MARIADB – MYISAM/ARIA TEMPORARY FILES ARBITRARY FILE DELETE VULNERABILITY
Product Description:
MariaDB Server is one of the most popular database servers in the world. It is developed by the original creators of the ubiquitous MySQL server and it is guaranteed by the developers to remain open source software. Notable users of MariaDB include Wikipedia, WordPress.com and Google.
MariaDB turns data into structured information in a wide array of applications, ranging from banking to websites. Originally designed as an enhanced, drop-in replacement for MySQL, MariaDB is used because it is fast, scalable and robust, with a rich ecosystem of storage engines, plugins and many other tools make it very versatile for a wide variety of use cases.
Vulnerability
We have been alerted of a vulnerability in MariaDB server relating to an arbitrary file delete vulnerability that allows unprivileged users the ability to corrupt and/or delete files owned by the 'mysql'
user including other user databases.
This vulnerability is allowed to happen due to the use of insecure temporary files related to the MyISAM/Aria operations.
In our testing, most hosting control panels that use MariaDB are vulnerable to this exploit. It is incredibly easy to exploit and users are highly recommended to update as soon as possible.
Versions Affected
Product: MariaDB
OS: Linux
URL: https://mariadb.org
Type: Arbitrary File Delete (CWE-59)
Vulnerable Version: All versions prior to fixed versions.
Fixed Version: 10.5.7, 10.4.16, 10.3.26, 10.2.35, 10.1.48
CVE Number: *PENDING*
Date: 2020-11-09
Disclosure
vulnerability researched and reported by RACK911LABS
- 2020-08-23: Vendor contacted via email.
- 2020-08-24: Vendor confirms vulnerability.
- 2020-11-04: Vendor issues update(s) resolving vulnerability.
- 2020-11-09: Public advisory released.
References:
- https://rack911labs.com
- https://jira.mariadb.org/browse/MDEV-23569
- https://mariadb.com/kb/en/mariadb-1057-release-notes/
- https://mariadb.com/kb/en/mariadb-10416-release-notes/
- https://mariadb.com/kb/en/mariadb-10326-release-notes/
- https://mariadb.com/kb/en/mariadb-10235-release-notes/
- https://mariadb.com/kb/en/mariadb-10148-release-notes/