Executive Summary

Summary
Title MySQL for Windows is vulnerable to privilege escalation due to OPENSSLDIR location
Informations
Name VU#567764 First vendor Publication 2021-04-20
Vendor VU-CERT Last vendor Modification 2021-04-22
Severity (Vendor) N/A Revision M

Security-Database Scoring CVSS v3

Cvss vector : CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:L/A:N
Overall CVSS Score 6.1
Base Score 6.1 Environmental Score 6.1
impact SubScore 4.2 Temporal Score 6.1
Exploitabality Sub Score 1.8
 
Attack Vector Local Attack Complexity Low
Privileges Required None User Interaction Required
Scope Unchanged Confidentiality Impact High
Integrity Impact Low Availability Impact None
Calculate full CVSS 3.0 Vectors scores

Security-Database Scoring CVSS v2

Cvss vector : (AV:L/AC:M/Au:N/C:P/I:P/A:N)
Cvss Base Score 3.3 Attack Range Local
Cvss Impact Score 4.9 Attack Complexity Medium
Cvss Expoit Score 3.4 Authentication None Required
Calculate full CVSS 2.0 Vectors scores

Detail

Overview

MySQL for Windows contains a privilege escalation vulnerability due to the use of an OPENSSLDIR variable that specifies a location where an unprivileged Windows user can create files.

Description

CVE-2021-2307

MySQL includes an OpenSSL component that specifies an OPENSSLDIR variable as a subdirectory of /build_area/. On the Windows platform, this path is interpreted as C:\build_area. MySQL contains a privileged service that uses this OpenSSL component. Because unprivileged Windows users can create subdirectories off of the system root, a user can create the appropriate path to a specially-crafted openssl.cnf file to achieve arbitrary code execution with SYSTEM privileges.

Impact

By placing a specially-crafted openssl.cnf in a C:\build_area subdirectory, an unprivileged user may be able to execute arbitrary code with SYSTEM privileges on a Windows system with the vulnerable MySQL software installed.

Solution

Apply an update

This vulnerability is addressed in the MySQL Windows installer version 8.0.24 and 5.7.34.

Create a C:\build_area directory

In cases where an update cannot be installed, this vulnerability can be mitigated by creating a C:\build_area directory and restricting ACLs to prevent unprivileged users from being able to write to this location.

Acknowledgements

This vulnerability was reported by Will Dormann of the CERT/CC.

This document was written by Will Dormann.

Original Source

Url : https://kb.cert.org/vuls/id/567764

CPE : Common Platform Enumeration

TypeDescriptionCount
Application 2
Application 1
Application 1
Application 1
Application 472

Alert History

If you want to see full details history, please login or register.
0
1
2
Date Informations
2021-09-23 17:17:46
  • Multiple Updates
2021-04-22 17:17:35
  • Multiple Updates
2021-04-21 00:17:15
  • First insertion