MySQL two critical zero-day vulnerabilities CVE-2016-6662 and CVE-2016-6663

Created:

2016-11-16 13:06:47 UTC

Modified:

2017-06-27 03:59:58 UTC


Applicable to:

  • Plesk

Overview

On September 12th, 2016, two critical zero-day vulnerabilities were discovered in MySQL, the world's 2nd most popular database management software, that could allow an attacker to take full control over the database. These vulnerabilities were assigned CVE-2016-6662 and CVE-2016-6663.

CVE-2016-6662 requires the FILE and SUPER privileges to be granted to a remote MySQL user for a successful exploit, while CVE-2016-6663 has no public disclosure at this moment.

Plesk offers MySQL 5.5 for the CentOS 5, RHEL 5 and CloudLinux 5 operating systems, packaged by the Plesk team as an optional installation. On the Windows platform Plesk also installs MySQL binaries: MySQL 5.5 for Plesk data and MySQL 5.6 (Plesk 12.5) or MySQL 5.1 (Plesk 12.0) for customers' databases.

These packages are not affected by CVE-2016-6662 because Plesk creates MySQL users with the proper privileges; however, CVE-2016-6663 might potentially affect them.

In all other cases the system MySQL server is used, and the corresponding actions should be performed by the system administrator.

Resolution

  1. For Plesk on Windows or on CentOS 5, RHEL 5 or CloudLinux 5 platforms apply the latest updates:
    • Plesk 12.5.30: MU#47
    • Plesk 12.0.18: MU#91
    • Plesk 11.5.30: MU#55

          IMPORTANT: No update will be released for customers' MySQL 5.1 on Plesk 12.0. Please consider one of the possible options:
      a) upgrade Plesk to 12.5, switching to MySQL 5.6
      b) migrate the data to a Plesk 12.5 server
      c) upgrade the MySQL server manually following the article
      d) use the mitigation workaround from point 4 below
  2. The community has already prepared the required patches:

    • MariaDB is expected to be fixed in versions 5.5.51, 10.0.27 and 10.1.17

    • MySQL is expected to be fixed in versions 5.5.52, 5.6.33 and 5.7.15

  3. Please track the corresponding bugs in the vendor's system and install the updates once they are released.

  4. For now, to mitigate possible security threats:

    a. Verify that you have no MySQL users with FILE or SUPER privileges:

    root@plesk:~# MYSQL_PWD=`cat /etc/psa/.psa.shadow` mysql -u admin mysql -e "SELECT User, Host FROM user WHERE User NOT IN ('admin', 'root') AND (File_priv='Y' or Super_priv='Y')"

    b. Use the researcher's advice to protect the my.cnf files: ensure that no MySQL config files are owned by the mysql user, and create root-owned dummy my.cnf files in the locations that are not in use. Although MySQL has no strictly defined location for its configuration file, in most cases it is either "/etc/my.cnf" (RedHat/CentOS/CloudLinux) or "/etc/mysql/my.cnf" (Debian/Ubuntu).

    • RedHat/CentOS/CloudLinux

      Check permissions on default config (should be root:root):

      root@plesk:~# ls -l /etc/my.cnf
      root@plesk:~# chown root:root /etc/my.cnf
      root@plesk:~# chmod 0644 /etc/my.cnf

      Create empty files in the other possible locations:

      root@plesk:~# mkdir /etc/mysql
      root@plesk:~# touch /etc/mysql/my.cnf
      root@plesk:~# touch /var/lib/mysql/my.cnf
      root@plesk:~# touch /var/lib/mysql/.my.cnf
    • Debian/Ubuntu

      Check permissions on default config (should be root:root):

      root@plesk:~# ls -l /etc/mysql/my.cnf
      root@plesk:~# chown root:root /etc/mysql/my.cnf
      root@plesk:~# chmod 0644 /etc/mysql/my.cnf

      Create empty files in the other possible locations:

      root@plesk:~# touch /etc/my.cnf
      root@plesk:~# touch /var/lib/mysql/my.cnf
      root@plesk:~# touch /var/lib/mysql/.my.cnf
    • MySQL 5.1 on Plesk 12.0 for Windows

      Use the attached script to protect the existing MySQL configuration files from writing. Alternatively, you can manually create empty write-protected my.cnf and my.ini files in the default locations:

      %PROGRAMDATA%\MySQL\MySQL Server 5.1\my.ini
      %PROGRAMDATA%\MySQL\MySQL Server 5.1\my.cnf
      %WINDIR%\my.ini
      %WINDIR%\my.cnf
      C:\my.ini
      C:\my.cnf
      BASEDIR\my.ini
      BASEDIR\my.cnf

Note: BASEDIR represents the path name of the MySQL base directory.
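The Linux part of step 4b can be turned into a repeatable check. The script below is an added example written for this article, not Plesk's attached script: it audits the four config locations listed above, flags files that are missing, group/world-writable, or not owned by the expected user, and can create the root-owned 0644 placeholders the article describes. It assumes GNU stat(1); the PREFIX and EXPECTED_OWNER variables are assumptions added so the script can be run against a scratch directory as an unprivileged user (on a real host leave PREFIX empty and EXPECTED_OWNER as root).

```shell
#!/bin/sh
# Added example (not Plesk's attached script): audit and harden the MySQL
# config file locations from step 4b on Linux.
# Assumptions: GNU stat(1); PREFIX is empty on a real host (a scratch
# directory when testing); EXPECTED_OWNER is root on a real host.

PREFIX="${PREFIX:-}"
EXPECTED_OWNER="${EXPECTED_OWNER:-root}"

# The locations the article lists for RedHat/CentOS/CloudLinux and Debian/Ubuntu.
mycnf_candidates() {
    printf '%s\n' \
        "$PREFIX/etc/my.cnf" \
        "$PREFIX/etc/mysql/my.cnf" \
        "$PREFIX/var/lib/mysql/my.cnf" \
        "$PREFIX/var/lib/mysql/.my.cnf"
}

# audit_file PATH
# Returns 0 when PATH exists, belongs to EXPECTED_OWNER and is not writable
# by group or others; 1 when it is missing (a placeholder should be created);
# 2 when it exists but its mode or ownership is wrong.
audit_file() {
    f="$1"
    if [ ! -e "$f" ]; then
        echo "MISSING   $f"
        return 1
    fi
    owner=$(stat -c '%U' "$f")
    perms=$(stat -c '%A' "$f")      # e.g. -rw-r--r--
    case "$perms" in
        ?????w*|????????w*)         # group-write or other-write bit set
            echo "WRITABLE  $f ($perms)"
            return 2 ;;
    esac
    if [ "$owner" != "$EXPECTED_OWNER" ]; then
        echo "BAD OWNER $f (owned by $owner, expected $EXPECTED_OWNER)"
        return 2
    fi
    echo "OK        $f"
    return 0
}

# fix_file PATH: create an empty placeholder if PATH is missing, then apply
# the same chown/chmod the article uses (EXPECTED_OWNER, mode 0644).
fix_file() {
    f="$1"
    [ -e "$f" ] || { mkdir -p "$(dirname "$f")" && : > "$f"; }
    chown "$EXPECTED_OWNER" "$f"
    chmod 0644 "$f"
}

# audit_all: audit every candidate; returns the number of paths needing attention.
audit_all() {
    bad=0
    for f in $(mycnf_candidates); do
        audit_file "$f" || bad=$((bad + 1))
    done
    return $bad
}

# fix_all: harden every candidate location.
fix_all() {
    for f in $(mycnf_candidates); do
        fix_file "$f"
    done
}

# Usage: sh mycnf-audit.sh audit   (read-only report)
#        sh mycnf-audit.sh fix     (create placeholders, fix owner/mode, re-audit)
case "${1:-}" in
    audit) audit_all ;;
    fix)   fix_all && audit_all ;;
esac
```

Running `audit` is read-only and safe to schedule; `fix` touches the four paths only, so a config file living somewhere else (MySQL searches more locations than these, as the article notes) must be checked by hand. A non-zero exit status from `audit` is the count of paths that still need attention, which makes it easy to wire into a monitoring check.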

Attachments:
