MariaDB - MyISAM/Aria Temporary Files Arbitrary File Delete Vulnerability

Domenico

Well-Known Member
============================================================
Product: MariaDB
OS: Linux
URL: https://mariadb.org
Type: Arbitrary File Delete (CWE-59)
Vulnerable Version: All versions prior to fixed versions.
Fixed Version: 10.5.7, 10.4.16, 10.3.26, 10.2.35, 10.1.48
CVE Number: *PENDING*
Date: 2020-11-09
Found By: RACK911 Labs
============================================================

Product Description:
--------------------

MariaDB Server is one of the most popular database servers in the world. It’s made by the original developers of MySQL and guaranteed to stay open source. Notable users include Wikipedia, WordPress.com and Google.

MariaDB turns data into structured information in a wide array of applications, ranging from banking to websites. Originally designed as an enhanced, drop-in replacement for MySQL, MariaDB is used because it is fast, scalable and robust, with a rich ecosystem of storage engines, plugins and many other tools that make it very versatile for a wide variety of use cases.


Vulnerability Description:
--------------------------

MariaDB is vulnerable to an arbitrary file delete vulnerability that allows unprivileged users the ability to corrupt and/or delete files owned by the 'mysql' user including other user databases.

This vulnerability is allowed to happen due to the use of insecure temporary files related to the MyISAM/Aria operations.

In our testing, most hosting control panels that use MariaDB are vulnerable to this exploit. It is incredibly easy to exploit and users are highly recommended to update as soon as possible.


Vendor Contact Timeline:
------------------------

2020-08-23: Vendor contacted via email.
2020-08-24: Vendor confirms vulnerability.
2020-11-04: Vendor issues update(s) resolving vulnerability.
2020-11-09: RACK911 Labs releases public advisory.

Reference(s):
-------------

https://jira.mariadb.org/browse/MDEV-23569
https://mariadb.com/kb/en/mariadb-1057-release-notes/
https://mariadb.com/kb/en/mariadb-10416-release-notes/
https://mariadb.com/kb/en/mariadb-10326-release-notes/
https://mariadb.com/kb/en/mariadb-10235-release-notes/
https://mariadb.com/kb/en/mariadb-10148-release-notes/
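
Added example (not part of the advisory, and not RACK911 Labs or MariaDB code): a small Python check that classifies a server version banner against the "Fixed Version" line above. The function names, status labels and sample banners are constructed for illustration.

```python
import re

# Fixed release per series, from the advisory's "Fixed Version" line.
FIXED_PATCH = {(10, 5): 7, (10, 4): 16, (10, 3): 26, (10, 2): 35, (10, 1): 48}

VERSION_RE = re.compile(r"(\d+)\.(\d+)\.(\d+)-MariaDB", re.IGNORECASE)


def parse_mariadb_version(banner):
    """Return (major, minor, patch) from a version banner, or None.

    Anchoring on the "-MariaDB" suffix skips the "5.5.5-" compatibility
    prefix some clients display for 10.x servers, and rejects banners
    from other servers (e.g. MySQL), which the advisory does not cover.
    """
    match = VERSION_RE.search(banner)
    return tuple(int(part) for part in match.groups()) if match else None


def advisory_status(banner):
    """Classify a banner as 'fixed', 'vulnerable', 'unlisted' or 'unknown'."""
    version = parse_mariadb_version(banner)
    if version is None:
        return "unknown"
    series, patch = version[:2], version[2]
    if series in FIXED_PATCH:
        return "fixed" if patch >= FIXED_PATCH[series] else "vulnerable"
    if series < min(FIXED_PATCH):
        # Older series: "all versions prior to fixed versions", no fix listed.
        return "vulnerable"
    return "unlisted"  # series newer than the advisory; it names no fix for it


# Constructed sample banners (not taken from the thread).
SAMPLES = [
    "mysqld  Ver 10.3.25-MariaDB for Linux on x86_64 (MariaDB Server)",
    "10.3.26-MariaDB-log",
    "5.5.5-10.2.34-MariaDB",
    "10.0.38-MariaDB",
    "5.7.31-log",
]

if __name__ == "__main__":
    for sample in SAMPLES:
        print(f"{advisory_status(sample):<10} {sample}")
```

Feed it the output of `mysqld --version` or `SELECT VERSION()`; a result of "unlisted" or "unknown" means the advisory's version list cannot answer the question for that server.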
 

cPRex

Jurassic Moderator
Staff member
Hey there! It looks like there's been some discussion about this over in the other recent MariaDB thread here:

 

Steini Petur

Well-Known Member

Isn't it just lovely that this sort of exploit is out there while it's not yet time to update to .26 due to the ongoing issues? I hope that cPanel puts this as a priority for an official patch so people can start securing their MariaDBs properly without any hotfix.
 