A new MySQL vulnerability has emerged that allows attackers to inject malicious settings into the database configuration files. The security hole reportedly affects all MySQL servers, including those running the latest software versions.
Security researcher Dawid Golunski has disclosed the vulnerability, tracked as CVE-2016-6662. The issue is confirmed to have already been reported to MySQL vendor Oracle. However, a patch has yet to be released through an official channel.
“The vulnerability affects all MySQL servers in default configuration in all version branches (5.7, 5.6, and 5.5) including the latest versions and could be exploited by both local and remote attackers. Both the authenticated access to MySQL database (via a network connection or web interfaces such as phpMyAdmin) and SQL Injection could be used as exploitation vectors,” wrote Golunski.
CVE-2016-6662 can enable hackers to use SQL injection to attack web applications. It can also offer backdoor access to execute arbitrary code with root privileges.
The researcher stated that the vulnerability could hit MySQL servers even if security modules like SELinux and AppArmor are installed with default policies. This is likely to cause widespread concern, as a large number of public server deployments are protected by these modules.
Proof-Of-Concept now public
To demonstrate the vulnerability, Golunski has provided a Proof-Of-Concept that shows how attackers can achieve remote root code execution.
Oracle and other vendors were first informed of the flaw back in July. MySQL clones including PerconaDB and MariaDB patched the bug, but the original open source RDBMS has not been patched so far. That being said, Oracle is expected to release a fix sometime next month to deliver a secure experience.