CVE-2023-39593 - Insecure Permissions in MariaDB sys

CVE-2023-39593 is a security issue that caused a buzz in the MariaDB user community. This potential vulnerability is about how the sys_exec function in MariaDB version 10.5 may allow authenticated users to execute system commands at an elevated privilege level. However, it’s important to note that the MariaDB Foundation disputes that this constitutes a real vulnerability, arguing that “no privilege boundary is crossed.” In this post, I’ll break down what this CVE is, how it could be abused, show a real example of exploitation, and clarify what makes it controversial.

What Is MariaDB and sys_exec?

MariaDB is a popular open-source relational database management system. Many apps and sites use it to store data. One feature in MariaDB is the sys_exec function, which lets users run commands directly on the server’s operating system.

-- Example use of sys_exec in MariaDB
SELECT sys_exec('ls -la /tmp');

Normally, running system commands from a database function is risky and requires strict permission checks.

Affected Version: MariaDB ≤ 10.5.23

- Summary: Authenticated MariaDB users with access to sys_exec could run arbitrary operating system commands with the database server’s privileges.
- Risk: This could allow someone to read sensitive files, install malware, or take over the server, *if* they have the required access.
- Original Advisory: GitHub Security Advisory GHSA-w82w-7mr3-v9v5
- Dispute Note: The MariaDB Foundation’s bug tracker says there isn’t a privilege boundary because only people with privileges for sys_exec can use it.

Proof of Concept: How This Could Be Exploited

To see how this works in practice, here’s a simple example. Let’s pretend you have a low-privileged user called reportuser who somehow has access to the sys_exec function.

Step 1: Permissions (Done by DBA or via misconfiguration)

-- As an admin, grant EXECUTE on sys_exec (should NOT be done lightly)
GRANT EXECUTE ON FUNCTION sys.sys_exec TO 'reportuser'@'%';

Step 2: Attacker Executes Arbitrary Command

-- Attacker logs in and runs:
SELECT sys_exec('id > /tmp/mariadb_privs.txt');

This command writes details about the process owner (the id command in Linux) into a file in /tmp. The system will run this as the database server’s user (often mysql). An attacker could use this access for other attacks, like creating reverse shells, installing scripts, or extracting secrets.

MariaDB Foundation disputes this as a true vulnerability. Their core argument

> “If a user has been given EXECUTE privileges for sys_exec, they're already trusted on the system, so no additional privilege boundary is crossed.”

In other words, anyone who can use sys_exec can already run system commands by design. This is not so much a *vulnerability* as a dangerous feature available to trusted users.

More on their position:
- Jira thread: MDEV-30875
- Community discussion: Red Hat Bugzilla #2223855

**Never grant sys_exec to untrusted users.**

The only people who should ever have EXECUTE access on sys_exec are database admins who already have root SSH access.

Final Thoughts and References

This CVE is a good reminder that database features with operating system access are risky and demand careful handling. Even though MariaDB Foundation doesn’t see this as a vulnerability, in the real world, misconfiguration happens all the time. Like with xp_cmdshell in SQL Server, you should lock down sys_exec tight.

Original References

- Official CVE record: CVE-2023-39593
- MariaDB Jira - MDEV-30875
- GitHub Advisory Database: GHSA-w82w-7mr3-v9v5
- Red Hat Bugzilla #2223855

In summary: If your MariaDB server allows sys_exec to be called by anyone you don’t fully trust, you’ve got a *genuine security risk*, whether or not it crosses an “official” privilege boundary.

Stay safe! Double check those grants, and remember: what your database can run, anyone with private access to it can probably run too!

Timeline

Published on: 10/17/2024 22:15:02 UTC
Last modified on: 10/21/2024 00:15:12 UTC