4.4 Harden Usage for 'local_infile' on MariaDB Clients

Information

The local_infile parameter dictates whether files located on the MariaDB client's computer can be loaded or selected via LOAD DATA INFILE or SELECT local_file.

Rationale:

For MariaDB client programs and connectors prior to 10.2.0, disabling local_infile reduces an attacker's ability to read sensitive files off the affected server via an SQL injection vulnerability.

Impact:

Disabling local_infile will impact the functionality of solutions that rely on it.

Solution

Upgrade all MariaDB clients and connectors to 10.2.0 or higher.
In the case where using local_infile is needed, the following changes further harden security:
On client side, secure by:
Limiting the location from where data can be read using --load-data-local-dir.

mariadb --local-infile=0 --load-data-local-dir=/my/local/data

Adding TLS connection to assure server identity by requiring verification.

mariadb --local-infile=0 --load-data-local-dir=/my/local/data --ssl-mode=VERIFY_IDENTITY

If local_infile is not in use or if clients are not upgraded - add the following line to the [mariadbd] section of the MySQL configuration file and restart the MariaDB service:

local-infile=0

Default Value:

0 (OFF)

See Also

https://workbench.cisecurity.org/benchmarks/16527

Item Details

Category: CONFIGURATION MANAGEMENT

References: 800-53|CM-6, 800-53|CM-7, CSCv7|4.7

Plugin: Unix

Control ID: a06b3c58f1e1913fac9f4af66d230cdc243394db85076a6f4a9ea1c956fa53ba