A critical vulnerability has been discovered that lets attackers gain root access through compromised MySQL-based database systems. It affects MySQL, MariaDB and PerconaDB, which are all immensely popular with organisations big and small. Here’s what you need to know about this privilege escalation bug.
The vulnerability lets attackers who have already gained access to a MySQL-based system further escalate their privileges to root and completely take over a machine. This is done by exploiting unsafe handling of the error log file in MySQL databases, which leaves the log file open to a symbolic link (symlink) attack.
It’s a complex exploit but to put it simply, it can allow attackers to gain ownership of a system file of their choice, then replace it with malicious code, before running this code to escalate their privileges. Security research firm Legal Hackers was the first to disclose this bug and has detailed a proof-of-concept exploit in the advisory it released for the vulnerability.
The exploit requires that file-based logging has been configured, which is the default. Those who have syslog set up for their MySQL instances are unaffected, according to the advisory. System administrators who want to check whether syslog has been enabled can use the following command:
grep -r syslog /etc/mysql | wc -l
If the default file-based logging configuration is still enabled (i.e. vulnerable), this command would return ‘0’.
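The count above also goes up for commented-out lines and for skip-syslog, so a non-zero result does not prove syslog is active. The script below is an added example, not taken from the advisory: it reads only active directives and reports the logging mode. It assumes syslog logging is switched on by a bare syslog flag in a [mysqld_safe] section of a *.cnf file and switched off by skip-syslog; the function names and the sample config are constructed for illustration.

```shell
#!/bin/sh
# Added example: classify MySQL option files by their *active* logging
# directives instead of counting every line that mentions "syslog".

# The check quoted in the article: counts any line containing "syslog".
naive_count() {
    grep -r syslog "$1" 2>/dev/null | wc -l | tr -d ' '
}

# logging_mode DIR -> prints "syslog", "file" or "unknown"
#   syslog : active "syslog" flag under [mysqld_safe], no "skip-syslog"
#   file   : anything else (file-based error log, the case the article flags)
logging_mode() {
    [ -d "$1" ] || { echo unknown; return 0; }
    flags=$(find -L "$1" -type f -name '*.cnf' -exec awk '
        FNR == 1 { section = "" }              # new file: forget the section
        { gsub(/^[ \t]+|[ \t]+$/, "") }        # trim surrounding whitespace
        /^$/ || /^[#;]/ { next }               # skip blanks and comments
        /^\[/ { section = tolower($0); next }  # remember current [section]
        section == "[mysqld_safe]" && /^syslog$/ { print "on" }
        section == "[mysqld_safe]" && /^skip[-_]syslog$/ { print "off" }
    ' {} +)
    case "$flags" in
        *off*) echo file ;;    # an explicit skip-syslog wins
        *on*)  echo syslog ;;
        *)     echo file ;;    # no active directive: default file logging
    esac
}

# Constructed sample config: "syslog" appears twice, but never as an
# active flag, so the naive count is misleading. The log path is made up.
demo() {
    d=$(mktemp -d) || return 1
    printf '%s\n' '[mysqld_safe]' '# syslog' 'skip-syslog' \
        'log-error = /var/log/mysql/error.log' > "$d/my.cnf"
    echo "naive count: $(naive_count "$d"), mode: $(logging_mode "$d")"
    rm -rf "$d"
}

demo
```

On a real host, logging_mode /etc/mysql printing "file" corresponds to the default configuration the article describes as vulnerable.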
You can head over to the advisory put out by Legal Hackers for more information about this critical vulnerability.