Database Security Digest – October 2016

Last month was relatively calm compared with the series of big data breaches in the preceding months.

A hacker using the name Guccifer 2.0, already known for leaking genuine documents of political organizations, has exposed files of the Clinton Foundation. He wrote that it was only a matter of time, as the Clinton Foundation's staff did not care about information security.

Modern Business Systems suffered a breach of 58 user accounts that exposed customer names, postal, email and IP addresses, and phone numbers. Game developer Evony Gaming had 33 million accounts compromised, exposing usernames, passwords and email addresses.

New MySQL flaws

Two serious privilege escalation vulnerabilities, CVE-2016-6663 and CVE-2016-6664 (tracked by Oracle as CVE-2016-5616 and CVE-2016-5617 respectively), have been found in MySQL and its forks MariaDB and PerconaDB. The developers have already released updates addressing the flaws.

CVE-2016-6663 makes exploitation of CVE-2016-6662 easier. It is a race condition that allows low-privileged users to escalate privileges and execute arbitrary code as the database system user. It can be exploited by attackers who manage to find a vulnerability in a website and gain access to the target system as a low-privileged user. It can also be used in a shared hosting environment where each user can access only one particular database.

According to the researcher who discovered the flaw, CVE-2016-6663 can be chained with CVE-2016-6662 or CVE-2016-6664 to obtain root privileges and compromise the whole targeted system. A public exploit is freely available, along with a video demonstrating it. With this in mind, users of affected platforms should patch as soon as possible.

The vulnerabilities affect Oracle MySQL versions 5.5.51, 5.6.32, 5.7.14 and earlier. The October Critical Patch Update fixes both issues. Percona announced that it has updated Percona Server to address the vulnerabilities above. MariaDB has patched CVE-2016-6663 and deferred CVE-2016-6664 to an upcoming maintenance release, arguing that it is not exploitable on its own.

Oracle Fixes

Oracle announced the release of its Critical Patch Update on October 18, fixing 253 vulnerabilities across various products. Oracle Database Server receives 12 security fixes, one of which can be exploited remotely without user credentials.

| CVE# | Component | Package and/or Privilege Required | Protocol | Remote Exploit without Auth.? | Base Score | Attack Vector | Privileges Required |
|---|---|---|---|---|---|---|---|
| CVE-2016-5555 | OJVM | Create Session, Create Procedure | Multiple | No | 9.1 | Network | High |
| CVE-2016-5572 | Kernel PDB | Create Session | Oracle Net | No | 6.4 | Local | High |
| CVE-2016-5497 | RDBMS Security | Create Session | Oracle Net | No | 6.4 | Local | High |
| CVE-2010-5312 | Application Express | None | HTTP | Yes | 6.1 | Network | None |
| CVE-2016-5516 | Kernel PDB | Execute on DBMS_PDB_EXEC_SQL | Oracle Net | No | 6.0 | Local | High |
| CVE-2016-5505 | RDBMS Programmable Interface | Create Session | Oracle Net | No | 5.5 | Local | Low |
| CVE-2016-5498 | RDBMS Security | Create Session | Oracle Net | No | 3.3 | Local | Low |
| CVE-2016-5499 | RDBMS Security | Create Session | Oracle Net | No | 3.3 | Local | Low |
| CVE-2016-3562 | RDBMS Security and SQL*Plus | DBA level privileged account | Oracle Net | No | 2.4 | Network | High |

Oracle MySQL

This update includes 31 security fixes for Oracle MySQL, 2 of which may be remotely exploitable without authentication.

| CVE# | Component | Sub-component | Protocol | Remote Exploit without Auth.? | Base Score | Attack Vector | Privileges Required |
|---|---|---|---|---|---|---|---|
| CVE-2016-6304 | MySQL Server | Server: Security: Encryption | MySQL Protocol | Yes | 7.5 | Network | None |
| CVE-2016-6662 | MySQL Server | Server: Logging | None | No | 7.2 | Local | High |
| CVE-2016-5617 | MySQL Server | Server: Error Handling | None | No | 7.0 | Local | Low |
| CVE-2016-5616 | MySQL Server | Server: MyISAM | None | No | 7.0 | Local | Low |
| CVE-2016-5625 | MySQL Server | Server: Packaging | None | No | 7.0 | Local | Low |
| CVE-2016-5609 | MySQL Server | Server: DML | MySQL Protocol | No | 6.5 | Network | Low |
| CVE-2016-5612 | MySQL Server | Server: DML | MySQL Protocol | No | 6.5 | Network | Low |
| CVE-2016-5624 | MySQL Server | Server: DML | MySQL Protocol | No | 6.5 | Network | Low |
| CVE-2016-5626 | MySQL Server | Server: GIS | MySQL Protocol | No | 6.5 | Network | Low |
| CVE-2016-5627 | MySQL Server | Server: InnoDB | MySQL Protocol | No | 6.5 | Network | Low |
| CVE-2016-3492 | MySQL Server | Server: Optimizer | MySQL Protocol | No | 6.5 | Network | Low |
| CVE-2016-5598 | MySQL Connector | Connector/Python | MySQL Protocol | Yes | 5.6 | Network | None |
| CVE-2016-7440 | MySQL Server | Server: Security: Encryption | None | No | 5.1 | Local | None |
| CVE-2016-5628 | MySQL Server | Server: DML | MySQL Protocol | No | 4.9 | Network | High |
| CVE-2016-5629 | MySQL Server | Server: Federated | MySQL Protocol | No | 4.9 | Network | High |
| CVE-2016-3495 | MySQL Server | Server: InnoDB | MySQL Protocol | No | 4.9 | Network | High |
| CVE-2016-5630 | MySQL Server | Server: InnoDB | MySQL Protocol | No | 4.9 | Network | High |
| CVE-2016-5507 | MySQL Server | Server: InnoDB | MySQL Protocol | No | 4.9 | Network | High |
| CVE-2016-5631 | MySQL Server | Server: Memcached | MySQL Protocol | No | 4.9 | Network | High |
| CVE-2016-5632 | MySQL Server | Server: Optimizer | MySQL Protocol | No | 4.9 | Network | High |
| CVE-2016-5633 | MySQL Server | Server: Performance Schema | MySQL Protocol | No | 4.9 | Network | High |
| CVE-2016-5634 | MySQL Server | Server: RBR | MySQL Protocol | No | 4.9 | Network | High |
| CVE-2016-5635 | MySQL Server | Server: Security: Audit | MySQL Protocol | No | 4.9 | Network | High |
| CVE-2016-8289 | MySQL Server | Server: InnoDB | None | No | 4.7 | Local | High |
| CVE-2016-8287 | MySQL Server | Server: Replication | MySQL Protocol | No | 4.5 | Network | High |
| CVE-2016-8290 | MySQL Server | Server: Performance Schema | MySQL Protocol | No | 4.4 | Network | High |
| CVE-2016-5584 | MySQL Server | Server: Security: Encryption | MySQL Protocol | No | 4.4 | Network | High |
| CVE-2016-8283 | MySQL Server | Server: Types | MySQL Protocol | No | 4.3 | Network | Low |
| CVE-2016-8288 | MySQL Server | Server: InnoDB Plugin | MySQL Protocol | No | 3.1 | Network | Low |
| CVE-2016-8286 | MySQL Server | Server: Security: Privileges | MySQL Protocol | No | 3.1 | Network | Low |
| CVE-2016-8284 | MySQL Server | Server: Replication | None | No | 1.8 | Local | High |

Greenplum Database 4.3.10.0

The update introduces S3 writeable tables, resolves known issues, and includes some enhancements and changes.

Specifying an external table using the gphdfs protocol with the characters \, ', < or > was a potential security vulnerability. The issue has been resolved.

MariaDB 10.0.28

The new version includes updates for XtraDB, TokuDB, InnoDB and Performance Schema, and fixes for a number of security vulnerabilities:

CVE-2016-5616 (also tracked as CVE-2016-6663)
Allows local users to affect confidentiality, integrity, and availability via vectors related to Server: MyISAM.
CVSS Score: 7.0

CVE-2016-5624
Allows remote authenticated users to affect availability via vectors related to DML.
CVSS Score: 6.5

CVE-2016-5626
Allows remote authenticated users to affect availability via vectors related to GIS.
CVSS Score: 6.5

CVE-2016-3492
Allows remote authenticated users to affect availability via vectors related to Server: Optimizer.
CVSS Score: 6.5

CVE-2016-5629
Allows remote administrators to affect availability via vectors related to Server: Federated.
CVSS Score: 4.9

CVE-2016-8283
Allows remote authenticated users to affect availability via vectors related to Server: Types.
CVSS Score: 4.3

CVE-2016-7440 – unspecified vulnerability.

CVE-2016-5584
Allows remote administrators to affect confidentiality via vectors related to Server: Security: Encryption.
CVSS Score: 4.4

MySQL 5.6.34

The new release contains security enhancements to the secure_file_priv system variable, which limits the effect of data import and export operations. It can now be set to NULL to disable all import/export operations. The server now checks the secure_file_priv value at startup and writes a warning to the error log if the value is insecure.
Previously, secure_file_priv was empty by default. Now the default value is determined by the INSTALL_LAYOUT CMake option.
More details can be found in the release notes.
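As an added example (not code from this digest or from the MySQL release notes), the following Python parses the [mysqld] group of a my.cnf and classifies secure_file_priv the way the 5.6.34 startup check described above does: empty is insecure, NULL disables import/export, a directory restricts it. The two config fragments are constructed for the example; the extra rule that a directory equal to or inside datadir is also flagged insecure comes from MySQL's documentation rather than this page.

```python
import os

# Constructed my.cnf fragments for this example (not from a real deployment).
WEAK_MY_CNF = """
[mysqld]
datadir = /var/lib/mysql
secure_file_priv =            # empty: LOAD DATA / INTO OUTFILE may use any path
skip-networking
"""
HARDENED_MY_CNF = """
[mysqld]
datadir = /var/lib/mysql
secure_file_priv = NULL       # 5.6.34+: disables all import/export operations
"""


def parse_mysqld_section(text: str) -> dict:
    """Return option -> value for the [mysqld] group of a my.cnf text. MySQL treats
    '-' and '_' in option names alike; bare flags (no '=') are stored as None."""
    opts = {}
    group = None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()          # drop comments
        if not line or line.startswith("!"):         # blank or !include line
            continue
        if line.startswith("[") and line.endswith("]"):
            group = line[1:-1].strip().lower()
            continue
        if group != "mysqld":
            continue
        key, sep, value = line.partition("=")
        key = key.strip().replace("-", "_").lower()
        opts[key] = value.strip().strip("\"'") if sep else None
    return opts


def classify_secure_file_priv(opts: dict) -> str:
    """Classify the setting as the 5.6.34 startup check would:
    'unset', 'insecure', 'disabled' or 'restricted'."""
    if "secure_file_priv" not in opts:
        return "unset"          # server default applies (empty before 5.6.34)
    value = opts["secure_file_priv"]
    if not value:
        return "insecure"       # empty or missing value: no path restriction
    if value.upper() == "NULL":
        return "disabled"       # all import/export operations refused
    datadir = os.path.normpath(opts.get("datadir") or "/var/lib/mysql")
    path = os.path.normpath(value)
    if path == datadir or path.startswith(datadir + os.sep):  # inside datadir
        return "insecure"       # exports could land among the table files
    return "restricted"
```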

Percona Server 5.7.15-9

Based on MySQL 5.7.15 and including all of its bug fixes, Percona Server 5.7.14-8 is the current GA (Generally Available) release in the Percona Server 5.7 series.
The update contains a number of bug fixes, including a fix for slave thread leaks that occurred when thread creation failed. Memory leaks in the Audit Log Plugin have also been eliminated.
