Blog
Vulnerabilities and Threats

Intruder Vulnerability Bulletin — MySQL Privilege Escalation Vulnerabilities

David Robinson
Author
David Robinson

Key Points

You may have heard of two new MySQL vulnerabilities in the news over the past couple of days (CVE-2016–6662 & CVE-2016–6663).

CVE-2016–6662

This vulnerability affects MySQL (versions < 5.7.15, < 5.6.33, < 5.5.52) as well as its MariaDB and PerconaDB derivatives.

If successfully exploited, this vulnerability may allow an attacker who has already gained access to the database to elevate their privileges to the “root” administrative level.

It is important to note that in order for an attack to be successful, the attacker must have already gained access to an affected database (eg. via another attack such as SQL Injection), which would be considered a critical weakness in its own right (they would likely already have complete control of your application’s data).

We’ve already checked our customers’ systems, but, even if you’re not using Intruder’s continuous monitoring service yet, this vulnerability isn’t something to get in a panic about, and we recommend patching any affected databases across your estate as part of your normal patching process.

Further details of this vulnerability can be found at: http://legalhackers.com/advisories/MySQL-Exploit-Remote-Root-Code-Execution-Privesc-CVE-2016-6662.html

CVE-2016–6663

Full details of this vulnerability have not yet been released, however initial information suggests it is similar in nature to CVE-2016–6662. We will issue an update as more information becomes available.

Get our free

Ultimate Guide to Vulnerability Scanning

Learn everything you need to get started with vulnerability scanning and how to get the most out of your chosen product with our free PDF guide.

Sign up for your free 14-day trial

7 days free trial