CVE CyberSecurity Database News

CVE-2023-22094 - MySQL Installer Vulnerability – What You Need to Know (with Exploit Example)

Poster -

CVE-2023-22094 targets a critical, yet not headline-grabbing part of the Oracle MySQL stack: the MySQL Installer for Windows. In this post, I’ll explain what’s vulnerable, how this flaw can be exploited, and provide unique examples and resources so you can understand (and mitigate) this issue.

What Is CVE-2023-22094?

This vulnerability affects the MySQL Installer (specifically the “Installer: General” component) on Windows systems. Every version before 1.6.8 is at risk. Oracle’s advisory is here:
- Oracle Critical Patch Update Advisory – October 2023

The summary

- An attacker with a low privilege account but with access to the same system as MySQL Installer can exploit this flaw.

Vulnerable versions can be bundled with MySQL Server 8..35 and 5.7.44, before patches.

- The impact? Attackers could create, delete, or modify critical data, or crash the Installer (denial of service).

CVSS 3.1 Score: 7.9 (High)

(Vector: AV:L/AC:L/PR:L/UI:R/S:C/C:N/I:H/A:H)

Let’s simplify

- Access needed: Attacker must be able to log on to the machine (e.g., any local user or remote desktop user).
- Attack path: By crafting files or manipulating the environment, the attacker “tricks” the user running MySQL Installer into carrying out malicious actions.
- Scope creep: A vulnerable install could impact not just the Installer, but also any products it touches—like your production MySQL databases.

Why Is This Possible?

In these older versions, the Installer did not strictly validate what files it opened, in which locations, or how it handled permissions. During install, upgrade, or configuration, it might run with elevated permissions or touch critical MySQL data/config files.

An administrator logs in and runs MySQL Installer to do an upgrade.

3. The Installer loads, and—because of poor input validation—picks up a malicious file “left behind” by john.

Here’s an example of what the attack code might look like (in pseudo Python for clarity)

import os

# Location MySQL Installer reads from (varies, but often %APPDATA% or %TEMP%)
installer_temp_dir = "C:\\Users\\Public\\AppData\\Local\\Temp"
malicious_config = os.path.join(installer_temp_dir, 'my.ini')

# Attacker drops a payload
with open(malicious_config, "w") as f:
    f.write("[mysqld]\ninnodb_force_recovery=6\n")  # Forces dirty MySQL state

print(f"Malicious my.ini placed at {malicious_config}")

When the admin runs MySQL Installer, it might automatically pick up or merge configuration files from these temp locations (depending on install scenario), executing attacker-controlled MySQL config, which could crash MySQL or corrupt data.

In some even worse cases (if the Installer mishandles .bat/.exe files), privilege escalation or code execution could be possible. Usually, it’s used for destroying or manipulating config/data files.

Original sources

- NVD NIST entry for CVE-2023-22094
- Oracle’s CPU Docs & Patch Details
- MySQL Release Notes

Typical Example – Race Condition

Another typical attack: attacker creates a symlink from an installer temp file to a critical file (like C:\Program Files\MySQL\my.ini). The installer, running as admin, writes or deletes as attacker, thus overwriting config.

Example (run as attacker in Command Prompt)

mklink C:\Users\Public\AppData\Local\Temp\my.ini "C:\Program Files\MySQL\my.ini"

After this, when an admin runs the Installer, they may inadvertently overwrite the real config. (Windows has some symlink restrictions, but there are ways around it.)

Conclusion

CVE-2023-22094 is a reminder: installer packages are juicy targets, even for low-privileged attackers. If you use MySQL on Windows, patch immediately and keep a close eye on who has access (and what’s on) your servers.

References

- NVD Entry for CVE-2023-22094
- Oracle Security Alert – CPU Oct 2023
- MySQL Installer Release Notes

*This write-up is original and tailored for IT professionals and sysadmins working with MySQL on Windows. Always verify the details with your security and IT management teams before acting.*

Timeline

Published on: 10/17/2023 22:15:14 UTC
Last modified on: 10/24/2023 23:46:20 UTC