Discovered by Matthew Van Gundy of Asig
Overview
Today, Talos is releasing details of a new vulnerability within MySQL Multi-Master Manager. MySQL MMM (Multi-Master Replication Manager for MySQL) is used to perform monitoring, failover and management of MySQL master-master replication configurations, and it ensures that only one node is writeable at a time. With MySQL MMM, an end user can also choose to move their virtual IP addresses to different servers depending on their replication status.
TALOS-2017-501 - MySQL Multi-Master Manager Remote Command Injection Vulnerability (CVE-2017-14474 - CVE-2017-14481)
Multiple exploitable remote command injection vulnerabilities exist in the MySQL Master-Master Replication Manager (MMM) mmm_agentd daemon 2.2.1. mmm_agentd commonly runs with root privileges and does not require authentication by default. A specially crafted MMM protocol message can cause a shell command injection resulting in arbitrary command execution with the privileges of the mmm_agentd process. An attacker that can initiate a TCP session with mmm_agentd can trigger these vulnerabilities. Detailed vulnerability information can be found here.
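Because any host that can initiate a TCP session with mmm_agentd can reach these flaws, a useful first check is which interfaces the agent is listening on. The following is an added example, not Talos or MMM project code: it parses `ss -H -tlnp` output and reports agent listeners that are not bound to loopback. The process name as displayed by `ss`, the function name `exposed_agents`, and the sample lines (including the port number) are assumptions constructed for illustration.

```python
import ipaddress
import re

# Assumption: the agent appears in `ss -p` output under this process name.
AGENT_NAME = "mmm_agentd"

# Constructed sample of `ss -H -tlnp` output (not captured from a real host).
SAMPLE_SS = """\
LISTEN 0 128 0.0.0.0:9989 0.0.0.0:* users:(("mmm_agentd",pid=2211,fd=4))
LISTEN 0 128 127.0.0.1:3306 0.0.0.0:* users:(("mysqld",pid=1890,fd=21))
LISTEN 0 128 [::1]:9989 [::]:* users:(("mmm_agentd",pid=2300,fd=4))
LISTEN 0 128 10.0.5.12:9989 0.0.0.0:* users:(("mmm_agentd",pid=2412,fd=4))
"""


def exposed_agents(ss_output, name=AGENT_NAME):
    """Return (bind_address, port, pid) for each agent listener that is
    reachable from beyond the local host (wildcard or non-loopback bind)."""
    findings = []
    for line in ss_output.splitlines():
        fields = line.split()
        if len(fields) < 6 or fields[0] != "LISTEN":
            continue
        # The process column looks like: users:(("name",pid=N,fd=M),...)
        procs = re.findall(r'\("([^"]+)",pid=(\d+)', fields[5])
        pids = [int(pid) for pname, pid in procs if pname == name]
        if not pids:
            continue
        # Local address is host:port; IPv6 hosts are bracketed and may
        # carry a %interface suffix.
        host, _, port = fields[3].rpartition(":")
        host = host.strip("[]").split("%")[0]
        if host != "*" and ipaddress.ip_address(host).is_loopback:
            continue  # loopback-only listener, not reachable remotely
        findings.append((host, int(port), pids[0]))
    return findings


if __name__ == "__main__":
    for host, port, pid in exposed_agents(SAMPLE_SS):
        print(f"mmm_agentd pid {pid} listening on {host}:{port}")
```

On a live host, pass the output of `ss -H -tlnp` (run as root so process names are visible) instead of the sample, and restrict any reported listener to the monitor host with a bind address or firewall rule.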
Known vulnerable versions
MMM 2.2.1
http://mysql-mmm.org/
Coverage
The following Snort Rules will detect exploitation attempts. Note that additional rules may be released at a future date and current rules are subject to change pending additional vulnerability information. For the most current rule information, please refer to your FireSIGHT Management Center or Snort.org.
Snort Rule: 45089