CVE-2016-6662

MySQL / MariaDB / PerconaDB 5.5.51/5.6.32/5.7.14 - Code Execution / Privilege Escalation

Severity Score

9.8

*CVSS v3

Exploit Likelihood

*EPSS

Affected Versions

*CPE

Public Exploits

*Multiple Sources

Exploited in Wild

*KEV

Decision

*SSVC

Descriptions

Oracle MySQL through 5.5.52, 5.6.x through 5.6.33, and 5.7.x through 5.7.15; MariaDB before 5.5.51, 10.0.x before 10.0.27, and 10.1.x before 10.1.17; and Percona Server before 5.5.51-38.1, 5.6.x before 5.6.32-78.0, and 5.7.x before 5.7.14-7 allow local users to create arbitrary configurations and bypass certain protection mechanisms by setting general_log_file to a my.cnf configuration. NOTE: this can be leveraged to execute arbitrary code with root privileges by setting malloc_lib. NOTE: the affected MySQL version information is from Oracle's October 2016 CPU. Oracle has not commented on third-party claims that the issue was silently patched in MySQL 5.5.52, 5.6.33, and 5.7.15.

Oracle MySQL hasta la versión 5.5.52, 5.6.x hasta la versión 5.6.33 y 5.7.x hasta la versión 5.7.15; MariaDB en versiones anteriores a 5.5.51, 10.0.x en versiones anteriores a 10.0.27 y 10.1.x en versiones anteriores a 10.1.17; y Percona Server en versiones anteriores a 5.5.51-38.1, 5.6.x en versiones anteriores a 5.6.32-78.0 y 5.7.x en versiones anteriores a 5.7.14-7 permiten a usuarios locales crear configuraciones arbitrarias y eludir ciertos mecanismos de protección estableciendo general_log_file a una configuración my.cnf NOTA: esto puede ser aprovechado para ejecutar código arbitrario con privilegios root estableciendo malloc_lib. NOTA: la información sobre la versión de MySQL afectada es de la CPU de Octubre de 2016 de Oracle. Oracle no ha comentado sobre las reclamaciones de terceros que el problema fue parcheado silenciosamente en MySQL 5.5.52, 5.6.33 y 5.7.15.

It was discovered that the MySQL logging functionality allowed writing to MySQL configuration files. An administrative database user, or a database user with FILE privileges, could possibly use this flaw to run arbitrary commands with root privileges on the system running the database server.

MySQL versions 5.7.15 and below, 5.6.33 and below, and 5.5.52 and below suffer from remote root code execution and privilege escalation vulnerabilities.

*Credits: N/A

CVSS Scores

Attack Vector

Network

Attack Complexity

Low

Privileges Required

None

User Interaction

None

Scope

Unchanged

Confidentiality

High

Integrity

High

Availability

High

Attack Vector

Network

Attack Complexity

Low

Authentication

None

Confidentiality

Complete

Integrity

Complete

Availability

Complete

Attack Vector

Network

Attack Complexity

High

Authentication

Single

Confidentiality

Complete

Integrity

Complete

Availability

Complete

* Common Vulnerability Scoring System

SSVC

Decision:-

Exploitation

Automatable

Tech. Impact

* Organization's Worst-case Scenario

Timeline

2016-08-10 CVE Reserved
2016-09-12 CVE Published
2016-09-15 First Exploit
2024-08-06 CVE Updated
2024-08-13 EPSS Updated
---------- Exploited in Wild
---------- KEV Due Date

CWE

CWE-264: Permissions, Privileges, and Access Controls
CWE-732: Incorrect Permission Assignment for Critical Resource

CAPEC

References (32)

URL	Tag	Source
http://legalhackers.com/advisories/MySQL-Exploit-Remote-Root-Code-Execution-Privesc-CVE-2016-6662.html	Third Party Advisory
http://seclists.org/fulldisclosure/2016/Sep/23	Mailing List
http://www.openwall.com/lists/oss-security/2016/09/12/3	Mailing List
http://www.securityfocus.com/bid/92912	Third Party Advisory
http://www.securitytracker.com/id/1036769	Third Party Advisory
https://www.percona.com/blog/2016/09/12/percona-server-critical-update-cve-2016-6662	Third Party Advisory

URL	Date	SRC
https://www.exploit-db.com/exploits/40360	2024-08-06
https://github.com/MAYASEVEN/CVE-2016-6662	2017-07-22
https://github.com/KosukeShimofuji/CVE-2016-6662	2016-09-16
https://github.com/konstantin-kelemen/mysqld_safe-CVE-2016-6662-patch	2016-09-15

URL	Date	SRC
http://www.oracle.com/technetwork/security-advisory/cpuoct2016-2881722.html	2021-08-04

URL	Date	SRC
http://rhn.redhat.com/errata/RHSA-2016-2058.html	2021-08-04
http://rhn.redhat.com/errata/RHSA-2016-2059.html	2021-08-04
http://rhn.redhat.com/errata/RHSA-2016-2060.html	2021-08-04
http://rhn.redhat.com/errata/RHSA-2016-2061.html	2021-08-04
http://rhn.redhat.com/errata/RHSA-2016-2062.html	2021-08-04
http://rhn.redhat.com/errata/RHSA-2016-2077.html	2021-08-04
http://rhn.redhat.com/errata/RHSA-2016-2130.html	2021-08-04
http://rhn.redhat.com/errata/RHSA-2016-2131.html	2021-08-04
http://rhn.redhat.com/errata/RHSA-2016-2595.html	2021-08-04
http://rhn.redhat.com/errata/RHSA-2016-2749.html	2021-08-04
http://rhn.redhat.com/errata/RHSA-2016-2927.html	2021-08-04
http://rhn.redhat.com/errata/RHSA-2016-2928.html	2021-08-04
http://rhn.redhat.com/errata/RHSA-2017-0184.html	2021-08-04
http://www.debian.org/security/2016/dsa-3666	2021-08-04
https://jira.mariadb.org/browse/MDEV-10465	2021-08-04
https://mariadb.com/kb/en/mariadb/mariadb-10027-release-notes	2021-08-04
https://mariadb.com/kb/en/mariadb/mariadb-10117-release-notes	2021-08-04
https://mariadb.com/kb/en/mariadb/mariadb-5551-release-notes	2021-08-04
https://security.gentoo.org/glsa/201701-01	2021-08-04
https://access.redhat.com/security/cve/CVE-2016-6662	2017-01-24
https://bugzilla.redhat.com/show_bug.cgi?id=1375198	2017-01-24

Affected Vendors, Products, and Versions

Vendor		Product				Version		Other		Status
Vendor	Product	Version	Other	Status	<-- -->	Vendor	Product	Version	Other	Status
Oracle Search vendor "Oracle"		Mysql Search vendor "Oracle" for product "Mysql"				>= 5.5.0 <= 5.5.52 Search vendor "Oracle" for product "Mysql" and version " >= 5.5.0 <= 5.5.52"		-		Affected
Oracle Search vendor "Oracle"		Mysql Search vendor "Oracle" for product "Mysql"				>= 5.6.0 <= 5.6.33 Search vendor "Oracle" for product "Mysql" and version " >= 5.6.0 <= 5.6.33"		-		Affected
Oracle Search vendor "Oracle"		Mysql Search vendor "Oracle" for product "Mysql"				>= 5.7.0 <= 5.7.15 Search vendor "Oracle" for product "Mysql" and version " >= 5.7.0 <= 5.7.15"		-		Affected
Percona Search vendor "Percona"		Percona Server Search vendor "Percona" for product "Percona Server"				>= 5.5 < 5.5.51-38.1 Search vendor "Percona" for product "Percona Server" and version " >= 5.5 < 5.5.51-38.1"		-		Affected
Percona Search vendor "Percona"		Percona Server Search vendor "Percona" for product "Percona Server"				>= 5.6 < 5.6.32-78.0 Search vendor "Percona" for product "Percona Server" and version " >= 5.6 < 5.6.32-78.0"		-		Affected
Percona Search vendor "Percona"		Percona Server Search vendor "Percona" for product "Percona Server"				>= 5.7 < 5.7.14-7 Search vendor "Percona" for product "Percona Server" and version " >= 5.7 < 5.7.14-7"		-		Affected
Mariadb Search vendor "Mariadb"		Mariadb Search vendor "Mariadb" for product "Mariadb"				>= 5.5.20 < 5.5.51 Search vendor "Mariadb" for product "Mariadb" and version " >= 5.5.20 < 5.5.51"		-		Affected
Mariadb Search vendor "Mariadb"		Mariadb Search vendor "Mariadb" for product "Mariadb"				>= 10.0.0 < 10.0.27 Search vendor "Mariadb" for product "Mariadb" and version " >= 10.0.0 < 10.0.27"		-		Affected
Mariadb Search vendor "Mariadb"		Mariadb Search vendor "Mariadb" for product "Mariadb"				>= 10.1.0 < 10.1.17 Search vendor "Mariadb" for product "Mariadb" and version " >= 10.1.0 < 10.1.17"		-		Affected
Debian Search vendor "Debian"		Debian Linux Search vendor "Debian" for product "Debian Linux"				8.0 Search vendor "Debian" for product "Debian Linux" and version "8.0"		-		Affected
Redhat Search vendor "Redhat"		Openstack Search vendor "Redhat" for product "Openstack"				5.0 Search vendor "Redhat" for product "Openstack" and version "5.0"		-		Affected
Redhat Search vendor "Redhat"		Openstack Search vendor "Redhat" for product "Openstack"				6.0 Search vendor "Redhat" for product "Openstack" and version "6.0"		-		Affected
Redhat Search vendor "Redhat"		Openstack Search vendor "Redhat" for product "Openstack"				7.0 Search vendor "Redhat" for product "Openstack" and version "7.0"		-		Affected
Redhat Search vendor "Redhat"		Openstack Search vendor "Redhat" for product "Openstack"				8 Search vendor "Redhat" for product "Openstack" and version "8"		-		Affected
Redhat Search vendor "Redhat"		Openstack Search vendor "Redhat" for product "Openstack"				9 Search vendor "Redhat" for product "Openstack" and version "9"		-		Affected
Redhat Search vendor "Redhat"		Enterprise Linux Search vendor "Redhat" for product "Enterprise Linux"				7.0 Search vendor "Redhat" for product "Enterprise Linux" and version "7.0"		-		Affected
Redhat Search vendor "Redhat"		Enterprise Linux Desktop Search vendor "Redhat" for product "Enterprise Linux Desktop"				6.0 Search vendor "Redhat" for product "Enterprise Linux Desktop" and version "6.0"		-		Affected
Redhat Search vendor "Redhat"		Enterprise Linux Desktop Search vendor "Redhat" for product "Enterprise Linux Desktop"				7.0 Search vendor "Redhat" for product "Enterprise Linux Desktop" and version "7.0"		-		Affected
Redhat Search vendor "Redhat"		Enterprise Linux Server Search vendor "Redhat" for product "Enterprise Linux Server"				6.0 Search vendor "Redhat" for product "Enterprise Linux Server" and version "6.0"		-		Affected
Redhat Search vendor "Redhat"		Enterprise Linux Server Aus Search vendor "Redhat" for product "Enterprise Linux Server Aus"				7.3 Search vendor "Redhat" for product "Enterprise Linux Server Aus" and version "7.3"		-		Affected
Redhat Search vendor "Redhat"		Enterprise Linux Server Aus Search vendor "Redhat" for product "Enterprise Linux Server Aus"				7.4 Search vendor "Redhat" for product "Enterprise Linux Server Aus" and version "7.4"		-		Affected
Redhat Search vendor "Redhat"		Enterprise Linux Server Aus Search vendor "Redhat" for product "Enterprise Linux Server Aus"				7.6 Search vendor "Redhat" for product "Enterprise Linux Server Aus" and version "7.6"		-		Affected
Redhat Search vendor "Redhat"		Enterprise Linux Server Eus Search vendor "Redhat" for product "Enterprise Linux Server Eus"				7.3 Search vendor "Redhat" for product "Enterprise Linux Server Eus" and version "7.3"		-		Affected
Redhat Search vendor "Redhat"		Enterprise Linux Server Eus Search vendor "Redhat" for product "Enterprise Linux Server Eus"				7.4 Search vendor "Redhat" for product "Enterprise Linux Server Eus" and version "7.4"		-		Affected
Redhat Search vendor "Redhat"		Enterprise Linux Server Eus Search vendor "Redhat" for product "Enterprise Linux Server Eus"				7.5 Search vendor "Redhat" for product "Enterprise Linux Server Eus" and version "7.5"		-		Affected
Redhat Search vendor "Redhat"		Enterprise Linux Server Eus Search vendor "Redhat" for product "Enterprise Linux Server Eus"				7.6 Search vendor "Redhat" for product "Enterprise Linux Server Eus" and version "7.6"		-		Affected
Redhat Search vendor "Redhat"		Enterprise Linux Server Tus Search vendor "Redhat" for product "Enterprise Linux Server Tus"				7.3 Search vendor "Redhat" for product "Enterprise Linux Server Tus" and version "7.3"		-		Affected
Redhat Search vendor "Redhat"		Enterprise Linux Server Tus Search vendor "Redhat" for product "Enterprise Linux Server Tus"				7.6 Search vendor "Redhat" for product "Enterprise Linux Server Tus" and version "7.6"		-		Affected
Redhat Search vendor "Redhat"		Enterprise Linux Workstation Search vendor "Redhat" for product "Enterprise Linux Workstation"				6.0 Search vendor "Redhat" for product "Enterprise Linux Workstation" and version "6.0"		-		Affected
Redhat Search vendor "Redhat"		Enterprise Linux Workstation Search vendor "Redhat" for product "Enterprise Linux Workstation"				7.0 Search vendor "Redhat" for product "Enterprise Linux Workstation" and version "7.0"		-		Affected