Vulnerability
Affected software: MySQL Governor versions below 1.2-46
MySQL Governor keeps its semaphores in the /dev/shm/ directory, which is accessible from within CageFS. A user can execute mkdir /dev/shm/sem.governor_bad_users_list_sem in a loop and wait for MySQL Governor to restart, e.g. during an update. If the user wins the race, the directory is created and MySQL Governor can no longer be started due to a segmentation violation error.
Exploit
$ while true; do mkdir /dev/shm/sem.governor_bad_users_list_sem; done
Solution
Update MySQL Governor to version 1.2-46 or later.
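To check a host for the condition described above before restarting the service, the following added example (not part of the original advisory or the vendor's code) lists sem.* entries in a shared-memory directory that cannot back a named semaphore. It assumes glibc's convention of storing a named semaphore as the regular file sem.NAME and GNU stat; the function name audit_sem_dir is hypothetical.

```shell
#!/bin/sh
# Added example: audit a shared-memory directory for squatted semaphore names.
# Assumption: glibc stores the POSIX named semaphore NAME as the regular file
# <dir>/sem.NAME, so a directory or symlink under that name blocks the owner.

# audit_sem_dir [DIR] [OWNER_UID]   (hypothetical helper name)
# Prints one line per suspicious sem.* entry; returns 1 if any were found.
audit_sem_dir() {
    dir=${1:-/dev/shm}
    want_uid=${2:-}      # optional: UID expected to own every semaphore file
    bad=0
    for entry in "$dir"/sem.*; do
        # An unmatched glob stays literal: skip it, but keep dangling symlinks.
        [ -e "$entry" ] || [ -L "$entry" ] || continue
        if [ -L "$entry" ]; then
            echo "SYMLINK $entry"; bad=1
        elif [ -d "$entry" ]; then
            echo "DIRECTORY $entry"; bad=1
        elif [ ! -f "$entry" ]; then
            echo "NOT_REGULAR $entry"; bad=1
        elif [ -n "$want_uid" ]; then
            uid=$(stat -c %u "$entry")   # GNU stat: numeric owner UID
            if [ "$uid" != "$want_uid" ]; then
                echo "OWNER_MISMATCH uid=$uid $entry"; bad=1
            fi
        fi
    done
    return "$bad"
}
```

Called as audit_sem_dir /dev/shm, a DIRECTORY line for sem.governor_bad_users_list_sem indicates the entry described in this advisory is present.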
Timeline
- 2019-07-16 - Vulnerability reported to vendor.
- 2019-07-16 - Response from vendor.
- 2019-08-01 - Beta version 1.2-46 of MySQL Governor released with MYSQLG-410 vulnerability fixed.
- 2019-08-19 - Production version 1.2-46 of MySQL Governor released with MYSQLG-410 vulnerability fixed.