CVE-2020-7221 in MariaDB

Summary

by MITRE

mysql_install_db in MariaDB 10.4.7 through 10.4.11 allows privilege escalation from the mysql user account to root because chown and chmod are performed unsafely, as demonstrated by a symlink attack on a chmod 04755 of auth_pam_tool_dir/auth_pam_tool. NOTE: this does not affect the Oracle MySQL product, which implements mysql_install_db differently.


Analysis

by VulDB Data Team • 03/28/2024

CVE-2020-7221 is a local privilege escalation flaw in MariaDB 10.4.7 through 10.4.11 that lets an attacker who already controls the mysql user account obtain root. It stems from unsafe file permission handling in mysql_install_db: the script performs chown and chmod on a path under a directory the mysql user can influence, without checking whether that path is a symbolic link. Because the step that applies these permissions runs with root privileges, an attacker who can place a symlink at the right location turns a routine database initialization into a path to root.

Technically, the problem lies in the handling of the PAM authentication helper. mysql_install_db runs chmod 04755 on auth_pam_tool_dir/auth_pam_tool, which sets the setuid bit on that file. chmod follows symbolic links, and the script does not verify that the path is a regular file rather than a link. If the mysql user has replaced auth_pam_tool with a symlink to a file they control, the ownership and permission changes land on the symlink's target, and the attacker ends up with a binary of their choosing carrying root ownership (from the chown) and the setuid bit (from the chmod 04755). This is the pattern described by CWE-59 (improper link resolution before file access, "link following") and CWE-732 (incorrect permission assignment for a critical resource): the installer manipulates ownership and mode without resolving what it is actually operating on.

The operational impact is full compromise of the host, not only of the database: a setuid-root binary chosen by the attacker yields a root shell on demand. The preconditions are modest. The attacker needs to act as the mysql user (for example through a compromised database process) and to be able to populate auth_pam_tool_dir before an administrator runs mysql_install_db as root, which happens in initial deployments and whenever a data directory is re-initialized; the attacker does not need to run the script themselves. This maps to ATT&CK T1068 (Exploitation for Privilege Escalation) and T1548.001 (Abuse Elevation Control Mechanism: Setuid and Setgid). The risk is amplified because initialization scripts are routinely executed with elevated privileges during provisioning and are rarely treated as attack surface.

Mitigation starts with upgrading affected installations to MariaDB 10.4.12 or later, where the chown and chmod steps were corrected. Beyond patching, an installer that runs as root should not apply ownership or mode changes to a path inside a directory writable by an unprivileged account without first confirming that the entry is a regular file and not a link; better still, it should create the file itself with the intended mode rather than fixing up permissions afterwards, because a check-then-chmod sequence still leaves a race window. Administrators can reduce exposure by restricting write access to installation and plugin directories where practical, by running mysql_install_db only against freshly created data directories, and by watching for unexpected setuid-root files (a periodic find / -perm -4000 sweep or file integrity monitoring both work). The flaw is a reminder that file system operations in privileged installers need the same care as application code, especially where symbolic links and permission changes meet.
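The following shell script is an added example; it is not part of the VulDB entry and is not MariaDB's own mysql_install_db. It reproduces, in a throwaway directory, the chmod-follows-symlink pattern described in the analysis above and the "refuse anything that is not a regular file" check recommended in the mitigation paragraph, so both can be observed side by side. The directory and file names (auth_pam_tool_dir, attacker_binary) are constructed for the demonstration; only chmod is exercised, since setting the setuid bit on a file you own needs no root, while the chown step of the real script does.

```shell
#!/bin/sh
# Added example, not code from MariaDB's mysql_install_db. It reproduces the
# pattern the advisory describes (chmod 04755 on a path that may be a symlink)
# in a throwaway directory and contrasts it with a variant that refuses links.
# Only chmod is exercised: setting the setuid bit on a file you own needs no
# root, whereas the chown step in the real script does, so it is left out.
# All paths below are constructed for the demonstration.

# Vulnerable pattern: chmod follows symlinks, so the mode lands on the target.
unsafe_setuid() {
    chmod 04755 "$1"
}

# Hardened pattern: refuse anything that is not a plain regular file.
# -L is true for the symlink itself while -f follows it, so test -L first.
safe_setuid() {
    if [ -L "$1" ]; then
        echo "refusing: $1 is a symbolic link" >&2
        return 1
    fi
    if [ ! -f "$1" ]; then
        echo "refusing: $1 is not a regular file" >&2
        return 1
    fi
    chmod 04755 "$1"
}

# Runs one scenario ("unsafe" or "safe") and reports whether the attacker's
# file ended up with the setuid bit. Prints setuid_applied or target_untouched.
demo() {
    mode="$1"
    work=$(mktemp -d) || return 1
    tooldir="$work/auth_pam_tool_dir"
    mkdir -p "$tooldir"

    # Attacker-controlled file (constructed stand-in for a binary the mysql
    # user owns). It is deliberately not setuid before the privileged step.
    target="$work/attacker_binary"
    printf '#!/bin/sh\nid\n' > "$target"
    chmod 0755 "$target"

    # Attacker step from the advisory: plant a symlink where the installer
    # expects auth_pam_tool before the root-run chmod happens.
    ln -s "$target" "$tooldir/auth_pam_tool"

    # Privileged step: the installer applies the mode to that path.
    if [ "$mode" = unsafe ]; then
        unsafe_setuid "$tooldir/auth_pam_tool" || true
    else
        safe_setuid "$tooldir/auth_pam_tool" 2>/dev/null || true
    fi

    # -u tests the set-user-ID bit on the real file, not on the link.
    if [ -u "$target" ]; then
        result=setuid_applied
    else
        result=target_untouched
    fi
    rm -rf "$work"
    printf '%s\n' "$result"
}

# Stand-alone run: show both outcomes side by side.
printf 'unsafe chmod on symlink:   %s\n' "$(demo unsafe)"
printf 'hardened chmod on symlink: %s\n' "$(demo safe)"
```

Run it as an ordinary user; the unsafe path reports setuid_applied because chmod silently followed the link, the hardened path reports target_untouched. Note the caveat from the mitigation paragraph: the -L check closes the hole shown here but is still a check followed by a separate chmod, so an attacker who can swap the entry between the two calls wins the race. The robust fix is to have the privileged step create or copy the file itself with the intended mode in a location the unprivileged user cannot write, rather than adjusting permissions on whatever is already there.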

Reservation

01/17/2020

Moderation

accepted

CPE

ready

EPSS

0.00269

KEV

no

Activities

very low
