligence in cybersecurity: Snake oil or salvation?
Machine learning is the science of enabling computers to learn and take action without being explicitly programmed. What has this to do with information security? Currently, not that much. But this is set to change.

DDoS and web application attacks keep escalating
Akamai Technologies released its Second Quarter, 2016 State of the Internet / Security Report, which highlights the cloud security landscape, specifically trends with DDoS and web application attacks, as well as malicious traffic from bots.

DDoS downtime calculator based on real-world information
Are you wondering how you can assess the risks associated with a DDoS attack? Incapsula’s free DDoS Downtime Calculator offers case-specific information adjusted to the realities of your organization.

ICS-CERT warns of remotely exploitable power meter flaws
Two remotely exploitable vulnerabilities, one of which can lead to remote code execution, have been found in Schneider Electric’s ION Power Meter products and FENIKS PRO Elnet Energy Meters.

Improve SecOps by making collaboration easier
Ensuring smooth collaboration and sharing between SOC analysts, incident responders, and endpoint and network administrators has its challenges.

Bogus Pokémon GO guide app roots Android devices
The popularity of Pokémon GO is apparently on the wane, but there are still more than enough players to make it a good lure for cyber crooks. In fact, fake apps like the “Guide For Pokémon Go New” recently spotted on Google Play can end up being downloaded by as many as half a million users.

What proposed Rule 41 changes mean for your privacy
Last week, US Senator Ron Wyden took the floor of the Senate to explain why his (and his colleagues’) Stopping Mass Hacking Act should be voted in.

Android apps based on Adobe AIR SDK send out unencrypted data
Developers using the Adobe AIR SDK should update to the latest version of the software development kit and rebuild the apps as soon as possible if they don’t want their users’ traffic being exposed to attackers.

Hack a Nexus from afar, get $200,000
Google has issued a challenge to bug hunters around the world: find a vulnerability or bug chain that achieves remote code execution on multiple Android devices knowing only the devices’ phone number and email address, and you’ll be handsomely rewarded.

Cyberattacks cost SMBs an average of $86,500
On average, a single cybersecurity incident now costs large businesses a total of $861,000. Meanwhile, SMBs pay an average of $86,500.

6.6 million ClixSense users exposed in wake of site, company hack
If you’ve ever registered with ClixSense – and millions have – you can consider all your personal information shared with the service compromised.

IoT Village uncovers 47 security vulnerabilities across 23 devices
New dangers in both home security and municipal power facilities were revealed as the results of the 2nd Annual IoT Village, held at DEF CON 24 in Las Vegas. More than 47 new vulnerabilities were discovered across 23 different devices from 21 brand name manufacturers.

Ransomware usage explodes, as app, browser and plug-in vulnerabilities increase
Bromium conducted research on cyber attacks and threats affecting enterprise security over the last six months. The good news is while the number of vulnerabilities is steadily increasing, not all exploitable vulnerabilities are actually exploited. The bad news is, criminals are working harder to get protected data.

Stingray use lacks transparency and meaningful oversight
Cell-site simulators – aka Stingrays, aka IMSI catchers – are widely used by US law enforcement, usually without the warrant that this type of surveillance should require.

PCI Council wants more robust security controls for payment devices
The PCI Council has updated its payment device standard to enable stronger protections for cardholder data, which includes the PIN and the cardholder data (on magnetic stripe or the chip of an EMV card) stored on the card or on a mobile device.

Consumers harassed by 30 million spam calls every day
Consumers are giving up twice as much sensitive data as they did the previous year.


Help Net Security

A security researcher this week disclosed a zero-day MySQL vulnerability that could allow attackers to gain complete control of servers, though questions remain about whether or not the flaw had already been addressed by Oracle. 

Dawid Golunski, the researcher who posted the advisory, reported the MySQL vulnerabilities on July 29 to Oracle, as well as to open source database vendors Percona and MariaDB, both of which were vulnerable to the same flaws as they are both MySQL forks. Golunski said both Percona and MariaDB had responded promptly and issued patches by the end of August, but, having heard nothing from Oracle, Golunski decided to go public with the first of the MySQL vulnerabilities he uncovered.

"As over 40 days have passed since reporting the issues and patches were already mentioned publicly," Golunski wrote, "a decision was made to start disclosing vulnerabilities (with limited PoC) to inform users about the risks before the vendor's next CPU update that only happens at the end of October."

The flaws would allow an attacker to abuse MySQL logging functions on improperly configured systems. Golunski's proof of concept attack starts by injecting malicious configuration data into MySQL configuration files with improper permissions. The next step is to create new configuration files, after which attackers would be able to escalate their MySQL privileges.

Oracle declined to comment on Golunski's MySQL vulnerability report. It's possible that Oracle addressed some of the issues in the report prior to Golunski's disclosure. The MySQL patches were released on Sept. 6, for MySQL 5.7, 5.6 and 5.5, all of which appear to address some of the flaws Golunski submitted under CVE-2016-6662.

"MySQL seems to have already released versions that include the security fixes [with MySQL 5.6.33]," Percona stated on its blog. None of the experts SearchSecurity spoke with could verify whether the Oracle patches released on Sept. 6 addressed the vulnerability, and Oracle has not released an official patch or security advisory that clarifies the situation.

How serious is it?

The advisory, wrote Golunski, describes a critical vulnerability assigned to CVE-2016-6662, "which can allow attackers to (remotely) inject malicious settings into MySQL configuration files (my.cnf) leading to critical consequences."

MySQL servers using the default configuration in all version branches, including the latest versions, were found to be vulnerable, "and could be exploited by both local and remote attackers. Both the authenticated access to MySQL database (via network connection or web interfaces such as phpMyAdmin) and SQL injection could be used as exploitation vectors."

Experts were split on just how serious the MySQL vulnerability was. "It's serious, but it's not an unauthenticated vulnerability," said Jacob Williams, founder of consulting firm Rendition InfoSec LLC in Augusta, Ga. "Attackers need to have some way to issue queries to the server to make this exploitable. This might happen through shared access to a server or through another vulnerability such as SQL injection. The problem is that very low-privileged users can access unintended -- and known dangerous -- functionality that was not intended. This causes significant problems in shared hosting environments where multiple users are given access to a single MySQL database instance and their permissions are controlled by the database administrator."

However, Dmitry Chastukhin, lead SAP security analyst at ERPscan, suggested that the advisory's title may have overstated the "Remote Root Code Execution" aspect of the flaw. "In reality it is a privilege escalation vulnerability, which allows an attacker to escalate his or her rights -- in some cases -- on a server and gain root user privileges, if she or he can change the my.cnf configuration file. How to do it -- remotely and anonymously -- is a different matter. It requires other security issues in applications and weak configuration permissions on the server."

The attacker only needs to acquire some level of write permission in the filesystem to exploit this type of vulnerability, according to Mordechai Guri, chief science officer at Morphisec. Guri told SearchSecurity, "This is considered to be an easy task on the attacker's part. It's important to note that these semi-logic vulnerabilities won't go away and are proof that new approaches like moving target defense should be developed and deployed in many strata of the computer security stack, including operating systems, SQL language, et cetera."

What to do about it?

Williams had some specific suggestions for enterprises concerned about the MySQL vulnerability, starting with controlling access to the database itself. Since any user with SELECT permissions can access the administrative logging functions exploited in the vulnerability, "the configuration files which are normally owned by the MySQL user should be changed so they are owned by another user, such as root, and not writeable by the MySQL user."

"Finally, MySQL reads additional configuration data from my.cnf files," Williams noted. "One location it may read these from, /var/lib/mysql, must continue to have write permissions enabled for the MySQL server. To prevent attackers from writing a my.cnf file in this location as MySQL users, we are advising administrators to write my.cnf files owned by root in any directory where the MySQL user has write permissions."

"In all but extraordinary cases, MySQL should never be exposed to the open internet," said John Bambenek, manager of threat systems at Fidelis Cybersecurity in Waltham, Mass. "Ideally, a database server would be behind a firewall in a standard three-tier design."

Oracle takes heat for its response

"Sometimes vulnerabilities can be complicated to patch and that could be delaying release," Bambenek said. "However, open communication with the researchers should be routine so that such issues are known. That said, considering other database platforms (PerconaDB and MariaDB) were able to patch, it calls into question whether complexity is really the issue for Oracle here. More importantly, Oracle should have developed some mitigation or something to protect enterprises in the meantime."

"Oracle's response to vulnerabilities involving open source projects must be more vigilant than those involving only closed source," Williams said. "Anyone can fork an open source project and they are likely to be notified as well when vulnerabilities are reported. If the open source project patches first, then Oracle's customers are exposed. I think it's clear that quarterly patching cycles are no longer sufficient in today's vulnerability research climate."

As for the takeaway for enterprises, Williams added, "If you aren't comfortable with quarterly patching, vote with your wallet. There are other database solutions out there and seeing Oracle hold to a quarterly patching schedule when open source forks have already patched is very troubling. Changing database engines is very expensive for an enterprise. If this behavior from Oracle continues, I'd definitely recommend examining your options."

"The fact that two other open source projects patched the same vulnerability before Oracle says a lot about their responsiveness," Williams said. "These are obviously serious vulnerabilities and because they are present in other projects, Oracle doesn't get to control the patch release timeline."

"In my opinion, this case is a good illustration of poor interaction between Oracle PR and tech departments," Chastukhin said. "They could have responded to Golunski's report in due time and publicly announced that the vulnerability was not as dangerous as the researcher stated and the patch was already released. In this turn of events, Oracle could have become the winner of the situation."

"What do we have now? A pile of articles with harsh criticism and frustration of system administrators."

This is not the end of the story, though. Golunski noted that "attackers could use one of the other vulnerabilities discovered by the author of this advisory, which has been assigned a CVEID of CVE-2016-6663 and is pending disclosure. The undisclosed vulnerability makes it easy for certain attackers to create /var/lib/mysql/my.cnf file with arbitrary contents without the FILE privilege requirement."

Next Steps

Find out more about mitigating MySQL vulnerabilities.

Learn about what happened to the open source database market after Oracle purchased MySQL.

Read more about how to spot security flaws in open source web applications.


SearchSecurity: Security Wire Daily News

USN-3078-1: MySQL vulnerability | Ubuntu


Ubuntu Security Notices

Vulnerable: Oracle Mysql 5.7.15
Oracle Mysql 5.7.12
Oracle Mysql 5.7.9
Oracle Mysql 5.7.8
Oracle Mysql 5.7.7
Oracle Mysql 5.7.6
Oracle Mysql 5.7.5
Oracle Mysql 5.7.4
Oracle Mysql 5.7.3
Oracle Mysql 5.7.2
Oracle Mysql 5.6.33
Oracle Mysql 5.6.30
Oracle Mysql 5.6.28
Oracle Mysql 5.6.27
Oracle Mysql 5.6.26
Oracle Mysql 5.6.25
Oracle Mysql 5.6.24
Oracle Mysql 5.6.23
Oracle Mysql 5.6.22
Oracle Mysql 5.6.21
Oracle Mysql 5.6.17
Oracle Mysql 5.6.12
Oracle Mysql 5.6.11
Oracle Mysql 5.6.10
Oracle Mysql 5.6.9
Oracle Mysql 5.6.6
Oracle Mysql 5.6.5
Oracle Mysql 5.6
Oracle Mysql 5.5.52
Oracle Mysql 5.5.49
Oracle Mysql 5.5.46
Oracle Mysql 5.5.45
Oracle Mysql 5.5.44
Oracle Mysql 5.5.43
Oracle Mysql 5.5.42
Oracle Mysql 5.5.41
Oracle Mysql 5.5.40
Oracle Mysql 5.5.39
Oracle Mysql 5.5.38
Oracle Mysql 5.5.37
Oracle Mysql 5.5.36
Oracle Mysql 5.5.35
Oracle Mysql 5.5.32
Oracle Mysql 5.5.31
Oracle Mysql 5.5.28
Oracle Mysql 5.5.27
Oracle Mysql 5.5.25
Oracle Mysql 5.5.24
Oracle Mysql 5.5.23
Oracle Mysql 5.5.22
Oracle Mysql 5.5.21
Oracle Mysql 5.5.20
Oracle Mysql 5.5.19
Oracle Mysql 5.5.18
Oracle Mysql 5.5.17
Oracle Mysql 5.5.16
Oracle Mysql 5.5.15
Oracle Mysql 5.5.14
Oracle Mysql 5.5.13
Oracle Mysql 5.5.12
Oracle Mysql 5.5.11
Oracle Mysql 5.5.10
Oracle Mysql 5.7.11
Oracle Mysql 5.7.10
Oracle Mysql 5.6.8
Oracle Mysql 5.6.7
Oracle Mysql 5.6.4
Oracle Mysql 5.6.29
Oracle Mysql 5.6.20
Oracle Mysql 5.6.2
Oracle Mysql 5.6.19
Oracle Mysql 5.6.18
Oracle Mysql 5.6.16
Oracle Mysql 5.6.15
Oracle Mysql 5.6.14
Oracle Mysql 5.6.13
Oracle Mysql 5.5.48
Oracle Mysql 5.5.47
Oracle Mysql 5.5.34
Oracle Mysql 5.5.33
Oracle Mysql 5.5.30
Oracle Mysql 5.5.29
Oracle Mysql 5.5.26


SecurityFocus Vulnerabilities

Vulnerable: Oracle Mysql 5.7.15
Oracle Mysql 5.7.12
Oracle Mysql 5.7.9
Oracle Mysql 5.7.8
Oracle Mysql 5.7.7
Oracle Mysql 5.7.6
Oracle Mysql 5.7.5
Oracle Mysql 5.7.4
Oracle Mysql 5.7.3
Oracle Mysql 5.7.2
Oracle Mysql 5.5.52
Oracle Mysql 5.5.49
Oracle Mysql 5.5.46
Oracle Mysql 5.5.45
Oracle Mysql 5.5.44
Oracle Mysql 5.5.43
Oracle Mysql 5.5.42
Oracle Mysql 5.5.41
Oracle Mysql 5.5.40
Oracle Mysql 5.5.39
Oracle Mysql 5.5.38
Oracle Mysql 5.5.37
Oracle Mysql 5.5.36
Oracle Mysql 5.5.35
Oracle Mysql 5.5.32
Oracle Mysql 5.5.31
Oracle Mysql 5.5.28
Oracle Mysql 5.5.27
Oracle Mysql 5.5.25
Oracle Mysql 5.5.24
Oracle Mysql 5.5.23
Oracle Mysql 5.5.22
Oracle Mysql 5.5.21
Oracle Mysql 5.5.20
Oracle Mysql 5.5.19
Oracle Mysql 5.5.18
Oracle Mysql 5.5.17
Oracle Mysql 5.5.16
Oracle Mysql 5.5.15
Oracle Mysql 5.5.14
Oracle Mysql 5.5.13
Oracle Mysql 5.5.12
Oracle Mysql 5.5.11
Oracle Mysql 5.5.10
Oracle Mysql 5.7.11
Oracle Mysql 5.7.10
Oracle Mysql 5.5.48
Oracle Mysql 5.5.47
Oracle Mysql 5.5.34
Oracle Mysql 5.5.33
Oracle Mysql 5.5.30
Oracle Mysql 5.5.29
Oracle Mysql 5.5.26


SecurityFocus Vulnerabilities

A zero-day exploit could be used to hack MySQL servers. Credit: Gerd Altmann / Pixabay

A publicly disclosed vulnerability in the MySQL database could allow attackers to completely compromise some servers.

The vulnerability affects "all MySQL servers in default configuration in all version branches (5.7, 5.6, and 5.5) including the latest versions," as well as the MySQL-derived databases MariaDB and Percona DB, according to Dawid Golunski, the researcher who found it.

The flaw, tracked as CVE-2016-6662, can be exploited to modify the MySQL configuration file (my.cnf) and cause an attacker-controlled library to be executed with root privileges if the MySQL process is started with the mysqld_safe wrapper script.

The exploit can be executed if the attacker has an authenticated connection to the MySQL service, which is common in shared hosting environments, or through an SQL injection flaw, a common type of vulnerability in websites.

Golunski reported the vulnerability to the developers of all three affected database servers, but only MariaDB and Percona DB received patches so far. Oracle, which develops MySQL, was informed on Jul. 29, according to the researcher, but has yet to fix the flaw.

Oracle releases security updates on a quarterly schedule and the next one is expected in October. However, since the MariaDB and Percona patches have been public since the end of August, the researcher decided to release details about the vulnerability on Monday so that MySQL admins can take action to protect their servers.

Golunski's advisory contains a limited proof-of-concept exploit, but some parts have been intentionally left out to prevent widespread abuse. The researcher also reported a second vulnerability to Oracle, CVE-2016-6663, that could further simplify the attack, but he hasn't published details about it yet.

The disclosure of CVE-2016-6662 was met with some criticism on specialized discussion forums, where some users argued that it's actually a privilege escalation vulnerability and not a remote code execution one as described, because an attacker would need some level of access to the database.

"As temporary mitigations, users should ensure that no mysql config files are owned by mysql user, and create root-owned dummy my.cnf files that are not in use," Golunski said in his advisory. "These are by no means a complete solution and users should apply official vendor patches as soon as they become available."

Oracle didn't immediately respond to a request for comments on the vulnerability.

A security researcher has decided to disclose a critical zero-day vulnerability in the MySQL open-source database software after Oracle failed to release a patch in more than 40 days after being informed of its existence.

Researcher Dawid Golunski reported finding several serious issues in MySQL, including a flaw that can be exploited by remote attackers to inject malicious settings into my.cnf configuration files. The weakness can be leveraged for arbitrary code execution with root privileges, which can lead to the server running MySQL getting completely compromised.

The vulnerability, tracked as CVE-2016-6662, can be exploited by an attacker who can authenticate to the MySQL database via a network connection or a web interface such as phpMyAdmin, and through a SQL injection attack without requiring a direct connection.

Another, undisclosed MySQL vulnerability found by the researcher, identified as CVE-2016-6663, makes this zero-day easy to exploit even by low-privileged attackers.

According to Golunski, the attack works against the default configuration of all MySQL branches, including 5.5, 5.6 and 5.7. Exploitation is possible even if Linux security modules such as AppArmor and SELinux are installed.

The vulnerability also affects MariaDB and PerconaDB, but the developers of these database systems addressed the issue in late August. Oracle was notified about the bug on July 29, but it has yet to release a patch.

Golunski has decided to disclose the vulnerability because the patches released by PerconaDB and MariaDB developers were made available in public repositories, potentially allowing malicious actors to start exploiting the weakness.

The researcher has also published some proof-of-concept (PoC) code. Until Oracle releases patches, he has advised users to apply some temporary workarounds.

“As temporary mitigations, users should ensure that no MySQL config files are owned by MySQL users, and create root-owned dummy my.cnf files that are not in use,” the expert wrote in his advisory. “These are by no means a complete solution and users should apply official vendor patches as soon as they become available.”

Oracle’s next Critical Patch Update (CPU) is scheduled for October 18. SecurityWeek has reached out to the company for clarifications and will update this article if representatives respond.

Previous Columns by Eduard Kovacs:


SecurityWeek RSS Feed

Researcher Dawid Golunski has discovered multiple severe vulnerabilities affecting the popular open source database MySQL and its forks (e.g. MariaDB, Percona).

CVE-2016-6662

One of these – CVE-2016-6662 – can be exploited by attackers to inject malicious settings into MySQL configuration files or create new ones, allowing them to execute arbitrary code with root privileges when the MySQL service is restarted. This could lead to total compromise of the server running the vulnerable MySQL version.

“The vulnerability affects all MySQL servers in default configuration in all version branches (5.7, 5.6, and 5.5) including the latest versions, and could be exploited by both local and remote attackers,” Golunski has explained in an advisory published on Monday.

“Both the authenticated access to MySQL database (via network connection or web interfaces such as phpMyAdmin) and SQL Injection could be used as exploitation vectors.”

So far, Oracle – who acquired the software company that developed MySQL in 2010 – has yet to push out a fix for this and other issues. Golunski reported them to Oracle and the vendors of other affected forks in late July, and Percona and MariaDB vendors have already pushed out new releases that plugged CVE-2016-6662.

As these new releases were accompanied by details about the vulnerability, and Oracle’s next Critical Patch Update is scheduled for 18 October 2016, Golunski has decided to start disclosing the vulnerabilities he found, so that users can do everything in their power to minimize risk of exploitation until patches are made available.

The advisory also contains a limited PoC exploit. A full exploit and details about CVE-2016-6663, the flaw that allows low-privileged attackers to effect the same attack, will be published soon.

“As temporary mitigations, users should ensure that no mysql config files are owned by mysql user, and create root-owned dummy my.cnf files that are not in use,” Golunski advised, but stressed that applying official vendor patches as soon as they become available will be the ultimate solution for this issue.


Help Net Security
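The temporary mitigation quoted in the SearchSecurity piece and in Golunski's advisory above (no option file owned or writable by the mysql service user; a root-owned placeholder my.cnf in every directory that user can write to, such as /var/lib/mysql) as a shell audit. This is an added example, not code from the articles or from the advisory; the service-user name, the option-file locations and the two sample listings are assumptions.

```shell
#!/bin/sh
# Audit MySQL option-file ownership against the CVE-2016-6662 mitigation:
# nothing ending in .cnf may be owned or writable by the service user, and each
# directory that user can write to must already hold a root-owned my.cnf.
# Added example; service-user name, paths and sample listings are assumptions.

# Directories the service user must be able to write to (assumed datadir).
WRITABLE_DIRS="/var/lib/mysql"

# Emit one finding line: "<severity> <path> <reason>".
finding() { printf '%s %s %s\n' "$1" "$2" "$3"; }

# audit_listing SERVICE_USER  (listing on stdin)
# Input lines are "<path> <owner> <octal-mode>", the shape produced by
# GNU find -printf '%p %u %m\n'. Paths containing spaces are not handled.
audit_listing() {
    svc="$1"
    rootdummies=""
    while read -r path owner mode; do
        [ -n "$path" ] || continue
        case "${path##*/}" in
            *.cnf) ;;          # only option files matter here
            *) continue ;;
        esac
        # An option file the service user owns can be rewritten by anything
        # running as that user, which is the precondition the advisory describes.
        if [ "$owner" = "$svc" ]; then
            finding HIGH "$path" "owned-by-$svc"
        fi
        # Group- or world-writable option files are just as exposed to other
        # local accounts; inspect the last two octal digits of the mode.
        w=0
        case "$mode" in *[2367]) w=1 ;; esac
        case "${mode%?}" in *[2367]) w=1 ;; esac
        [ "$w" -eq 0 ] || finding MEDIUM "$path" "group-or-world-writable-$mode"
        # Record which writable directories already hold a root-owned my.cnf.
        for d in $WRITABLE_DIRS; do
            if [ "$path" = "$d/my.cnf" ] && [ "$owner" = root ]; then
                rootdummies="$rootdummies $d"
            fi
        done
    done
    for d in $WRITABLE_DIRS; do
        case " $rootdummies " in
            *" $d "*) ;;
            *) finding HIGH "$d/my.cnf" "no-root-owned-placeholder" ;;
        esac
    done
}

# count_findings SERVICE_USER  (listing on stdin): number of finding lines.
count_findings() { audit_listing "$1" | wc -l | tr -d ' '; }

# audit_live SERVICE_USER: the same check against the real host (needs GNU
# find). The searched locations are the common defaults and an assumption.
audit_live() {
    find /etc/my.cnf /etc/mysql $WRITABLE_DIRS -maxdepth 2 -type f \
        -name '*.cnf' -printf '%p %u %m\n' 2>/dev/null | audit_listing "$1"
}

# Constructed sample listings (not taken from any real host).
SAMPLE_BAD='/etc/my.cnf root 644
/etc/mysql/my.cnf mysql 644
/etc/mysql/conf.d/local.cnf root 666
/var/lib/mysql/ib_logfile0 mysql 660
/var/lib/mysql/my.cnf mysql 644'

SAMPLE_HARDENED='/etc/my.cnf root 644
/etc/mysql/my.cnf root 644
/etc/mysql/conf.d/local.cnf root 644
/var/lib/mysql/my.cnf root 644'

echo "== before hardening (4 findings expected) =="
printf '%s\n' "$SAMPLE_BAD" | audit_listing mysql
echo "== after hardening (no findings expected) =="
printf '%s\n' "$SAMPLE_HARDENED" | audit_listing mysql
```

Run `audit_live mysql` as root on a real host to apply the same check to the live filesystem; a non-empty result means the placeholder or ownership mitigation is still missing there.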

USN-3040-1: MySQL vulnerabilities | Ubuntu


Ubuntu Security Notices