CVE-2021-27928 Overview
A remote code execution vulnerability was discovered in MariaDB that allows an attacker with SUPER user privileges to execute arbitrary operating system commands. The flaw exists due to an untrusted search path that leads to eval injection when a database SUPER user modifies the wsrep_provider and wsrep_notify_cmd configuration parameters. This vulnerability affects multiple versions of MariaDB, Percona Server, and the wsrep patch for MySQL.
Critical Impact
Attackers with database SUPER privileges can achieve full remote code execution on the underlying operating system, potentially leading to complete system compromise.
Affected Products
- MariaDB 10.2 before 10.2.37
- MariaDB 10.3 before 10.3.28
- MariaDB 10.4 before 10.4.18
- MariaDB 10.5 before 10.5.9
- Percona Server through 2021-03-03
- wsrep patch for MySQL through 2021-03-03
- Debian Linux 9.0
Discovery Timeline
- 2021-03-19 - CVE-2021-27928 published to NVD
- 2024-11-21 - Last updated in NVD database
Technical Details for CVE-2021-27928
Vulnerability Analysis
This vulnerability is classified as CWE-94 (Code Injection) and enables authenticated attackers to break out of the database context and execute commands at the operating system level. The flaw stems from insufficient validation of the wsrep_provider and wsrep_notify_cmd system variables within MariaDB's Galera Cluster replication implementation. When a user with SUPER privileges modifies these configuration parameters, the database server evaluates and executes the provided paths without proper sanitization, allowing arbitrary command injection.
The attack requires network access and high privileges (SUPER user role), but once these conditions are met, exploitation is straightforward. Successful exploitation results in complete compromise of confidentiality, integrity, and availability of the affected system.
Root Cause
The root cause lies in the untrusted search path vulnerability within MariaDB's handling of the wsrep (Write Set REPlication) configuration parameters. The wsrep_provider parameter specifies the path to the Galera library, and wsrep_notify_cmd specifies a command to be executed on cluster state changes. The database server fails to properly validate these parameters before evaluation, allowing malicious paths or commands to be injected and executed with the privileges of the MariaDB process.
Attack Vector
The attack is network-accessible and can be exploited remotely by any user who has obtained SUPER privileges on the MariaDB database. The attacker modifies the wsrep_provider or wsrep_notify_cmd variables to point to a malicious shared library or command script. When the database server processes these configuration changes, it evaluates the malicious input, resulting in arbitrary code execution at the operating system level.
The vulnerability can be exploited by setting wsrep_provider to a malicious .so file path or by injecting shell commands through the wsrep_notify_cmd parameter. The commands execute with the same privileges as the MariaDB database process, typically as the mysql user, which could allow further privilege escalation depending on the system configuration.
Detection Methods for CVE-2021-27928
Indicators of Compromise
- Unexpected modifications to wsrep_provider or wsrep_notify_cmd system variables in MariaDB configuration
- Suspicious .so files appearing in non-standard directories referenced by database configuration
- Unusual process spawning from the MariaDB/MySQL daemon process
- Database audit logs showing SET GLOBAL commands modifying wsrep-related parameters
Detection Strategies
- Monitor database audit logs for SET GLOBAL statements targeting wsrep_provider or wsrep_notify_cmd
- Implement file integrity monitoring on directories containing Galera libraries and the MariaDB installation
- Use endpoint detection to identify child processes spawned by the MariaDB daemon that execute unexpected commands
- Review database user privileges and alert on accounts with SUPER privilege that are not explicitly authorized
Monitoring Recommendations
- Enable MariaDB audit plugin to log all privilege changes and configuration modifications
- Configure SIEM alerts for database configuration changes involving wsrep parameters
- Monitor for network connections originating from the MariaDB process to unexpected destinations
- Implement process monitoring to detect command injection attempts from database service accounts
How to Mitigate CVE-2021-27928
Immediate Actions Required
- Upgrade MariaDB to patched versions: 10.2.37, 10.3.28, 10.4.18, or 10.5.9 or later
- Audit all database accounts with SUPER privileges and revoke where not strictly necessary
- Review and restrict network access to database servers using firewall rules
- Implement principle of least privilege for database user accounts
Patch Information
MariaDB has released security patches addressing this vulnerability. Organizations should upgrade to the following minimum versions:
- MariaDB 10.2: Upgrade to version 10.2.37 or later (Release Notes)
- MariaDB 10.3: Upgrade to version 10.3.28 or later (Release Notes)
- MariaDB 10.4: Upgrade to version 10.4.18 or later (Release Notes)
- MariaDB 10.5: Upgrade to version 10.5.9 or later (Release Notes)
For Percona Server and wsrep patch users, consult your vendor for updated packages. Debian users should refer to the Debian LTS Security Announcement for package updates.
Additional technical details are available in the MariaDB MDEV-25179 Ticket and the Packet Storm Command Execution Exploit advisory.
Workarounds
- Restrict SUPER privileges to only essential administrative accounts and audit their usage
- Use SELinux or AppArmor to confine the MariaDB process and limit its ability to execute external commands
- Implement network segmentation to limit exposure of database servers to untrusted networks
- Configure read-only mode for wsrep_provider by using configuration file settings rather than runtime variables where possible
# Example: Restrict database privileges and verify wsrep configuration
# Check for users with SUPER privilege
mysql -e "SELECT user, host FROM mysql.user WHERE Super_priv='Y';"
# Verify current wsrep settings
mysql -e "SHOW VARIABLES LIKE 'wsrep%';"
# Ensure wsrep_provider points to legitimate Galera library only
# /usr/lib/galera/libgalera_smm.so (typical legitimate path)
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
