November 2, 2016

Update on Security Vulnerabilities CVE-2016-6663 and CVE-2016-6664 Related to MariaDB Server

The details about two vulnerabilities affecting MariaDB (and MySQL) have been published. The two vulnerabilities are:

  • CVE-2016-6663, Privilege Escalation / Race Condition (also referred to as CVE-2016-5616)
  • CVE-2016-6664, Root Privilege Escalation (also referred to as CVE-2016-5617)

These vulnerabilities are follow-ups on CVE-2016-6662, which we addressed in a blog post in September, which was about Remote Root Code Execution.

CVE-2016-6663 makes use of a race condition when performing REPAIR TABLE on a MyISAM table. There were unsafe system calls performed by the REPAIR TABLE statement where it could be possible to intervene with commands resulting in permission changes on directories and files. This could then be used to obtain a shell with the rights of the user running MariaDB Server.

CVE-2016-6663 is fixed as of the following versions of MariaDB Server:

  • MariaDB Server 10.1.18, released on September 30
  • MariaDB Server 10.0.28, released on October 28
  • MariaDB Server 5.5.52, released on September 13

Please upgrade to these versions (or newer) to be protected against CVE-2016-6663. The latest versions can be downloaded here.

Using a shell obtained through CVE-2016-6663, one can further exploit CVE-2016-6664 to gain root user access.

It’s important to note that CVE-2016-6664 is NOT exploitable by itself. Shell access must first be obtained through a vulnerability like CVE-2016-6663. Because CVE-2016-6663 has been fixed and is no longer exploitable, we’ve determined that CVE-2016-6664 is not critical on it’s own and doesn’t warrant an immediate fix to be released. A fix will be included in the next upcoming maintenance releases of MariaDB Server 5.5, 10.0 and 10.1.

For the complete reports on the vulnerabilities, please refer to the advisories on legalhackers.com by Dawid Golunski who discovered these vulnerabilities.

About Rasmus Johansson

Rasmus has worked with MariaDB since 2010 and was appointed VP Engineering in 2013. As such, he takes overall responsibility for the architecting and development of MariaDB Server, MariaDB Galera Cluster and MariaDB Enterprise.

Read all posts by Rasmus Johansson