Discovered by Matthew Van Gundy of Asig

Overview


Today, Talos is releasing details of a new vulnerability within MySQL Multi-Master Manager. This is used to perform monitoring, failover and management of MySQL master-master replication configurations. By using MySQL MMM (Multi-Master Replication Manager for MySQL) it ensures that only one node is writeable at a time. Using MySQL MMM an end user can also choose to move their Virtual IP addresses to different servers depending on their replication status.




TALOS-2017-501 - MySQL Multi-Master Manager Remote Command Injection Vulnerability (CVE-2017-14474 - CVE-2017-14481)


Multiple exploitable remote command injection vulnerabilities exist in the MySQL Master-Master Replication Manager (MMM) mmm_agentd daemon 2.2.1. mmm_agentd commonly runs with root privileges and does not require authentication by default.  A specially crafted MMM protocol
message can cause a shell command injection resulting in arbitrary command execution with the privileges of the mmm_agentd process.  An attacker that can initiate a TCP session with mmm_agentd can trigger these vulnerabilities. Detailed vulnerability information can be found here.

Known vulnerable versions


MMM 2.2.1

http://mysql-mmm.org/

Coverage


The following Snort Rules will detect exploitation attempts. Note that additional rules may be released at a future date and current rules are subject to change pending additional vulnerability information. For the most current rule information, please refer to your FireSIGHT Management Center or Snort.org.

Snort Rule: 45089