MySQL - CVE-2016-6662

Discussion in 'Security' started by ciao70, Sep 12, 2016.

  1. ciao70

    ciao70 Member

    Hi,

    Critical Vulnerability (0-Day) in all versions of MySQL

    helpnetsecurity.com/2016/09/12/mysql-0-day-cve-2016-6662/


    legalhackers.com/advisories/MySQL-Exploit-Remote-Root-Code-Execution-Privesc-CVE-2016-6662.html
     
    #1 ciao70, Sep 12, 2016
    Last edited by a moderator: Sep 12, 2016
  2. ImWorriedAboutCoop

    ImWorriedAboutCoop Registered

    We've been working with our Sysadmins - here is what we have learned.

    fdgweb.com/cve-2016-6662-remote-root-code-execution-privilege-escalation-0day-exploit

    You basically should check that your /etc/my.cnf has the correct ownership/permissions. No MySQL users created by cPanel should have SUPER or FILE permissions unless specifically set by a System Administrator since neither of these permissions can be granted through cPanel or any other method other than root access.

    However, as I understand it - if you have granted these permissions via SSH / MySQL via root - then you can be vulnerable.

    You can view grants like so:

    SHOW GRANTS [FOR user]

    Full explanation: MySQL :: MySQL 5.7 Reference Manual :: 14.7.5.21 SHOW GRANTS Syntax

    Would love for cPanel to weigh in though .. as this is all still reactionary.
     
    #2 ImWorriedAboutCoop, Sep 12, 2016
    Last edited by a moderator: Sep 12, 2016
  3. rpvw

    rpvw Well-Known Member

  4. Infopro

    Infopro cPanel Sr. Product Evangelist
    Staff Member

  5. Venomous21

    Venomous21 Well-Known Member

    Hello,

    1) I verified /etc/my.cnf was owned by root/root with rw-r--r-- permissions. I did not create a .my.cnf here, should I have?

    I read several articles about this issue and followed the steps outlined in the cPanel article. Specifically, I used the following command as root:
    touch /var/lib/mysql/my.cnf /var/lib/mysql/.my.cnf to create both as empty dummy files owned by root/root with rw-r--r-- permissions

    2) Do you recommend additional mitigations? It appears there is a new CVE that hasn't been publicly disclosed CVE-2016-6663 allowing to bypass the needed FILE permissions & just need the SELECT permission, which pretty much every database has. A bit scary.

    3) I have a default mysql configuration. Do you recommend creating the empty my.cnf & .my.cnf elsewhere besides /var/lib/mysql?

    4) Should I remove the two dummy my.cnf / .my.cnf files from /var/lib/mysql when patching mysql? Assume it doesn't matter.

    5) Will you be publishing the mysql 5.6.33 fixed version to both WHM 58 & 56 or just WHM 58? Still have some old centos5 servers that can only run 56 stable. I assume since this is security related that it would be published to 56 as well. Is there an ETA?

    Thank you.
     
  6. Infopro

    Infopro cPanel Sr. Product Evangelist
    Staff Member

    Good. No, you have one there and checked its owner and permissions.


    Do any of your users have SUPER or FILE grants, as mentioned in the article? There's a command posted there you can use to check. Those additional my.cnf are for that.

    The article explains what's needed.

     
  7. Venomous21

    Venomous21 Well-Known Member

    Hello,

    I read several articles on this. None of my users have the SUPER or FILE grants, however, they all have the SELECT permission. Basically, there's a new CVE 2016-6663 and from what I understand, it doesn't need the FILE or SUPER grant (just the SELECT one) and basically bypasses the FILE permission and can also exploit this vulnerability. As such, I created the empty my.cnf .my.cnf files in /var/lib/mysql with 0644 owned by root:root as a precaution. From what I've read, it's possible CVE 2016-6663 is already being exploited as 0-day and it's not hard to bypass the lack of FILE user permission. Ultimately, I just want to push out the newest version of MySQL asap. Thoughts or am I missing something?

    Is there an ETA on the new MYSQL version getting pushed out by cpanel?

    Thank you.
     
  8. keat63

    keat63 Well-Known Member

    I followed the link to CVE-2016-6662 as posted by Infopro.
    I see that my.cnf is owned by root with 644 permissions, and when I run the command:
    mysql mysql -e 'select User,Host from user where User != "root" and ( File_priv = "Y" or Super_priv = "Y" );'

    I get nothing whatsoever back, just back to the # prompt.
    Can I deduce from this that I'm not vulnerable?

    Incidentally, I'm not aware of creating any MYSQL users outside of Cpanel or WHM, I wouldn't even know how to.
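
The file checks discussed in this thread (root ownership and non-writable permissions on /etc/my.cnf and on the two placeholder files in /var/lib/mysql), as an added shell example that is not part of any post or of cPanel's article. The function names are illustrative, and it assumes GNU stat and the default data directory.

```sh
#!/bin/sh
# Added example (not from the thread or cPanel). Assumes GNU stat on Linux.
# check_cnf and audit_all are illustrative names.

# check_cnf PATH [OWNER_UID]
# returns 0 ok, 1 missing, 2 symlink, 3 wrong owner, 4 group/other-writable
check_cnf() {
    f=$1
    want_uid=${2:-0}
    if [ -L "$f" ]; then return 2; fi   # a link could redirect to a file root does not control
    [ -e "$f" ] || return 1
    uid=$(stat -c '%u' "$f")
    mode=$(stat -c '%a' "$f")           # octal digits, e.g. 644
    [ "$uid" -eq "$want_uid" ] || return 3
    [ $(( 0$mode & 022 )) -eq 0 ] || return 4
    return 0
}

# audit_all [ROOT_PREFIX] [OWNER_UID]
# Checks the three paths named in this thread; returns how many failed.
audit_all() {
    prefix=${1:-}
    owner=${2:-0}
    failed=0
    for p in /etc/my.cnf /var/lib/mysql/my.cnf /var/lib/mysql/.my.cnf; do
        rc=0
        check_cnf "$prefix$p" "$owner" || rc=$?
        case $rc in
            0) msg="ok" ;;
            1) msg="MISSING" ;;
            2) msg="SYMLINK" ;;
            3) msg="NOT OWNED BY UID $owner" ;;
            4) msg="GROUP/OTHER WRITABLE" ;;
        esac
        printf '%-26s %s\n' "$p" "$msg"
        [ "$rc" -eq 0 ] || failed=$((failed + 1))
    done
    return "$failed"
}

# Audit the live system: no path prefix, files expected to belong to uid 0.
audit_all "" 0 || echo "Review the paths flagged above."
```

A MISSING result for either /var/lib/mysql path means the placeholder file described in the posts above is not in place.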
     
  9. ciao70

    ciao70 Member

    Hi,

    Is there an ETA on the new MYSQL version getting pushed out by cpanel?


    Revision 2

    - CVE-2016-6662
    - Release date: 12.09.2016
    - Last updated: 16.09.2016
    - Revision: 2
    - Severity: Critical

    legalhackers.com/advisories/MySQL-Exploit-Remote-Root-Code-Execution-Privesc-CVE-2016-6662.html


    MySQL releases containing security fixes:
    MySQL :: MySQL 5.5 Release Notes :: Changes in MySQL 5.5.52 (2016-09-06)
    MySQL :: MySQL 5.6 Release Notes :: Changes in MySQL 5.6.33 (2016-09-06)
    MySQL :: MySQL 5.7 Release Notes :: Changes in MySQL 5.7.15 (2016-09-06)

    Thanks
     
  10. Infopro

    Infopro cPanel Sr. Product Evangelist
    Staff Member

    No word yet:

     
  11. ciao70

    ciao70 Member

  12. ciao70

    ciao70 Member

    Fixed in 11.58.0.30
    • Fixed case CPANEL-8432: Update MySQL55 to 5.5.52-1.cp1156.
    • Fixed case CPANEL-8434: Update MySQL56 to 5.6.33-1.cp1156.
    Thanks
     
  13. sparek-3

    sparek-3 Well-Known Member

    Will this not be fixed in cPanel 11.56 or 11.54?

    Aren't those versions still in LTS and still supported?
     
  14. cPanelMichael

    cPanelMichael Forums Analyst
    Staff Member

    Hello @sparek-3,

    CPANEL-8432 and CPANEL-8434 are planned for inclusion with cPanel version 56.0.35. I'll update this thread once that version is published. There are no plans to include these cases with cPanel version 54, however mitigation steps are available at:

    CVE-2016-6662 MySQL - cPanel Knowledge Base - cPanel Documentation

    Thank you.
     
  15. sparek-3

    sparek-3 Well-Known Member

    Hmm, luckily I'm not using cPanel 54. But I can see how this could get under someone's skin if they are.

    So essentially you are not supporting cPanel 54 any more? And the table for scheduled end-of-life for cPanel 54 ( cPanel Long-Term Support - Documentation - cPanel Documentation ) should have anticipated end-of-life for cPanel 54 as September 2016.

    I know you plan to make some changes to the way releases and LTSs are done starting in 2017. I'm not sure if I'll really like those changes, but I'll admit something probably needs to be done.

    It sounds to me like if you aren't going to provide security updates for cPanel 54 any more, then you should just cut it from your list of supported versions.

    But I'm also hoping that when 2017 comes around and you change your LTS strategy that you don't decide to pick and choose what security patches to release for LTS versions and other supported versions.

    I don't have a problem with cutting support for a version, and to your credit the LTS table does say Anticipated End-of-Life which I suppose can mean that you can cut off support before then (or after). But for all of the versions that are "in life" I think you are obligated to honoring security patches.
     
  16. Venomous21

    Venomous21 Well-Known Member

    I agree 100% with sparek-3. I'm migrating Centos5 systems to Centos6/7 before Centos5 is e-o-l March 31st, 2017, however, some clients refuse to perform a migration until almost the last minute. As such, I rely on cpanel to continue to push out security updates to cpanel 56 until Centos5 is e-o-l.
     
  17. cPanelMichael

    cPanelMichael Forums Analyst
    Staff Member
