ID CVE-2016-6664
Summary mysqld_safe in Oracle MySQL through 5.5.51, 5.6.x through 5.6.32, and 5.7.x through 5.7.14; MariaDB; Percona Server before 5.5.51-38.2, 5.6.x before 5.6.32-78-1, and 5.7.x before 5.7.14-8; and Percona XtraDB Cluster before 5.5.41-37.0, 5.6.x before 5.6.32-25.17, and 5.7.x before 5.7.14-26.17, when using file-based logging, allows local users with access to the mysql account to gain root privileges via a symlink attack on error logs and possibly other files.
References
Vulnerable Configurations
  • MariaDB
    cpe:2.3:a:mariadb:mariadb
  • Percona XtraDB Cluster 5.5
    cpe:2.3:a:percona:xtradb_cluster:5.5
  • Percona XtraDB Cluster 5.5.27-23.6
    cpe:2.3:a:percona:xtradb_cluster:5.5.27-23.6
  • Percona XtraDB Cluster 5.5.29-23.7.1
    cpe:2.3:a:percona:xtradb_cluster:5.5.29-23.7.1
  • Percona XtraDB Cluster 5.5.29-23.7.2
    cpe:2.3:a:percona:xtradb_cluster:5.5.29-23.7.2
  • Percona XtraDB Cluster 5.5.30-23.7.4
    cpe:2.3:a:percona:xtradb_cluster:5.5.30-23.7.4
  • Percona XtraDB Cluster 5.5.31-23.7.5
    cpe:2.3:a:percona:xtradb_cluster:5.5.31-23.7.5
  • Percona XtraDB Cluster 5.5.34-25.9
    cpe:2.3:a:percona:xtradb_cluster:5.5.34-25.9
  • Percona XtraDB Cluster 5.5.37-25.10
    cpe:2.3:a:percona:xtradb_cluster:5.5.37-25.10
  • Percona XtraDB Cluster 5.5.39-25.11
    cpe:2.3:a:percona:xtradb_cluster:5.5.39-25.11
  • Percona XtraDB Cluster 5.6
    cpe:2.3:a:percona:xtradb_cluster:5.6
  • Percona XtraDB Cluster 5.6.14-25.1
    cpe:2.3:a:percona:xtradb_cluster:5.6.14-25.1
  • Percona XtraDB Cluster 5.6.15-25.2
    cpe:2.3:a:percona:xtradb_cluster:5.6.15-25.2
  • Percona XtraDB Cluster 5.6.15-25.3
    cpe:2.3:a:percona:xtradb_cluster:5.6.15-25.3
  • Percona XtraDB Cluster 5.6.15-25.4
    cpe:2.3:a:percona:xtradb_cluster:5.6.15-25.4
  • Percona XtraDB Cluster 5.6.15-25.5
    cpe:2.3:a:percona:xtradb_cluster:5.6.15-25.5
  • Percona XtraDB Cluster 5.6.19-25.6
    cpe:2.3:a:percona:xtradb_cluster:5.6.19-25.6
  • Percona XtraDB Cluster 5.6.20-25.7
    cpe:2.3:a:percona:xtradb_cluster:5.6.20-25.7
  • Percona XtraDB Cluster 5.6.21-25.8
    cpe:2.3:a:percona:xtradb_cluster:5.6.21-25.8
  • Percona XtraDB Cluster 5.6.22-25.8
    cpe:2.3:a:percona:xtradb_cluster:5.6.22-25.8
  • Percona XtraDB Cluster 5.6.24-25.11
    cpe:2.3:a:percona:xtradb_cluster:5.6.24-25.11
  • Percona XtraDB Cluster 5.6.25-25.12
    cpe:2.3:a:percona:xtradb_cluster:5.6.25-25.12
  • Percona XtraDB Cluster 5.6.26-25.12
    cpe:2.3:a:percona:xtradb_cluster:5.6.26-25.12
  • Percona XtraDB Cluster 5.6.27-25.13
    cpe:2.3:a:percona:xtradb_cluster:5.6.27-25.13
  • Percona XtraDB Cluster 5.6.28-25.14
    cpe:2.3:a:percona:xtradb_cluster:5.6.28-25.14
  • Percona XtraDB Cluster 5.6.29-25.15
    cpe:2.3:a:percona:xtradb_cluster:5.6.29-25.15
  • Percona XtraDB Cluster 5.6.30-25.16
    cpe:2.3:a:percona:xtradb_cluster:5.6.30-25.16
  • Percona XtraDB Cluster 5.6.30-25.16.2
    cpe:2.3:a:percona:xtradb_cluster:5.6.30-25.16.2
  • Percona XtraDB Cluster 5.6.30-25.16.3
    cpe:2.3:a:percona:xtradb_cluster:5.6.30-25.16.3
  • Percona XtraDB Cluster 5.7
    cpe:2.3:a:percona:xtradb_cluster:5.7
  • Percona XtraDB Cluster 5.7.11-4 Beta-25.14.2
    cpe:2.3:a:percona:xtradb_cluster:5.7.11-4:beta-25.14.2
  • Percona XtraDB Cluster 5.7.11-25.14.2 Beta
    cpe:2.3:a:percona:xtradb_cluster:5.7.11-25.14.2:beta
  • Percona XtraDB Cluster 5.7.12-26.16 Release Candidate 1
    cpe:2.3:a:percona:xtradb_cluster:5.7.12-26.16:rc1
CVSS
Base: 6.9 (as of 16-12-2016 - 15:32)
Impact:
Exploitability:
CWE CWE-59
CAPEC
  • Symlink Attack
    An attacker positions a symbolic link in such a manner that the targeted user or application accesses the link's endpoint, assuming that it is accessing a file with the link's name. The endpoint file may be either output or input. If the file is output, the result is that the endpoint is modified, instead of a file at the intended location. Modifications to the endpoint file may include appending, overwriting, corrupting, changing permissions, or other modifications. In some variants of this attack the attacker may be able to control the change to a file while in other cases they cannot. The former is especially damaging since the attacker may be able to grant themselves increased privileges or insert false information, but the latter can also be damaging as it can expose sensitive information or corrupt or destroy vital system or application files. Alternatively, the endpoint file may serve as input to the targeted application. This can be used to feed malformed input into the target or to cause the target to process different information, possibly allowing the attacker to control the actions of the target or to cause the target to expose information to the attacker. Moreover, the actions taken on the endpoint file are undertaken with the permissions of the targeted user or application, which may exceed the permissions that the attacker would normally have.
  • Accessing, Modifying or Executing Executable Files
    An attack of this type exploits a system's configuration that allows an attacker to either directly access an executable file, for example through shell access; or in a possible worst case allows an attacker to upload a file and then execute it. Web servers, ftp servers, and message oriented middleware systems which have many integration points are particularly vulnerable, because both the programmers and the administrators must be in synch regarding the interfaces and the correct privileges for each interface.
  • Leverage Executable Code in Non-Executable Files
    An attack of this type exploits a system's trust in configuration and resource files: when the executable loads a resource (such as an image file or configuration file), the attacker has modified that file either to execute malicious code directly or to manipulate the target process (e.g. an application server) into acting on malicious configuration parameters. Since systems are increasingly interrelated, mashing up resources from local and remote sources, the possibility of this attack occurring is high. The attack can be directed at a client system, such as causing a buffer overrun through loading seemingly benign image files, as in Microsoft Security Bulletin MS04-028, where specially crafted JPEG files could cause a buffer overrun once loaded into the browser. Another example targets clients reading PDF files. In this case the attacker simply appends JavaScript to the end of a legitimate URL for a PDF (http://www.gnucitizen.org/blog/danger-danger-danger/): http://path/to/pdf/file.pdf#whatever_name_you_want=javascript:your_code_here The client assumes that it is reading a PDF, but the attacker has modified the resource and loaded executable JavaScript into the client's browser process. The attack can also target server processes. The attacker edits the resource or configuration file, for example a web.xml file used to configure security permissions for a J2EE app server; adding the role name "public" grants all users with the public role the ability to use the administration functionality. The server trusts its configuration file to be correct, but when it is manipulated, the attacker gains full control.
  • Manipulating Input to File System Calls
    An attacker manipulates inputs to the target software which the target software passes to file system calls in the OS. The goal is to gain access to, and perhaps modify, areas of the file system that the target software did not intend to be accessible.
Access
Vector Complexity Authentication
LOCAL MEDIUM NONE
Impact
Confidentiality Integrity Availability
COMPLETE COMPLETE COMPLETE
exploit-db via4
description MySQL / MariaDB / PerconaDB 5.5.x/5.6.x/5.7.x - 'root' Privilege Escalation. CVE-2016-5617,CVE-2016-6664. Local exploit for Linux platform
file exploits/linux/local/40679.sh
id EDB-ID:40679
last seen 2016-11-02
modified 2016-11-01
platform linux
port
published 2016-11-01
reporter Dawid Golunski
source https://www.exploit-db.com/download/40679/
title MySQL / MariaDB / PerconaDB 5.5.x/5.6.x/5.7.x - 'root' Privilege Escalation
type local
metasploit via4
description
id MSF:EXPLOIT/LINUX/LOCAL/MYSQL_PRIV_ESC
last seen 2017-01-23
modified 1970-01-01
published 2016-11-25
references
reliability Good
reporter Rapid7
source https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/linux/local/mysql_priv_esc.rb
title CVE-2016-6664 MySQL / MariaDB / Percona - Root Privilege Escalation
nessus via4
  • NASL family Databases
    NASL id MARIADB_10_0_29.NASL
    description The version of MariaDB running on the remote host is 10.0.x prior to 10.0.29. It is, therefore, affected by multiple vulnerabilities : - A privilege escalation vulnerability exists in scripts/mysqld_safe.sh due to improper handling of arguments to malloc-lib. A local attacker can exploit this, via a symlink attack on error logs, to gain root privileges. (CVE-2016-6664) - A denial of service vulnerability exists in the check_duplicate_key() function due to improper handling of error messages. An authenticated, remote attacker can exploit this to crash the database. - A denial of service vulnerability exists in the destroy() function in sql/sql_select.cc due to improper handling of a specially crafted query. An authenticated, remote attacker can exploit this to crash the database. - A denial of service vulnerability exists in the date_add_interval() function in sql/sql_time.cc due to improper handling of INTERVAL arguments. An authenticated, remote attacker can exploit this to crash the database. - A denial of service vulnerability exists in sql/item_subselect.cc due to improper handling of queries from the select/unit tree. An authenticated, remote attacker can exploit this to crash the database. - A denial of service vulnerability exists in the check_well_formed_result() function in sql/item.cc due to improper handling of row validation. An authenticated, remote attacker can exploit this to crash the database. - A denial of service vulnerability exists in the safe_charset_converter() function in sql/item.cc due to improper handling of a specially crafted subselect query item. An authenticated, remote attacker can exploit this to crash the database.
    last seen 2019-02-21
    modified 2019-01-02
    plugin id 96486
    published 2017-01-13
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=96486
    title MariaDB 10.0.x < 10.0.29 Multiple Vulnerabilities
  • NASL family CentOS Local Security Checks
    NASL id CENTOS_RHSA-2017-2192.NASL
    description An update for mariadb is now available for Red Hat Enterprise Linux 7. Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. MariaDB is a multi-user, multi-threaded SQL database server that is binary compatible with MySQL. The following packages have been upgraded to a later upstream version: mariadb (5.5.56). (BZ#1458933) Security Fix(es) : * It was discovered that the mysql and mysqldump tools did not correctly handle database and table names containing newline characters. A database user with privileges to create databases or tables could cause the mysql command to execute arbitrary shell or SQL commands while restoring database backup created using the mysqldump tool. (CVE-2016-5483, CVE-2017-3600) * A flaw was found in the way the mysqld_safe script handled creation of error log file. The mysql operating system user could use this flaw to escalate their privileges to root. (CVE-2016-5617, CVE-2016-6664) * Multiple flaws were found in the way the MySQL init script handled initialization of the database data directory and permission setting on the error log file. The mysql operating system user could use these flaws to escalate their privileges to root. (CVE-2017-3265) * It was discovered that the mysqld_safe script honored the ledir option value set in a MySQL configuration file. A user able to modify one of the MySQL configuration files could use this flaw to escalate their privileges to root. (CVE-2017-3291) * Multiple flaws were found in the way the mysqld_safe script handled creation of error log file. The mysql operating system user could use these flaws to escalate their privileges to root. (CVE-2017-3312) * A flaw was found in the way MySQL client library (libmysqlclient) handled prepared statements when server connection was lost. A malicious server or a man-in-the-middle attacker could possibly use this flaw to crash an application using libmysqlclient. (CVE-2017-3302) * This update fixes several vulnerabilities in the MariaDB database server. Information about these flaws can be found on the Oracle Critical Patch Update Advisory page, listed in the References section. (CVE-2017-3238, CVE-2017-3243, CVE-2017-3244, CVE-2017-3258, CVE-2017-3308, CVE-2017-3309, CVE-2017-3313, CVE-2017-3317, CVE-2017-3318, CVE-2017-3453, CVE-2017-3456, CVE-2017-3464) Additional Changes : For detailed information on changes in this release, see the Red Hat Enterprise Linux 7.4 Release Notes linked from the References section.
    last seen 2019-02-21
    modified 2018-11-10
    plugin id 102755
    published 2017-08-25
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=102755
    title CentOS 7 : mariadb (CESA-2017:2192)
  • NASL family Scientific Linux Local Security Checks
    NASL id SL_20170801_MARIADB_ON_SL7_X.NASL
    description The following packages have been upgraded to a later upstream version: mariadb (5.5.56). Security Fix(es) : - It was discovered that the mysql and mysqldump tools did not correctly handle database and table names containing newline characters. A database user with privileges to create databases or tables could cause the mysql command to execute arbitrary shell or SQL commands while restoring database backup created using the mysqldump tool. (CVE-2016-5483, CVE-2017-3600) - A flaw was found in the way the mysqld_safe script handled creation of error log file. The mysql operating system user could use this flaw to escalate their privileges to root. (CVE-2016-5617, CVE-2016-6664) - Multiple flaws were found in the way the MySQL init script handled initialization of the database data directory and permission setting on the error log file. The mysql operating system user could use these flaws to escalate their privileges to root. (CVE-2017-3265) - It was discovered that the mysqld_safe script honored the ledir option value set in a MySQL configuration file. A user able to modify one of the MySQL configuration files could use this flaw to escalate their privileges to root. (CVE-2017-3291) - Multiple flaws were found in the way the mysqld_safe script handled creation of error log file. The mysql operating system user could use these flaws to escalate their privileges to root. (CVE-2017-3312) - A flaw was found in the way MySQL client library (libmysqlclient) handled prepared statements when server connection was lost. A malicious server or a man-in-the-middle attacker could possibly use this flaw to crash an application using libmysqlclient. (CVE-2017-3302) (CVE-2017-3238, CVE-2017-3243, CVE-2017-3244, CVE-2017-3258, CVE-2017-3308, CVE-2017-3309, CVE-2017-3313, CVE-2017-3317, CVE-2017-3318, CVE-2017-3453, CVE-2017-3456, CVE-2017-3464)
    last seen 2019-02-21
    modified 2018-12-27
    plugin id 102648
    published 2017-08-22
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=102648
    title Scientific Linux Security Update : mariadb on SL7.x x86_64
  • NASL family Huawei Local Security Checks
    NASL id EULEROS_SA-2017-1170.NASL
    description According to the versions of the mariadb packages installed, the EulerOS installation on the remote host is affected by the following vulnerabilities : - It was discovered that the mysql and mysqldump tools did not correctly handle database and table names containing newline characters. A database user with privileges to create databases or tables could cause the mysql command to execute arbitrary shell or SQL commands while restoring database backup created using the mysqldump tool. (CVE-2016-5483, CVE-2017-3600) - A flaw was found in the way the mysqld_safe script handled creation of error log file. The mysql operating system user could use this flaw to escalate their privileges to root. (CVE-2016-5617, CVE-2016-6664) - Multiple flaws were found in the way the MySQL init script handled initialization of the database data directory and permission setting on the error log file. The mysql operating system user could use these flaws to escalate their privileges to root. (CVE-2017-3265) - It was discovered that the mysqld_safe script honored the ledir option value set in a MySQL configuration file. A user able to modify one of the MySQL configuration files could use this flaw to escalate their privileges to root. (CVE-2017-3291) - Multiple flaws were found in the way the mysqld_safe script handled creation of error log file. The mysql operating system user could use these flaws to escalate their privileges to root. (CVE-2017-3312) - A flaw was found in the way MySQL client library (libmysqlclient) handled prepared statements when server connection was lost. A malicious server or a man-in-the-middle attacker could possibly use this flaw to crash an application using libmysqlclient. (CVE-2017-3302) - This update fixes several vulnerabilities in the MariaDB database server. Information about these flaws can be found on the Oracle Critical Patch Update Advisory page, listed in the References section. (CVE-2017-3238, CVE-2017-3243, CVE-2017-3244, CVE-2017-3258, CVE-2017-3308, CVE-2017-3309, CVE-2017-3313, CVE-2017-3317, CVE-2017-3318, CVE-2017-3453, CVE-2017-3456, CVE-2017-3464) Note that Tenable Network Security has extracted the preceding description block directly from the EulerOS security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen 2019-02-21
    modified 2018-11-14
    plugin id 103008
    published 2017-09-08
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=103008
    title EulerOS 2.0 SP2 : mariadb (EulerOS-SA-2017-1170)
  • NASL family Red Hat Local Security Checks
    NASL id REDHAT-RHSA-2017-2192.NASL
    description An update for mariadb is now available for Red Hat Enterprise Linux 7. Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. MariaDB is a multi-user, multi-threaded SQL database server that is binary compatible with MySQL. The following packages have been upgraded to a later upstream version: mariadb (5.5.56). (BZ#1458933) Security Fix(es) : * It was discovered that the mysql and mysqldump tools did not correctly handle database and table names containing newline characters. A database user with privileges to create databases or tables could cause the mysql command to execute arbitrary shell or SQL commands while restoring database backup created using the mysqldump tool. (CVE-2016-5483, CVE-2017-3600) * A flaw was found in the way the mysqld_safe script handled creation of error log file. The mysql operating system user could use this flaw to escalate their privileges to root. (CVE-2016-5617, CVE-2016-6664) * Multiple flaws were found in the way the MySQL init script handled initialization of the database data directory and permission setting on the error log file. The mysql operating system user could use these flaws to escalate their privileges to root. (CVE-2017-3265) * It was discovered that the mysqld_safe script honored the ledir option value set in a MySQL configuration file. A user able to modify one of the MySQL configuration files could use this flaw to escalate their privileges to root. (CVE-2017-3291) * Multiple flaws were found in the way the mysqld_safe script handled creation of error log file. The mysql operating system user could use these flaws to escalate their privileges to root. (CVE-2017-3312) * A flaw was found in the way MySQL client library (libmysqlclient) handled prepared statements when server connection was lost. A malicious server or a man-in-the-middle attacker could possibly use this flaw to crash an application using libmysqlclient. (CVE-2017-3302) * This update fixes several vulnerabilities in the MariaDB database server. Information about these flaws can be found on the Oracle Critical Patch Update Advisory page, listed in the References section. (CVE-2017-3238, CVE-2017-3243, CVE-2017-3244, CVE-2017-3258, CVE-2017-3308, CVE-2017-3309, CVE-2017-3313, CVE-2017-3317, CVE-2017-3318, CVE-2017-3453, CVE-2017-3456, CVE-2017-3464) Additional Changes : For detailed information on changes in this release, see the Red Hat Enterprise Linux 7.4 Release Notes linked from the References section.
    last seen 2019-02-21
    modified 2018-11-26
    plugin id 102152
    published 2017-08-03
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=102152
    title RHEL 7 : mariadb (RHSA-2017:2192)
  • NASL family FreeBSD Local Security Checks
    NASL id FREEBSD_PKG_22373C43D72811E6A9A5B499BAEBFEAF.NASL
    description The MySQL project reports : - CVE-2016-3492: Remote security vulnerability in 'Server: Optimizer' sub component. - CVE-2016-5616, CVE-2016-6663: Race condition allows local users with certain permissions to gain privileges by leveraging use of my_copystat by REPAIR TABLE to repair a MyISAM table. - CVE-2016-5617, CVE-2016-6664: mysqld_safe, when using file-based logging, allows local users with access to the mysql account to gain root privileges via a symlink attack on error logs and possibly other files. - CVE-2016-5624: Remote security vulnerability in 'Server: DML' sub component. - CVE-2016-5626: Remote security vulnerability in 'Server: GIS' sub component. - CVE-2016-5629: Remote security vulnerability in 'Server: Federated' sub component. - CVE-2016-8283: Remote security vulnerability in 'Server: Types' sub component.
    last seen 2019-02-21
    modified 2018-11-21
    plugin id 96510
    published 2017-01-16
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=96510
    title FreeBSD : MySQL -- multiple vulnerabilities (22373c43-d728-11e6-a9a5-b499baebfeaf)
  • NASL family Huawei Local Security Checks
    NASL id EULEROS_SA-2017-1169.NASL
    description According to the versions of the mariadb packages installed, the EulerOS installation on the remote host is affected by the following vulnerabilities : - It was discovered that the mysql and mysqldump tools did not correctly handle database and table names containing newline characters. A database user with privileges to create databases or tables could cause the mysql command to execute arbitrary shell or SQL commands while restoring database backup created using the mysqldump tool. (CVE-2016-5483, CVE-2017-3600) - A flaw was found in the way the mysqld_safe script handled creation of error log file. The mysql operating system user could use this flaw to escalate their privileges to root. (CVE-2016-5617, CVE-2016-6664) - Multiple flaws were found in the way the MySQL init script handled initialization of the database data directory and permission setting on the error log file. The mysql operating system user could use these flaws to escalate their privileges to root. (CVE-2017-3265) - It was discovered that the mysqld_safe script honored the ledir option value set in a MySQL configuration file. A user able to modify one of the MySQL configuration files could use this flaw to escalate their privileges to root. (CVE-2017-3291) - Multiple flaws were found in the way the mysqld_safe script handled creation of error log file. The mysql operating system user could use these flaws to escalate their privileges to root. (CVE-2017-3312) - A flaw was found in the way MySQL client library (libmysqlclient) handled prepared statements when server connection was lost. A malicious server or a man-in-the-middle attacker could possibly use this flaw to crash an application using libmysqlclient. (CVE-2017-3302) - This update fixes several vulnerabilities in the MariaDB database server. Information about these flaws can be found on the Oracle Critical Patch Update Advisory page, listed in the References section. (CVE-2017-3238, CVE-2017-3243, CVE-2017-3244, CVE-2017-3258, CVE-2017-3308, CVE-2017-3309, CVE-2017-3313, CVE-2017-3317, CVE-2017-3318, CVE-2017-3453, CVE-2017-3456, CVE-2017-3464) Note that Tenable Network Security has extracted the preceding description block directly from the EulerOS security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen 2019-02-21
    modified 2018-11-14
    plugin id 103007
    published 2017-09-08
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=103007
    title EulerOS 2.0 SP1 : mariadb (EulerOS-SA-2017-1169)
  • NASL family Databases
    NASL id MARIADB_5_5_54.NASL
    description The version of MariaDB running on the remote host is 5.5.x prior to 5.5.54. It is, therefore, affected by multiple vulnerabilities : - A privilege escalation vulnerability exists in scripts/mysqld_safe.sh due to improper handling of arguments to malloc-lib. A local attacker can exploit this, via a symlink attack on error logs, to gain root privileges. (CVE-2016-6664) - A denial of service vulnerability exists in sql/item_subselect.cc due to improper handling of queries from the select/unit tree. An authenticated, remote attacker can exploit this to crash the database. - A denial of service vulnerability exists in the check_well_formed_result() function in sql/item.cc due to improper handling of row validation. An authenticated, remote attacker can exploit this to crash the database. - A denial of service vulnerability exists in the parse_filter_rule() function in sql/rpl_filter.cc that is triggered during the clearing of wildcards. An authenticated, remote attacker can exploit this to crash the database. - A denial of service vulnerability exists in the safe_charset_converter() function in sql/item.cc due to improper handling of a specially crafted subselect query item. An authenticated, remote attacker can exploit this to crash the database. - A denial of service vulnerability exists in the st_select_lex::is_merged_child_of() function in sql/sql_lex.cc due to improper handling of merged views or derived tables. An authenticated, remote attacker can exploit this to crash the database. - A denial of service vulnerability exists in sql/item.cc due to improper handling of a specially crafted subquery. An authenticated, remote attacker can exploit this to crash the database.
    last seen 2019-02-21
    modified 2019-01-02
    plugin id 96489
    published 2017-01-13
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=96489
    title MariaDB 5.5.x < 5.5.54 Multiple Vulnerabilities
  • NASL family SuSE Local Security Checks
    NASL id OPENSUSE-2017-257.NASL
    description This mariadb version update to 10.0.29 fixes the following issues : - CVE-2017-3318: unspecified vulnerability affecting Error Handling (bsc#1020896) - CVE-2017-3317: unspecified vulnerability affecting Logging (bsc#1020894) - CVE-2017-3312: insecure error log file handling in mysqld_safe, incomplete CVE-2016-6664 (bsc#1020873) - CVE-2017-3291: unrestricted mysqld_safe's ledir (bsc#1020884) - CVE-2017-3265: unsafe chmod/chown use in init script (bsc#1020885) - CVE-2017-3258: unspecified vulnerability in the DDL component (bsc#1020875) - CVE-2017-3257: unspecified vulnerability affecting InnoDB (bsc#1020878) - CVE-2017-3244: unspecified vulnerability affecting the DML component (bsc#1020877) - CVE-2017-3243: unspecified vulnerability affecting the Charsets component (bsc#1020891) - CVE-2017-3238: unspecified vulnerability affecting the Optimizer component (bsc#1020882) - CVE-2016-6664: Root Privilege Escalation (bsc#1008253) - Applications using the client library for MySQL (libmysqlclient.so) had a use-after-free issue that could cause the applications to crash (bsc#1022428) - notable changes : - XtraDB updated to 5.6.34-79.1 - TokuDB updated to 5.6.34-79.1 - Innodb updated to 5.6.35 - Performance Schema updated to 5.6.35 Release notes and changelog : - https://kb.askmonty.org/en/mariadb-10029-release-notes - https://kb.askmonty.org/en/mariadb-10029-changelog This update was imported from the SUSE:SLE-12-SP1:Update update project.
    last seen 2019-02-21
    modified 2018-11-19
    plugin id 97277
    published 2017-02-21
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=97277
    title openSUSE Security Update : mariadb (openSUSE-2017-257)
  • NASL family Debian Local Security Checks
    NASL id DEBIAN_DSA-3770.NASL
    description Several issues have been discovered in the MariaDB database server. The vulnerabilities are addressed by upgrading MariaDB to the new upstream version 10.0.29. Please see the MariaDB 10.0 Release Notes for further details : - https://mariadb.com/kb/en/mariadb/mariadb-10029-release-notes/
    last seen 2019-02-21
    modified 2018-11-19
    plugin id 96669
    published 2017-01-23
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=96669
    title Debian DSA-3770-1 : mariadb-10.0 - security update
  • NASL family SuSE Local Security Checks
    NASL id SUSE_SU-2017-0408-1.NASL
    description This mysql version update to 5.5.54 fixes the following issues : - CVE-2017-3318: Unspecified vulnerability affecting Error Handling (bsc#1020896) - CVE-2017-3317: Unspecified vulnerability affecting Logging (bsc#1020894) - CVE-2017-3313: Unspecified vulnerability affecting the MyISAM component (bsc#1020890) - CVE-2017-3312: Insecure error log file handling in mysqld_safe, incomplete CVE-2016-6664 (bsc#1020873) - CVE-2017-3291: Unrestricted mysqld_safe's ledir (bsc#1020884) - CVE-2017-3265: Unsafe chmod/chown use in init script (bsc#1020885) - CVE-2017-3258: Unspecified vulnerability in the DDL component (bsc#1020875) - CVE-2017-3244: Unspecified vulnerability affecting the DML component (bsc#1020877) - CVE-2017-3243: Unspecified vulnerability affecting the Charsets component (bsc#1020891) - CVE-2017-3238: Unspecified vulnerability affecting the Optimizer component (bsc#1020882) - Applications using the client library for MySQL (libmysqlclient.so) had a use-after-free issue that could cause the applications to crash (bsc#1022428) Release Notes: http://dev.mysql.com/doc/relnotes/mysql/5.5/en/news-5-5-54.html Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen 2019-02-21
    modified 2018-11-30
    plugin id 97046
    published 2017-02-07
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=97046
    title SUSE SLES11 Security Update : mysql (SUSE-SU-2017:0408-1)
  • NASL family Gentoo Local Security Checks
    NASL id GENTOO_GLSA-201702-18.NASL
    description The remote host is affected by the vulnerability described in GLSA-201702-18 (MariaDB: Multiple vulnerabilities) Multiple vulnerabilities have been discovered in MariaDB. Please review the CVE identifiers referenced below for details. Impact : An attacker could possibly escalate privileges, gain access to critical data or complete access to all MariaDB Server accessible data, or cause a Denial of Service condition via unspecified vectors. Workaround : There is no known workaround at this time.
    last seen 2019-02-21
    modified 2018-07-26
    plugin id 97261
    published 2017-02-21
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=97261
    title GLSA-201702-18 : MariaDB: Multiple vulnerabilities
  • NASL family SuSE Local Security Checks
    NASL id SUSE_SU-2017-0412-1.NASL
    description This mariadb version update to 10.0.29 fixes the following issues : - CVE-2017-3318: unspecified vulnerability affecting Error Handling (bsc#1020896) - CVE-2017-3317: unspecified vulnerability affecting Logging (bsc#1020894) - CVE-2017-3312: insecure error log file handling in mysqld_safe, incomplete CVE-2016-6664 (bsc#1020873) - CVE-2017-3291: unrestricted mysqld_safe's ledir (bsc#1020884) - CVE-2017-3265: unsafe chmod/chown use in init script (bsc#1020885) - CVE-2017-3258: unspecified vulnerability in the DDL component (bsc#1020875) - CVE-2017-3257: unspecified vulnerability affecting InnoDB (bsc#1020878) - CVE-2017-3244: unspecified vulnerability affecting the DML component (bsc#1020877) - CVE-2017-3243: unspecified vulnerability affecting the Charsets component (bsc#1020891) - CVE-2017-3238: unspecified vulnerability affecting the Optimizer component (bsc#1020882) - CVE-2016-6664: Root Privilege Escalation (bsc#1008253) - Applications using the client library for MySQL (libmysqlclient.so) had a use-after-free issue that could cause the applications to crash (bsc#1022428) - notable changes : - XtraDB updated to 5.6.34-79.1 - TokuDB updated to 5.6.34-79.1 - Innodb updated to 5.6.35 - Performance Schema updated to 5.6.35 Release notes and changelog : - https://kb.askmonty.org/en/mariadb-10029-release-notes - https://kb.askmonty.org/en/mariadb-10029-changelog Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen 2019-02-21
    modified 2018-11-30
    plugin id 97064
    published 2017-02-08
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=97064
    title SUSE SLED12 / SLES12 Security Update : mariadb (SUSE-SU-2017:0412-1)
  • NASL family Slackware Local Security Checks
    NASL id SLACKWARE_SSA_2017-018-01.NASL
    description New mariadb packages are available for Slackware 14.1, 14.2, and -current to fix security issues.
    last seen 2018-09-01
    modified 2018-07-26
    plugin id 96612
    published 2017-01-19
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=96612
    title Slackware 14.1 / 14.2 / current : mariadb (SSA:2017-018-01)
  • NASL family SuSE Local Security Checks
    NASL id SUSE_SU-2017-0411-1.NASL
    description This mariadb version update to 10.0.29 fixes the following issues : - CVE-2017-3318: unspecified vulnerability affecting Error Handling (bsc#1020896) - CVE-2017-3317: unspecified vulnerability affecting Logging (bsc#1020894) - CVE-2017-3312: insecure error log file handling in mysqld_safe, incomplete CVE-2016-6664 (bsc#1020873) - CVE-2017-3291: unrestricted mysqld_safe's ledir (bsc#1020884) - CVE-2017-3265: unsafe chmod/chown use in init script (bsc#1020885) - CVE-2017-3258: unspecified vulnerability in the DDL component (bsc#1020875) - CVE-2017-3257: unspecified vulnerability affecting InnoDB (bsc#1020878) - CVE-2017-3244: unspecified vulnerability affecting the DML component (bsc#1020877) - CVE-2017-3243: unspecified vulnerability affecting the Charsets component (bsc#1020891) - CVE-2017-3238: unspecified vulnerability affecting the Optimizer component (bsc#1020882) - CVE-2016-6664: Root Privilege Escalation (bsc#1008253) - Applications using the client library for MySQL (libmysqlclient.so) had a use-after-free issue that could cause the applications to crash (bsc#1022428) - notable changes : - XtraDB updated to 5.6.34-79.1 - TokuDB updated to 5.6.34-79.1 - Innodb updated to 5.6.35 - Performance Schema updated to 5.6.35 Release notes and changelog : - https://kb.askmonty.org/en/mariadb-10029-release-notes - https://kb.askmonty.org/en/mariadb-10029-changelog Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen 2019-02-21
    modified 2018-11-30
    plugin id 97063
    published 2017-02-08
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=97063
    title SUSE SLES12 Security Update : mariadb (SUSE-SU-2017:0411-1)
  • NASL family Oracle Linux Local Security Checks
    NASL id ORACLELINUX_ELSA-2017-2192.NASL
    description From Red Hat Security Advisory 2017:2192 : An update for mariadb is now available for Red Hat Enterprise Linux 7. Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. MariaDB is a multi-user, multi-threaded SQL database server that is binary compatible with MySQL. The following packages have been upgraded to a later upstream version: mariadb (5.5.56). (BZ#1458933) Security Fix(es) : * It was discovered that the mysql and mysqldump tools did not correctly handle database and table names containing newline characters. A database user with privileges to create databases or tables could cause the mysql command to execute arbitrary shell or SQL commands while restoring database backup created using the mysqldump tool. (CVE-2016-5483, CVE-2017-3600) * A flaw was found in the way the mysqld_safe script handled creation of error log file. The mysql operating system user could use this flaw to escalate their privileges to root. (CVE-2016-5617, CVE-2016-6664) * Multiple flaws were found in the way the MySQL init script handled initialization of the database data directory and permission setting on the error log file. The mysql operating system user could use these flaws to escalate their privileges to root. (CVE-2017-3265) * It was discovered that the mysqld_safe script honored the ledir option value set in a MySQL configuration file. A user able to modify one of the MySQL configuration files could use this flaw to escalate their privileges to root. (CVE-2017-3291) * Multiple flaws were found in the way the mysqld_safe script handled creation of error log file. The mysql operating system user could use these flaws to escalate their privileges to root. (CVE-2017-3312) * A flaw was found in the way MySQL client library (libmysqlclient) handled prepared statements when server connection was lost. A malicious server or a man-in-the-middle attacker could possibly use this flaw to crash an application using libmysqlclient. (CVE-2017-3302) * This update fixes several vulnerabilities in the MariaDB database server. Information about these flaws can be found on the Oracle Critical Patch Update Advisory page, listed in the References section. (CVE-2017-3238, CVE-2017-3243, CVE-2017-3244, CVE-2017-3258, CVE-2017-3308, CVE-2017-3309, CVE-2017-3313, CVE-2017-3317, CVE-2017-3318, CVE-2017-3453, CVE-2017-3456, CVE-2017-3464) Additional Changes : For detailed information on changes in this release, see the Red Hat Enterprise Linux 7.4 Release Notes linked from the References section.
    last seen 2019-02-21
    modified 2018-07-26
    plugin id 102299
    published 2017-08-09
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=102299
    title Oracle Linux 7 : mariadb (ELSA-2017-2192)
packetstorm via4
redhat via4
advisories
  • rhsa
    id RHSA-2016:2130
  • rhsa
    id RHSA-2016:2749
  • rhsa
    id RHSA-2017:2192
  • rhsa
    id RHSA-2018:0279
  • rhsa
    id RHSA-2018:0574
rpms
  • mariadb-1:5.5.56-2.el7
  • mariadb-bench-1:5.5.56-2.el7
  • mariadb-devel-1:5.5.56-2.el7
  • mariadb-embedded-1:5.5.56-2.el7
  • mariadb-embedded-devel-1:5.5.56-2.el7
  • mariadb-libs-1:5.5.56-2.el7
  • mariadb-server-1:5.5.56-2.el7
  • mariadb-test-1:5.5.56-2.el7
refmap via4
bid 93612
bugtraq 20161104 MySQL / MariaDB / PerconaDB - Root Privilege Escalation Exploit ( CVE-2016-6664 / CVE-2016-5617 )
confirm
debian DSA-3770
exploit-db 40679
fulldisc 20161101 MySQL / MariaDB / PerconaDB - Privilege Escalation / Race Condition Exploit [CVE-2016-6663 / OCVE-2016-5616]
gentoo GLSA-201702-18
misc
the hacker news via4
id THN:527125445EE758FC7D6A33333D6500EB
last seen 2018-01-27
modified 2016-11-06
published 2016-11-02
reporter Swati Khandelwal
source https://thehackernews.com/2016/11/mysql-zero-day-exploits.html
title Critical Flaws in MySQL Give Hackers Root Access to Server (Exploits Released)
Last major update 23-12-2016 - 21:59
Published 13-12-2016 - 16:59
Last modified 05-03-2019 - 13:23