An Anonymous Coward writes:
Multiple serious vulnerabilities have been found in MySQL.
http://seclists.org/oss-sec/2016/q3/481
Among them, CVE-2016-6662 is an attack that uses LD_PRELOAD, and it is said that a MySQL instance that is not supposed to run as root can be made to yield root privileges.
The exploitation is interesting in the way that it involves an oldschool LD_PRELOAD environment variable and that it targets a service that doesn't serve requests as root but could still be tricked to get root RCE when restarted.
Might give you strange feelings when restarting mysql service the next time ;)
http://legalhackers.com/advisories/MySQL-Exploit-Remote-Root-Code-Execution-Privesc-CVE-2016-6662.html
If mysqld is started directly by systemd without the mysqld_safe wrapper script, you may not be affected, but you may still be vulnerable if the wrapper is used somewhere.
It is also said that the as-yet-unpublished CVE-2016-6663 makes it easy to obtain the FILE privilege.
VII. BUSINESS IMPACT
-------------------------
As discussed above the vulnerability could be exploited by attackers with both
privileged and unprivileged (with FILE privilege only) access to mysql accounts.
It could also be combined with CVE-2016-6663 vulnerability which will be released
shortly and could allow certain attackers to escalate their privileges to root
even without FILE privilege.
The vulnerability could also be exploited via an SQL injection vector, which
removes the need for the attackers to have direct mysql connection and increases
the risk of exploitation.
Successful exploitation could gain an attacker a remote shell with root privileges
which would allow them to fully compromise the remote system.
If exploited, the malicious code would run as soon as MySQL daemon gets
restarted. MySQL service restart could happen for a number of reasons.
VIII. SYSTEMS AFFECTED
-------------------------
All MySQL versions from the oldest versions to the latest shown at the beginning
of this advisory.
Some systems run MySQL via Systemd and provide direct startup path to mysqld
daemon instead of using mysqld_safe wrapper script. These systems however are
also at risk as mysqld_safe may be called on update by the installation scripts
or some other system services.
Because the exploit only accesses files normally used by MySQL server (
such as the config), and the injected library is preloaded by the mysqld_safe startup
script, not included within the default policies, the vulnerability can be
exploited even if security modules such as SELinux and AppArmor are installed with
active security policies for the MySQL daemon.
http://qiita.com/yoku0825/items/dcdffae9e95658d86502
Some people are also investigating the scope of impact on their own.
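An added defender-side check, written for this post and not taken from the advisory or the submitter: it looks for the two conditions the advisory describes, a malloc-lib entry in my.cnf that mysqld_safe would export as LD_PRELOAD, and a config file the MySQL service account can modify. The sample my.cnf, the hook library path and the trusted-directory list are constructed assumptions.

```python
import os
import stat

# Constructed sample my.cnf (not from the advisory). malloc-lib is the option
# mysqld_safe exports as LD_PRELOAD; here it points into the data directory,
# which the mysql account can write to.
SAMPLE_CNF = """[mysqld]
datadir=/var/lib/mysql
skip-networking
malloc_lib = /var/lib/mysql/mysql_hook.so

[mysqld_safe]
log-error=/var/log/mysqld.log
"""

# Assumed set of directories where a preload library is expected to live.
TRUSTED_LIB_DIRS = ("/usr/lib/", "/usr/lib64/", "/lib/", "/lib64/")

def find_preload_entries(cnf_text):
    """Return [(group, path, trusted)] for every malloc-lib / malloc_lib key.

    Parsed by hand because my.cnf allows valueless keys and !include lines,
    which configparser rejects. Any hit deserves review; a path outside the
    trusted directories is the strongest signal."""
    hits, group = [], None
    for raw in cnf_text.splitlines():
        line = raw.split("#", 1)[0].strip()        # drop comments
        if not line or line.startswith("!"):       # skip !include directives
            continue
        if line.startswith("[") and line.endswith("]"):
            group = line[1:-1].strip()
            continue
        key, _, value = line.partition("=")
        if key.strip().lower().replace("_", "-") == "malloc-lib":
            path = value.strip()
            hits.append((group, path, path.startswith(TRUSTED_LIB_DIRS)))
    return hits

def writable_by_service(path, uid, gid):
    """True if the service account (uid/gid) could modify the config file:
    it owns the file, the file is group-writable for its group, or it is
    world-writable."""
    st = os.stat(path)
    return (st.st_uid == uid
            or (st.st_gid == gid and st.st_mode & stat.S_IWGRP != 0)
            or st.st_mode & stat.S_IWOTH != 0)

if __name__ == "__main__":
    for group, path, trusted in find_preload_entries(SAMPLE_CNF):
        print(f"[{group}] malloc-lib={path} -> {'ok' if trusted else 'REVIEW'}")
```

Run it against every file my_print_defaults would read (/etc/my.cnf, /etc/mysql/*.cnf, ~mysql/.my.cnf) with the uid/gid of the mysql account; a REVIEW hit in a file the account can write is exactly the setup the advisory describes.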