CVE-2020-15180
📋 TL;DR
This vulnerability allows remote attackers to execute arbitrary commands on MariaDB Galera cluster nodes through command injection via the wsrep_sst_method system variable. It affects MariaDB builds with the mysql-wsrep component before the patched versions listed under Official Fix, threatening the confidentiality, integrity, and availability of database systems.
💻 Affected Systems
- MariaDB with mysql-wsrep component
- Percona XtraDB Cluster
📦 What is this software?
Mariadb by Mariadb
⚠️ Risk & Real-World Impact
Worst Case
Complete compromise of database cluster nodes leading to data theft, destruction, or ransomware deployment across the entire cluster.
Likely Case
Unauthorized command execution on database servers leading to data exfiltration, privilege escalation, or lateral movement within the network.
If Mitigated
Limited impact due to network segmentation and proper access controls preventing remote exploitation.
🎯 Exploit Status
Exploitation requires network access to vulnerable MariaDB instances. Public proof-of-concept code exists demonstrating the command injection.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: MariaDB 10.1.47, 10.2.34, 10.3.25, 10.4.15, 10.5.6 or later
Vendor Advisory: https://mariadb.com/kb/en/cve-2020-15180/
Restart Required: Yes
Instructions:
1. Stop the MariaDB service.
2. Back up databases.
3. Upgrade to a patched version using the package manager (apt/yum).
4. Restart the MariaDB service.
5. Verify version and functionality.
🔧 Temporary Workarounds
Network Access Restriction
Restrict network access to the MariaDB Galera cluster ports (default 4567, 4568, 4444) to trusted hosts only.
# Allow the Galera replication port (4567) from a trusted peer, then drop everyone else.
iptables -A INPUT -p tcp --dport 4567 -s trusted_ip -j ACCEPT
iptables -A INPUT -p tcp --dport 4567 -j DROP
# Repeat the same pair of rules for the IST port (4568) and the SST port (4444).
Disable wsrep_sst_method Remote Configuration
Prevent remote configuration of wsrep_sst_method by removing or restricting the privileges needed for SET GLOBAL wsrep_sst_method.
-- MariaDB: SET GLOBAL requires SUPER.
REVOKE SUPER ON *.* FROM 'user'@'%';
-- MySQL 8-based Percona XtraDB Cluster: the dynamic privilege SYSTEM_VARIABLES_ADMIN also allows SET GLOBAL.
REVOKE SYSTEM_VARIABLES_ADMIN ON *.* FROM 'user'@'%';
🧯 If You Can't Patch
- Implement strict network segmentation to isolate MariaDB Galera cluster from untrusted networks
- Apply principle of least privilege to database user accounts and remove unnecessary privileges
🔍 How to Verify
Check if Vulnerable:
Check MariaDB version and wsrep status: SHOW VARIABLES LIKE 'version%'; SHOW VARIABLES LIKE 'wsrep%';
Check Version:
mysql -V or SELECT VERSION();
Verify Fix Applied:
Verify version is patched: SELECT VERSION(); and confirm it's 10.1.47+, 10.2.34+, 10.3.25+, 10.4.15+, or 10.5.6+
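A version check for the fixed releases listed above, as an added example that is not part of the advisory: it parses the output of SELECT VERSION() or mysql -V, takes the wsrep_on value from SHOW VARIABLES LIKE 'wsrep_on' (an assumed input), and reports whether the node is below its branch's first patched release. The sample strings are constructed, not captured from a real host.

```python
import re

# First patched release per MariaDB branch, as listed in the advisory above.
FIXED_VERSIONS = {
    (10, 1): (10, 1, 47),
    (10, 2): (10, 2, 34),
    (10, 3): (10, 3, 25),
    (10, 4): (10, 4, 15),
    (10, 5): (10, 5, 6),
}

def parse_version(text):
    """Extract (major, minor, patch) from SELECT VERSION() or mysql -V output.

    Handles '10.4.14-MariaDB-1:10.4.14+maria~focal' and
    'mysql  Ver 15.1 Distrib 10.3.24-MariaDB, for debian-linux-gnu (x86_64)'.
    The mysql -V line lists the client version ('Ver 15.1') first, so the
    'Distrib X.Y.Z' field is preferred when present.
    """
    m = (re.search(r"Distrib\s+(\d+)\.(\d+)\.(\d+)", text)
         or re.search(r"(\d+)\.(\d+)\.(\d+)", text))
    if m is None:
        raise ValueError(f"no X.Y.Z version in {text!r}")
    return tuple(int(g) for g in m.groups())

def assess_node(version_text, wsrep_on="ON"):
    """Classify a node as 'not-galera', 'patched', 'vulnerable' or 'unknown-branch'.

    wsrep_on is the value shown by SHOW VARIABLES LIKE 'wsrep_on'. A node with
    wsrep_on=OFF does not run the SST code path, but should still be upgraded.
    Branches outside the advisory's table (e.g. 10.0) cannot be classified.
    """
    if wsrep_on.upper() != "ON":
        return "not-galera"
    version = parse_version(version_text)
    fixed = FIXED_VERSIONS.get(version[:2])
    if fixed is None:
        return "unknown-branch"
    return "patched" if version >= fixed else "vulnerable"

if __name__ == "__main__":
    # Constructed sample outputs (not from a real host).
    samples = [
        ("10.4.14-MariaDB-1:10.4.14+maria~focal", "ON"),
        ("10.4.15-MariaDB-1:10.4.15+maria~focal", "ON"),
        ("mysql  Ver 15.1 Distrib 10.3.24-MariaDB, for debian-linux-gnu (x86_64)", "ON"),
        ("10.5.6-MariaDB", "OFF"),
    ]
    for text, wsrep in samples:
        print(f"{text[:40]:<40} wsrep_on={wsrep:<3} -> {assess_node(text, wsrep)}")
```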
📡 Detection & Monitoring
Log Indicators:
- Unusual commands in MariaDB error logs
- Unexpected process execution from mysql user
- Failed authentication attempts followed by wsrep_sst_method changes
Network Indicators:
- Unusual traffic to MariaDB Galera ports (4567, 4568, 4444) from unexpected sources
- Command injection patterns in network traffic
SIEM Query:
source="mariadb.log" AND ("wsrep_sst_method" OR "command injection" OR "unauthorized SET GLOBAL")
🔗 References
- https://bugzilla.redhat.com/show_bug.cgi?id=1894919
- https://lists.debian.org/debian-lts-announce/2020/10/msg00021.html
- https://security.gentoo.org/glsa/202011-14
- https://www.debian.org/security/2020/dsa-4776
- https://www.percona.com/blog/2020/10/30/cve-2020-15180-affects-percona-xtradb-cluster/