MySQL remote exploit

Joseph Sinclair plug-discussion at stcaz.net
Mon Sep 12 13:29:06 MST 2016


FYI, minor improvement below to lock down a few edge cases (note, this is primarily for EXT{2,3,4} and other filesystems that support file attributes).
You'll also need to remove the attribute manually before updating when patches become available.

On 09/12/2016 12:33 PM, der.hans wrote:
> Am 12. Sep, 2016 schwätzte Herminio Hernandez Jr. so:
> 
> moin moin,
> 
>> Basically they mirror the repos. So when it hits debian I will upgrade.
> 
> Ah, OK.
> 
> You might also want to create a couple of empty files and lock them down.
> 
> $datadir can be exploited, so pre-emptively putting empty conf files in
> there that can't be changed by mysql is a good idea.
> 
> The following is for anyone with questions on locking down the config
> files in $datadir.
> 
> Presuming $datadir is /var/lib/mysql either of the following will lock
> down the files when run as root, but the first will destroy files you
> might already have.
> 
> # >/var/lib/mysql/my.cnf
> # >/var/lib/mysql/.my.cnf
> # chmod 000 /var/lib/mysql/{.,}my.cnf
# chattr +i /var/lib/mysql/{.,}my.cnf
> 
> Or, with some minimal verification that it's safe...
> 
> # for file in /var/lib/mysql/{.,}my.cnf; do
>     if [ ! -e "$file" ] ; then
>         >"$file"
>         chmod 000 "$file"
          chattr +i "$file"
>         ls -l "$file"
          lsattr "$file"
>     else
>         ls -l "$file"
          lsattr "$file"
>         echo "You might want to check on that"
>     fi
> done
> 
> ciao,
> 
> der.hans
> 
>> Sent from my iPhone
>>
>>> On Sep 12, 2016, at 12:00 PM, der.hans <PLUGd at LuftHans.com> wrote:
>>>
>>> Am 12. Sep, 2016 schwätzte Herminio Hernandez Jr. so:
>>>
>>> moin moin,
>>>
>>>> Thanks have some SQL in DO droplets. Will be looking for this.
>>>
>>> Will DigitalOcean automagically apply the patches for you?
>>>
>>> I would expect it's in their best interest.
>>>
>>> I'm certain DreamHost is already upgraded. GoDaddy is probably rolling it
>>> out already, but I no longer know anyone on the team over there, so am not
>>> sure how quick they will be.
>>>
>>> This is admittedly one of the advantages of cloud. The infrastructure
>>> providers can centrally test and roll out for everyone. The disadvantage
>>> is if it's something that affects you, but they don't know or care about
>>> it :).
>>>
>>> ciao,
>>>
>>> der.hans
>>>
>>>> Sent from my iPhone
>>>>
>>>>> On Sep 12, 2016, at 11:18 AM, der.hans <PLUGd at LuftHans.com> wrote:
>>>>>
>>>>> moin moin,
>>>>>
>>>>> a MySQL remote exploit was announced this morning. Percona and MariaDB
>>>>> already have fixes that have not yet hit the distros.
>>>>>
>>>>> https://www.percona.com/blog/2016/09/12/percona-server-critical-update-cve-2016-6662
>>>>>
>>>>> http://legalhackers.com/advisories/MySQL-Exploit-Remote-Root-Code-Execution-Privesc-CVE-2016-6662.html
>>>>>
>>>>> Watch for updates.
>>>>>
>>>>> ciao,
>>>>>
>>>>> der.hans
>>>>> -- 
>>>>> #  http://www.LuftHans.com/        http://www.PhxLinux.org/
>>>>> #  Fairy Tale, n.: A horror story to prepare children for the newspapers.
>>>>> ---------------------------------------------------
>>>>> PLUG-discuss mailing list - PLUG-discuss at lists.phxlinux.org
>>>>> To subscribe, unsubscribe, or to change your mail settings:
>>>>> http://lists.phxlinux.org/mailman/listinfo/plug-discuss
>>>
>>> -- 
>>> #  http://www.LuftHans.com/        http://www.PhxLinux.org/
>>> #  "You go to Afghanistan and you swallow enough dust that you'll pass an
>>> #  adobe brick." -- Robin Williams, 03Aug2006
> 
> 
> 
> 
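The lock-down der.hans describes, and the "remove the attribute before updating" step from the top of this reply, as one added example script (not code from the thread; neither der.hans nor Joseph posted this). It assumes the datadir is /var/lib/mysql unless MYSQL_DATADIR is set, and assumes an ext2/3/4-style filesystem where chattr +i works; where it does not, or when not run as root, the placeholder still ends up empty and mode 000 and the script says what it could not do.

```shell
#!/bin/sh
# Added example, not part of the mailing-list thread.
# Pre-create empty, root-owned, mode-000, immutable my.cnf/.my.cnf in the
# MySQL datadir so the mysql user cannot plant its own config there.
# Assumed default datadir: /var/lib/mysql (override with MYSQL_DATADIR).
# Run as root on a chattr-capable filesystem (ext2/3/4 ...) to get +i.

MYSQL_DATADIR="${MYSQL_DATADIR:-/var/lib/mysql}"

# True when lsattr reports the immutable ('i') flag on the file.
# lsattr prints the flag string as the first field of its output.
conf_file_is_immutable() {
    lsattr -d "$1" 2>/dev/null | cut -d' ' -f1 | grep -q i
}

# Create and lock one placeholder config file.
# Returns 0 when a placeholder was created (and locked as far as possible),
# 2 when something already exists at that path: it is left untouched and
# shown, because a config file you did not put there is worth a look.
lock_conf_file() {
    if [ -e "$1" ]; then
        printf 'EXISTS: %s - left untouched, check where it came from\n' "$1" >&2
        ls -l "$1" >&2
        lsattr -d "$1" >&2 2>/dev/null || true
        return 2
    fi
    : > "$1"                 # empty placeholder
    chmod 000 "$1"           # no read/write for anyone but root
    if [ "$(id -u)" -eq 0 ]; then
        chown root:root "$1" # must not be owned by the mysql user
        # +i needs root and an attribute-capable filesystem; a failure is
        # reported, not fatal, so the file still ends up empty and 000.
        if chattr +i "$1" 2>/dev/null && conf_file_is_immutable "$1"; then
            printf 'LOCKED: %s\n' "$1" >&2
        else
            printf 'WARN: could not set +i on %s (no chattr support?)\n' "$1" >&2
        fi
    else
        printf 'WARN: not root, skipped chown/chattr for %s\n' "$1" >&2
    fi
    return 0
}

# Undo the lock before a package upgrade; re-run --apply afterwards.
unlock_conf_file() {
    chattr -i "$1" 2>/dev/null || true
}

# Lock both spellings of the config file name in one datadir.
# Returns 0 if every placeholder was created, 2 if any path already existed.
lock_datadir_configs() {
    rc=0
    for name in my.cnf .my.cnf; do
        lock_conf_file "$1/$name" || rc=$?
    done
    return "$rc"
}

case "${1-}" in
    --apply)  lock_datadir_configs "$MYSQL_DATADIR" ;;
    --unlock) for name in my.cnf .my.cnf; do
                  unlock_conf_file "$MYSQL_DATADIR/$name"
              done ;;
esac
```

Usage: `sudo sh lock-mysql-cnf.sh --apply` (the script name is an assumption) to create the placeholders, `--unlock` before a package update, then `--apply` again. The exit status of `--apply` is 2 whenever a file was already present, which makes it usable as a quick check from cron or a config-management run.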
