Source: cve@mitre.org
mysqld in MySQL 3.21 creates log files with world-readable permissions, which allows local users to obtain passwords for users who are added to the user database.
MySQL 3.21 is vulnerable to a critical local privilege escalation. The software creates world-readable log files, exposing user credentials, including passwords, to any local user. This allows attackers to gain unauthorized access to the database and potentially compromise the entire system.
Step 1: Local Access: An attacker gains local access to the vulnerable system. This could be through a compromised account, physical access, or another vulnerability.
Step 2: Identify Log File Location: The attacker identifies the location of the MySQL log files. This information can often be found in the MySQL configuration file or through default locations.
Step 3: Read Log File: The attacker reads the contents of the world-readable log files.
Step 4: Extract Credentials: The attacker parses the log files, extracting usernames and passwords for MySQL users.
Step 5: Gain Database Access: The attacker uses the extracted credentials to connect to the MySQL database.
Step 6: Privilege Escalation (Potential): Depending on the privileges of the compromised MySQL user, the attacker may be able to escalate their privileges within the database, potentially gaining control of the entire database server.
The vulnerability stems from a flawed implementation of the logging mechanism in MySQL 3.21. Specifically, the mysqld process, when creating log files, fails to set appropriate file permissions. This results in the creation of log files with world-readable permissions (e.g., chmod 666). This means any local user can read the contents of these log files. The log files contain sensitive information, including user credentials (passwords) for users added to the user database. The root cause is a lack of secure default file permission settings during log file creation, a fundamental security oversight.
Due to the age of the vulnerability, it's unlikely to be directly targeted by sophisticated APTs. However, it could be leveraged in conjunction with other vulnerabilities as part of a broader attack chain if an organization is still running the vulnerable version. Not listed on CISA KEV.
Monitor file system activity for the creation of log files with world-readable permissions (e.g., using auditd or similar tools).
Analyze MySQL log files for suspicious activity, such as unauthorized login attempts or unusual database queries.
Implement file integrity monitoring to detect any unauthorized modifications to MySQL configuration files or log files.
Review system logs for any instances of mysqld process creation or modification of log file permissions.
Upgrade: The most effective remediation is to upgrade to a supported and secure version of MySQL. This is the primary and recommended solution.
Restrict Access: If upgrading is not immediately possible, restrict access to the system where the vulnerable MySQL instance is running. Limit the number of users with local access.
File Permissions: If upgrading is not possible, manually change the permissions of the log files to be more restrictive (e.g., chmod 600 or chmod 640). However, this is a workaround and does not address the root cause.
Configuration Review: Review the MySQL configuration file (my.cnf or similar) to ensure that logging is configured securely and that sensitive information is not being logged unnecessarily.
Regular Audits: Conduct regular security audits to identify and address any vulnerabilities or misconfigurations.