Oracle MySQL Server InnoDB Memcached Vulnerability

By

Overview:

  MySQL is a popular open-source implementation of a relational database that supports the Structured Query Language (SQL) for querying and updating stored data. Communication with the database occurs using the MySQL protocol. As with other database implementations, MySQL supports a number of database storage engines, with InnoDB as the default backend.

  A buffer overflow vulnerability has been reported in Oracle MySQL. The vulnerability exists in the InnoDB memcached plugin component.

  A remote, unauthenticated attacker could exploit this vulnerability by sending a crafted packet to the vulnerable server. Successful exploitation will allow an attacker to execute arbitrary code in the context of the application.

  Vendor Homepage

CVE Reference:

  This vulnerability has been assigned the Common Vulnerabilities and Exposures (CVE) identifier CVE-2021-2429.

  CVE Listing

Common Vulnerability Scoring System (CVSS):

  The overall CVSS score is 6.4 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L/E:U/RL:O/RC:C).

  Base score is 7.3 (AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L), based on the following metrics:
    • Attack vector is network.
    • Attack complexity is low.
    • Privileges required is none.
    • User interaction is none.
    • Scope is unchanged.
    • Impact of this vulnerability on data confidentiality is low.
    • Impact of this vulnerability on data integrity is low.
    • Impact of this vulnerability on data availability is low.
  Temporal score is 6.4 (E:U/RL:O/RC:C), based on the following metrics:
    • The exploit code maturity level of this vulnerability is unproven.
    • The remediation level of this vulnerability is official fix.
    • The report confidence level of this vulnerability is confirmed.

  CVSS Calculator Metrics

Technical Overview:

  A heap buffer overflow vulnerability exists in MySQL InnoDB-memcached plugin when it is handling the incoming get command. This is performed in the innodb_get() function. When there was “@@store_name” notation inside a get command, the vulnerable function will execute the code branch to switch tables. During the implementation, it will retrieve the schema (db_schema) and table (db_table) information using the supplied store_name, and build the table_name by following format string (depending on Windows platform or not):

  %s\%s

  or

  %s/%s

  For the above example, when the memcached server received a get command as “get @@aaa”, the table_name will be built as “ts1\tab1”. Then, this table_name will be copied into a heap buffer with fixed size of 16384. If there were multiple “@@store_name” notations in one get command, all generated table_name will be copied into this buffer in order. However, the vulnerable function failed to validate the total length of these table_name strings and this could result in the said heap buffer overflowed.

  Memcached Get Data

Triggering the Problem:

  • The target host must have a vulnerable version of the affected product installed and running.
  • The target product must have the InnoDB-memcached plugin enabled.
  • The attacker must have the means to deliver crafted packets to the target service.

Triggering Conditions:

  The attacker sends a malicious Memcached get request to the target server. The vulnerability is triggered when the server processes the malicious request.

Attack Delivery:

  The following application protocols can be used to deliver an attack that exploits this vulnerability:
    • Memcache, over port 11211/TCP

SonicWall’s, (IPS) Intrusion Prevention System, provides protection against this threat:

  • IPS: 3109 MySQL InnoDB Memcached Plugin DoS

Remediation Details:

  Listed actions that may be taken in order to mitigate or eliminate the risks associated with this vulnerability.
    • Limit access to the database to allow trusted users only.
    • Restrict remote connections to trusted hosts only.
    • Filter attack traffic using the signature above.
    • Upgrade the vulnerable product to a non-vulnerable version.
  The vendor, Oracle, has released the following advisory regarding this vulnerability
  Vendor Advisory

Security News
The SonicWall Capture Labs Threat Research Team gathers, analyzes and vets cross-vector threat information from the SonicWall Capture Threat network, consisting of global devices and resources, including more than 1 million security sensors in nearly 200 countries and territories. The research team identifies, analyzes, and mitigates critical vulnerabilities and malware daily through in-depth research, which drives protection for all SonicWall customers. In addition to safeguarding networks globally, the research team supports the larger threat intelligence community by releasing weekly deep technical analyses of the most critical threats to small businesses, providing critical knowledge that defenders need to protect their networks.