Oracle MySQL Server InnoDB Memcached Vulnerability
MySQL is a popular open-source implementation of a relational database that supports the Structured Query Language (SQL) for querying and updating stored data. Communication with the database occurs using the MySQL protocol. As with other database implementations, MySQL supports a number of database storage engines, with InnoDB as the default backend.
A buffer overflow vulnerability has been reported in Oracle MySQL. The vulnerability exists in the InnoDB memcached plugin component.
A remote, unauthenticated attacker could exploit this vulnerability by sending a crafted packet to the vulnerable server. Successful exploitation will allow an attacker to execute arbitrary code in the context of the application.
This vulnerability has been assigned the Common Vulnerabilities and Exposures (CVE) identifier CVE-2021-2429.
Common Vulnerability Scoring System (CVSS):
The overall CVSS score is 6.4 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L/E:U/RL:O/RC:C).
Base score is 7.3 (AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L), based on the following metrics:
• Attack vector is network.
• Attack complexity is low.
• Privileges required is none.
• User interaction is none.
• Scope is unchanged.
• Impact of this vulnerability on data confidentiality is low.
• Impact of this vulnerability on data integrity is low.
• Impact of this vulnerability on data availability is low.
Temporal score is 6.4 (E:U/RL:O/RC:C), based on the following metrics:
• The exploit code maturity level of this vulnerability is unproven.
• The remediation level of this vulnerability is official fix.
• The report confidence level of this vulnerability is confirmed.
A heap buffer overflow vulnerability exists in MySQL InnoDB-memcached plugin when it is handling the incoming get command. This is performed in the innodb_get() function. When there was “@@store_name” notation inside a get command, the vulnerable function will execute the code branch to switch tables. During the implementation, it will retrieve the schema (db_schema) and table (db_table) information using the supplied store_name, and build the table_name by following format string (depending on Windows platform or not):
For the above example, when the memcached server received a get command as “get @@aaa”, the table_name will be built as “ts1\tab1”. Then, this table_name will be copied into a heap buffer with fixed size of 16384. If there were multiple “@@store_name” notations in one get command, all generated table_name will be copied into this buffer in order. However, the vulnerable function failed to validate the total length of these table_name strings and this could result in the said heap buffer overflowed.
Triggering the Problem:
• The target host must have a vulnerable version of the affected product installed and running.
• The target product must have the InnoDB-memcached plugin enabled.
• The attacker must have the means to deliver crafted packets to the target service.
The attacker sends a malicious Memcached get request to the target server. The vulnerability is triggered when the server processes the malicious request.
The following application protocols can be used to deliver an attack that exploits this vulnerability:
• Memcache, over port 11211/TCP
SonicWall’s, (IPS) Intrusion Prevention System, provides protection against this threat:
• IPS: 3109 MySQL InnoDB Memcached Plugin DoS
Listed actions that may be taken in order to mitigate or eliminate the risks associated with this vulnerability.
• Limit access to the database to allow trusted users only.
• Restrict remote connections to trusted hosts only.
• Filter attack traffic using the signature above.
• Upgrade the vulnerable product to a non-vulnerable version.
The vendor, Oracle, has released the following advisory regarding this vulnerability