Information Regarding 1-Click Credentials
Incident Report for DigitalOcean
A security vulnerability has been identified affecting Ubuntu or Debian-based Droplets with MySQL installed via 1-Click deployments, including:

- PHPMyAdmin
- OwnCloud
- Ghost
- WordPress

During the installation of MySQL, the debian-sys-maint MySQL user was created by the Ubuntu packaging, and our build process did not change debian-sys-maint's default password. Users who did not change the debian-sys-maint password in "/etc/mysql/debian.cnf" and in MySQL for the deployed 1-Click database instances are not secure.

- The debian-sys-maint passwords are not unique. If your password remained unchanged after install, your MySQL database is not secure.
- MySQL and PHPMyAdmin 1-Clicks are remotely exploitable unless action has been taken to change the default password.
- LAMP, LEMP, WordPress and OwnCloud 1-Clicks are locally exploitable.
- If you have installed PHPMyAdmin or another program that provides proxy access to MySQL, then your 1-Click is likely remotely exploitable.

We have notified the customers who were most likely impacted by this vulnerability. We have also implemented a patch, so that moving forward, all deployed instances using these 1-Clicks will have custom generated passwords per instance. All 1-Clicks with MySQL created on or after September 18, 2017 now change the debian-sys-maint user during the first-boot process.

As part of our discovery process for this issue, we identified that other Cloud providers and third-party Marketplaces are affected. We strongly advise that users check all pre-installed MySQL instances on Debian/Ubuntu for this issue.

If you have not updated your credentials upon install, we recommend doing so now. To easily change the debian-sys-maint credentials, we have provided a script[1], which will ensure that your MySQL database is not accessible with default credentials. You may also simply redeploy using the newly patched 1-Clicks. If you changed the debian-sys-maint MySQL user credentials upon install, you are not impacted by this vulnerability and no action is required.

Posted Sep 21, 2017 - 12:00 UTC