January 18, 2017

Security Vulnerability CVE-2016-6664 / CVE-2016-5617

During the fall there were a couple of vulnerabilities found that could be used for privilege escalations in conjunction with race conditions. These were:

  • CVE-2016-6662 MySQL Remote Root Code Execution / Privilege Escalation 0day

  • CVE-2016-6663 Privilege Escalation / Race Condition (also referred to as CVE-2016-5616)

  • CVE-2016-6664 Root Privilege Escalation (also referred to as CVE-2016-5617)

I’ve published two blog posts about these vulnerabilities before:

CVE-2016-6662 and CVE-2016-6663 have been fixed during the fall and versions of MariaDB has been released containing the fixes. As stated in the latter blog post the root privilege escalation vulnerability CVE-2016-6664 was not exploitable by itself. It will need to obtain shell access first through some other vulnerability. But a final fix was still needed to completely shut the door for this last related vulnerability.

The CVE-2016-6664 vulnerability makes use of a weak point in the way the mysqld_safe script handled the creation of the error log file, through which root privileges could be obtained.

Oracle made an attempt to fix this already in November, but the fix was unfortunately half-baked and made the vulnerability slightly less exploitable, but didn’t completely get rid of it. This and other issues in the mysqld_safe script were pointed out by Red Hat’s Security Team. Oracle has since then opened CVE-2017-3312 for the missing pieces of CVE-2016-6664 and fixed them.

In MariaDB Server, we’ve now implemented our own fix for the vulnerability, which we believe completely removes the possibility to make use of it.

CVE-2016-6664 is fixed as of the following versions of MariaDB Server:

Please upgrade to these versions (or newer) to be protected against CVE-2016-6664. The latest versions can be download here.

- - -

In addition to CVE-2016-6664, fixes for the following CVEs affecting MySQL, mentioned in Oracle’s Critical Patch Update Advisory - January 2017 are included in the versions 5.5.54, 10.0.29 and 10.1.21 of MariaDB:

About Rasmus Johansson

Rasmus has worked for MariaDB since 2010 and was appointed VP Engineering in 2013. He is responsible for the architecting and development of MariaDB Server and MariaDB Cluster.

Read all posts by Rasmus Johansson