CVE-2017-14476 – This vulnerability allows remote command inject... (How to Fix)

Q: What is the severity of CVE-2017-14476?

CVE-2017-14476 has a CVSS score of 9.8 (CRITICAL). This vulnerability allows remote command injection in MySQL Multi-Master Replication Manager (MMM) agent daemon. Attackers can execute arbitrary commands with mmm_agentd process privileges by sending specially crafted TCP messages. Systems running vulnerable MMM versions with mmm_agentd exposed are affected.

📋 TL;DR

This vulnerability allows remote command injection in MySQL Multi-Master Replication Manager (MMM) agent daemon. Attackers can execute arbitrary commands with mmm_agentd process privileges by sending specially crafted TCP messages. Systems running vulnerable MMM versions with mmm_agentd exposed are affected.

💻 Affected Systems

Products:

MySQL Multi-Master Replication Manager (MMM)

Versions: 2.2.1 (specifically for Solaris, but likely affects other platforms)

Operating Systems: Solaris, likely Linux/Unix variants

Default Config Vulnerable: ⚠️ Yes

Notes: Requires mmm_agentd service running and accessible via network.

📦 What is this software?

Mysql Multi Master Replication Manager by Mysql Mmm

View all CVEs affecting Mysql Multi Master Replication Manager →

⚠️ Risk & Real-World Impact

🔴

Worst Case

Complete system compromise leading to data theft, lateral movement, and persistent backdoor installation.

🟠

Likely Case

Unauthorized command execution allowing privilege escalation, data access, and service disruption.

🟢

If Mitigated

Limited impact if network segmentation prevents access to mmm_agentd port.

🌐 Internet-Facing: HIGH - Directly exploitable via TCP without authentication.

🏢 Internal Only: HIGH - Internal attackers can exploit if they reach the service.

🎯 Exploit Status

Public PoC: ⚠️ Yes

Weaponized: LIKELY

Unauthenticated Exploit: ⚠️ Yes

Complexity: LOW

Exploit requires network access to mmm_agentd port (default 9988).

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 2.2.2 or later

Vendor Advisory: https://github.com/mysql-mmm/mysql-mmm

Restart Required: Yes

Instructions:

1. Stop mmm_agentd service. 2. Update MMM to version 2.2.2+. 3. Restart mmm_agentd service.

🔧 Temporary Workarounds

Network Segmentation

linux

Restrict access to mmm_agentd port (default 9988) using firewall rules.

iptables -A INPUT -p tcp --dport 9988 -j DROP
firewall-cmd --permanent --add-rich-rule='rule family="ipv4" source address="TRUSTED_IP" port protocol="tcp" port="9988" accept'

🧯 If You Can't Patch

Implement strict network ACLs to limit access to mmm_agentd port to trusted hosts only.
Monitor network traffic to mmm_agentd port for suspicious activity.

🔍 How to Verify

Check if Vulnerable:

Check MMM version: mmm --version or check package manager. If version is 2.2.1 or earlier, system is vulnerable.

Check Version:

mmm --version 2>/dev/null || rpm -qa | grep -i mmm || dpkg -l | grep -i mmm

Verify Fix Applied:

Verify MMM version is 2.2.2 or later and test that mmm_agentd service is running without errors.

📡 Detection & Monitoring

Log Indicators:

Unusual commands in mmm_agentd logs
Failed authentication attempts to mmm_agentd

Network Indicators:

Unexpected TCP connections to port 9988
Suspicious payloads in network traffic to mmm_agentd

SIEM Query:

source="mmm_agentd.log" AND (command="*;*" OR command="*|*" OR command="*`*" OR command="*$(*")

📊 Metadata

CVE ID: CVE-2017-14476

CVSS v3 Score: 9.8 (CRITICAL)

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CWE: CWE-78

Published: May 9, 2018

Last Updated: November 21, 2024

🔗 References

https://www.talosintelligence.com/vulnerability_reports/TALOS-2017-0501 Exploit,Technical Description,Third Party Advisory
https://www.talosintelligence.com/vulnerability_reports/TALOS-2017-0501 Exploit,Technical Description,Third Party Advisory

📤 Share & Export

📄 Export Markdown 📋 Export JSON

🔗 Related Vulnerabilities

If you're affected by CVE-2017-14476, you might also want to check these: