Patch PostgreSQL To Prevent DoS Or Privilege Escalation
New update addresses critical vulnerabilities in Postgres
April 8, 2013
A new critical vulnerability patched by PostgreSQL late last week may sound scarier than its actual potential enterprise impact, but security researchers recommend enterprises nevertheless put the patch in the deployment queue, especially if they use Postgres for any mission-critical systems.
Released by the PostgreSQL Global Development Group, the update patches five vulnerabilities in Postgres versions 8.4.x and above.
"The most serious of the flaws allows an unauthenticated attacker to write data to any accessible file on your Postgres server, including critical database files," wrote Corey Nachreiner, director of security strategy for WatchGuard. "The Postgres folks call this a Denial of Service (DoS) attack, but I think it’s a bit worse than that, since it can also allow attackers to corrupt your database files."
The catch is that this can be done only if the organization has allowed external access to the Postgres system.
"This is a connect time vulnerability, not a runtime type of thing. I've got to be able to actually start a connection to the database, and you can almost never do that with SQL injection," says Josh Shaul, CTO for Application Security Inc. "Your outside attacker without any access to the network is probably not going to be able to exploit this."
However, there is more than one way to skin a cat -- or to compromise a Postgres database.
"This bug may be exploitable after for example compromising a web server with a Postgresql backend," wrote Johannes Ullrich of SANS Institute. "A simple SQL injection is probably not enough, but other exploits that modify the database connect string could be used."
[Why isn't DAM taking hold in the enterprise? See Five Hurdles That Slow Database Security Adoption.]
Even more troubling, if attackers can get their hands on a login to the server, then they can exploit the flaw to elevate privileges and execute arbitrary code. However, Shaul believes there are enough mitigating factors to make this a difficult-to-exploit vulnerability.
"There's also a very scary-sounding privilege escalation component to this where if the sun and the moon and the stars all align, you can run commands as the root administrator," Shaul says, "but it just seems like a combination of events that is very unlikely."
Across most enterprises, Postgres deployments are "generally few and far between," according to Shaul, who says that as a result, it has generally flown under the radar of security researchers hunting for database bugs. However, there are some notable signals of Postgres progress at large organizations.
For example, Skype, Instagram, and Sony Online Entertainment all depend on Postgres, and last fall, Salesforce jump-started the rumor mill about its potential defection to the platform when it went on a hiring binge to snap up Postgres experts. And this current vulnerability discovery process offers indications that the open-source community may be accelerating research into fixable Postgres flaws. The current discovery was made within online cloud service Heroku by two Japanese researchers of the NTT Open Source Software Center.
Regardless of platforms, database patching practices continue to lag within most enterprises, says Anu Yamunan, senior product manager at Imperva.
"Unfortunately, organizations often struggle to stay on top of maintaining database configurations, even when patches are available," she says. "Until the databases are patched, they remain vulnerable; however, it generally takes organizations months to patch databases once a patch is available."
She reports that many organizations are increasingly turning to "virtual patching" of database systems by depending on third-party database security systems to institute security rules that mitigate risk of exploitation until a patch is made. Similarly, activity monitoring is also an arrow in the risk mitigation quiver to pinpoint potentially fraudulent activity on vulnerable systems.
"In cases where an attacker exploits a known vulnerability and escalates privileges, any deviant behavior, [such as] excessive queries to sensitive data, is identified and blocked by database audit and real-time protection solutions," Yamunan says.
Have a comment on this story? Please click "Add Your Comment" below. If you'd like to contact Dark Reading's editors directly, send us a message.
About the Author
You May Also Like