Database Security Digest – October 2016
Last month was relatively calm compared with the series of large data breaches in the preceding months.
A hacker known as Guccifer 2.0, already known for leaking genuine documents of political organizations, has exposed files of the Clinton Foundation. He wrote that it was just a matter of time, as the Clinton Foundation staff did not bother about information security.
Modern Business Systems suffered a breach of 58 user accounts, exposing customer names, postal, email and IP addresses, and phone numbers. Games developer Evony Gaming had 33 million accounts compromised, including usernames, passwords and email addresses.
New MySQL flaws
Two serious privilege escalation vulnerabilities have been found in MySQL and its forks MariaDB and PerconaDB: CVE-2016-6663 and CVE-2016-6664 (tracked by Oracle as CVE-2016-5616 and CVE-2016-5617 respectively). The developers have already released updates addressing the flaws.
CVE-2016-6663 makes exploitation of CVE-2016-6662 easier. It is a race condition that allows a low-privileged user to escalate privileges and execute arbitrary code as the database system user. It can be exploited by an attacker who has found a vulnerability in a website and gained access to the target system as a low-privileged user, and also in a shared hosting environment where each user can access only one particular database.
According to the researcher who discovered the flaw, CVE-2016-6663 can be chained with CVE-2016-6662 or CVE-2016-6664 to obtain root privileges and compromise the whole targeted system. The exploit is freely available in the public domain, and there is even a video showing how it is done. With this in mind, users of affected platforms should patch as soon as possible.
The vulnerabilities affect Oracle MySQL versions 5.5.51, 5.6.32, 5.7.14 and earlier. The October Critical Patch Update fixes both issues. Percona announced that it has updated Percona Server to address the vulnerabilities above. MariaDB has patched CVE-2016-6663 and deferred CVE-2016-6664 to the upcoming maintenance release, arguing that it is not exploitable by itself.
Oracle Fixes
Oracle announced the release of its Critical Patch Update on October 18, eliminating 253 vulnerabilities across various platforms. Oracle Database Server receives 12 security fixes. One of the vulnerabilities can be exploited remotely without requiring user credentials.
| CVE# | Component | Package and/or Privilege Required | Protocol | Remote Exploit without Auth.? | Base Score | Attack Vector | Privileges Required |
|---|---|---|---|---|---|---|---|
| CVE-2016-5555 | OJVM | Create Session, Create Procedure | Multiple | No | 9.1 | Network | High |
| CVE-2016-5572 | Kernel PDB | Create Session | Oracle Net | No | 6.4 | Local | High |
| CVE-2016-5497 | RDBMS Security | Create Session | Oracle Net | No | 6.4 | Local | High |
| CVE-2010-5312 | Application Express | None | HTTP | Yes | 6.1 | Network | None |
| CVE-2016-5516 | Kernel PDB | Execute on DBMS_PDB_EXEC_SQL | Oracle Net | No | 6.0 | Local | High |
| CVE-2016-5505 | RDBMS Programmable Interface | Create Session | Oracle Net | No | 5.5 | Local | Low |
| CVE-2016-5498 | RDBMS Security | Create Session | Oracle Net | No | 3.3 | Local | Low |
| CVE-2016-5499 | RDBMS Security | Create Session | Oracle Net | No | 3.3 | Local | Low |
| CVE-2016-3562 | RDBMS Security and SQL*Plus | DBA level privileged account | Oracle Net | No | 2.4 | Network | High |
Oracle MySQL
This update contains 31 security fixes for Oracle MySQL, 2 of which may be remotely exploitable without authentication.
| CVE# | Component | Sub-component | Protocol | Remote Exploit without Auth.? | Base Score | Attack Vector | Privileges Required |
|---|---|---|---|---|---|---|---|
| CVE-2016-6304 | MySQL Server | Server: Security: Encryption | MySQL Protocol | Yes | 7.5 | Network | None |
| CVE-2016-6662 | MySQL Server | Server: Logging | None | No | 7.2 | Local | High |
| CVE-2016-5617 | MySQL Server | Server: Error Handling | None | No | 7.0 | Local | Low |
| CVE-2016-5616 | MySQL Server | Server: MyISAM | None | No | 7.0 | Local | Low |
| CVE-2016-5625 | MySQL Server | Server: Packaging | None | No | 7.0 | Local | Low |
| CVE-2016-5609 | MySQL Server | Server: DML | MySQL Protocol | No | 6.5 | Network | Low |
| CVE-2016-5612 | MySQL Server | Server: DML | MySQL Protocol | No | 6.5 | Network | Low |
| CVE-2016-5624 | MySQL Server | Server: DML | MySQL Protocol | No | 6.5 | Network | Low |
| CVE-2016-5626 | MySQL Server | Server: GIS | MySQL Protocol | No | 6.5 | Network | Low |
| CVE-2016-5627 | MySQL Server | Server: InnoDB | MySQL Protocol | No | 6.5 | Network | Low |
| CVE-2016-3492 | MySQL Server | Server: Optimizer | MySQL Protocol | No | 6.5 | Network | Low |
| CVE-2016-5598 | MySQL Connector | Connector/Python | MySQL Protocol | Yes | 5.6 | Network | None |
| CVE-2016-7440 | MySQL Server | Server: Security: Encryption | None | No | 5.1 | Local | None |
| CVE-2016-5628 | MySQL Server | Server: DML | MySQL Protocol | No | 4.9 | Network | High |
| CVE-2016-5629 | MySQL Server | Server: Federated | MySQL Protocol | No | 4.9 | Network | High |
| CVE-2016-3495 | MySQL Server | Server: InnoDB | MySQL Protocol | No | 4.9 | Network | High |
| CVE-2016-5630 | MySQL Server | Server: InnoDB | MySQL Protocol | No | 4.9 | Network | High |
| CVE-2016-5507 | MySQL Server | Server: InnoDB | MySQL Protocol | No | 4.9 | Network | High |
| CVE-2016-5631 | MySQL Server | Server: Memcached | MySQL Protocol | No | 4.9 | Network | High |
| CVE-2016-5632 | MySQL Server | Server: Optimizer | MySQL Protocol | No | 4.9 | Network | High |
| CVE-2016-5633 | MySQL Server | Server: Performance Schema | MySQL Protocol | No | 4.9 | Network | High |
| CVE-2016-5634 | MySQL Server | Server: RBR | MySQL Protocol | No | 4.9 | Network | High |
| CVE-2016-5635 | MySQL Server | Server: Security: Audit | MySQL Protocol | No | 4.9 | Network | High |
| CVE-2016-8289 | MySQL Server | Server: InnoDB | None | No | 4.7 | Local | High |
| CVE-2016-8287 | MySQL Server | Server: Replication | MySQL Protocol | No | 4.5 | Network | High |
| CVE-2016-8290 | MySQL Server | Server: Performance Schema | MySQL Protocol | No | 4.4 | Network | High |
| CVE-2016-5584 | MySQL Server | Server: Security: Encryption | MySQL Protocol | No | 4.4 | Network | High |
| CVE-2016-8283 | MySQL Server | Server: Types | MySQL Protocol | No | 4.3 | Network | Low |
| CVE-2016-8288 | MySQL Server | Server: InnoDB Plugin | MySQL Protocol | No | 3.1 | Network | Low |
| CVE-2016-8286 | MySQL Server | Server: Security: Privileges | MySQL Protocol | No | 3.1 | Network | Low |
| CVE-2016-8284 | MySQL Server | Server: Replication | None | No | 1.8 | Local | High |
Greenplum Database 4.3.10.0
The update introduces writable S3 external tables, resolves known issues, and includes some enhancements and changes.
Specifying an external table using the gphdfs protocol with the characters \, ', < or > in its definition was a potential security vulnerability. The issue has been resolved.
MariaDB 10.0.28
The new version includes updates for XtraDB, TokuDB, InnoDB and Performance Schema, and fixes for a number of security vulnerabilities:
CVE-2016-5616 (Oracle's identifier for CVE-2016-6663): allows local users to affect confidentiality, integrity and availability via vectors related to Server: MyISAM. CVSS Score: 7.0
CVE-2016-5624: allows remote authenticated users to affect availability via vectors related to DML. CVSS Score: 6.5
CVE-2016-5626: allows remote authenticated users to affect availability via vectors related to GIS. CVSS Score: 6.5
CVE-2016-3492: allows remote authenticated users to affect availability via vectors related to Server: Optimizer. CVSS Score: 6.5
CVE-2016-5629: allows remote administrators to affect availability via vectors related to Server: Federated. CVSS Score: 4.9
CVE-2016-8283: allows remote authenticated users to affect availability via vectors related to Server: Types. CVSS Score: 4.3
CVE-2016-7440: unspecified vulnerability.
CVE-2016-5584: allows remote administrators to affect confidentiality via vectors related to Server: Security: Encryption. CVSS Score: 4.4
MySQL 5.6.34
The new release contains security enhancements for the secure_file_priv system variable, which limits the effect of data import and export operations (LOAD DATA INFILE and SELECT ... INTO OUTFILE). It can now be set to NULL to disable all import/export operations. The server now checks the secure_file_priv value at startup and writes a warning to the error log if the value is insecure. Previously secure_file_priv was empty by default, meaning no restriction; now the default is chosen according to the value of the INSTALL_LAYOUT CMake option. More details can be found in the release notes.
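As an added example (not code from the digest or from MySQL), the following Python helper applies the secure_file_priv rules described above to a value reported by the server and scans error-log lines for the new startup warning. The exact wording of the warning, the datadir containment check and the sample log lines are assumptions.

```python
"""Audit helper for MySQL's secure_file_priv (added example, not MySQL code).
NULL disables LOAD DATA INFILE / SELECT ... INTO OUTFILE, an empty value leaves
them unrestricted, and a directory confines them to that path."""
import os
import re


def classify_secure_file_priv(value, datadir):
    """Return (level, reason) for a secure_file_priv value.

    value   -- string reported by SELECT @@secure_file_priv (None for NULL)
    datadir -- the server data directory; an export directory that is the
               datadir or contains it would let a FILE-privileged user reach
               table files directly, so it is flagged as insecure (assumption)
    """
    if value is None or value.strip().upper() == "NULL":
        return "disabled", "import/export operations are turned off"
    if value.strip() == "":
        return "insecure", "empty value: no restriction on file locations"
    path = os.path.normpath(value)
    data = os.path.normpath(datadir)
    if path == data or data.startswith(path.rstrip(os.sep) + os.sep):
        return "insecure", "directory %s gives access to the data directory" % path
    return "restricted", "operations confined to %s" % path


# Warning wording is assumed; match on the option name rather than the sentence.
_WARN_RE = re.compile(r"Insecure configuration for --secure-file-priv", re.I)


def find_insecure_warnings(log_lines):
    """Return error-log lines carrying the startup warning about an insecure value."""
    return [line for line in log_lines if _WARN_RE.search(line)]


# Constructed sample of an error log, not captured from a real server.
SAMPLE_LOG = [
    "2016-10-12 08:00:01 1234 [Note] mysqld (mysqld 5.6.34) starting as process 1234 ...",
    "2016-10-12 08:00:01 1234 [Warning] Insecure configuration for --secure-file-priv: "
    "Current value does not restrict location of generated files.",
    "2016-10-12 08:00:01 1234 [Warning] Insecure configuration for --secure-file-priv: "
    "Data directory is accessible through --secure-file-priv.",
    "2016-10-12 08:00:02 1234 [Note] /usr/sbin/mysqld: ready for connections.",
]

if __name__ == "__main__":
    for val in (None, "", "/var/lib/mysql", "/var/lib/mysql-files"):
        print(repr(val), "->", classify_secure_file_priv(val, "/var/lib/mysql"))
    for line in find_insecure_warnings(SAMPLE_LOG):
        print("warning:", line[:80])
```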
Percona Server 5.7.15-9
Based on MySQL 5.7.15 and including all the bug fixes in it, Percona Server 5.7.14-8 is the current GA (Generally Available) release in the Percona Server 5.7 series. The update contains a number of bug fixes, including a fix for slave thread leaks that occurred when thread creation failed. Memory leaks in the Audit Log Plugin have also been eliminated.