CVE-2019-10164: Who's affected and how to protect your systems.


Yesterday, the 20th of June, the Postgres community released minor version updates for all supported versions (11.4, 10.9, 9.6.14, 9.5.18, 9.4.23 and 12 Beta 2).
As with any minor version, it is recommended to upgrade and keep your database on the latest minor version. But this release is more important
than most because it includes the fix for a recently discovered vulnerability, CVE-2019-10164.
From the release notes:

"This release is made outside of the normal update release schedule as the security
vulnerability was determined to be critical enough to distribute the fix as quickly as possible.
Users who are running PostgreSQL 10, PostgreSQL 11, or the PostgreSQL 12 beta should upgrade as soon as possible."

In this post I'll go through this CVE: what it is about, who is affected, and how to protect your systems against it.


What is this all about?

An authenticated database user could change their own password to a specially crafted value that crashes the database server or,
in the worst case, executes arbitrary code as the operating system user that runs postgres. The bug is a stack-based buffer overflow in the SCRAM
authentication code, which is why it only affects PostgreSQL 10 and above (SCRAM-SHA-256 was introduced in 10). In practice, on some operating systems,
for example Ubuntu, the default compiler options (the stack protector) should turn the overflow into a crash rather than code execution (see here),
and since the attack requires an already authenticated user, a user with enough privileges could probably also come up with an SQL statement that
DoSes the server or brings the service down anyway.
Of course, this doesn't mean that you shouldn't upgrade if you trust your users; you definitely should.
The new releases also fix a second issue in libpq, the client library used by almost all common Postgres clients,
psql, psycopg2 and pgAdmin 4 included. In this attack a malicious (or compromised) server sends a specially crafted message during the
SCRAM authentication exchange and causes a libpq client, say psycopg2 or psql, to crash or to run arbitrary code as the OS user running the client.
In this case the exploitation happens on the client, not the server.



Upgrade.. do it!

The solution is simple: (always) upgrade to the latest minor version; this CVE is just one more reason to do so.
Keep in mind that even if you don't use SCRAM authentication, an authenticated user could still exploit the server-side bug.
To prevent the client-side attack you also need to upgrade your Postgres clients, making sure they use the latest libpq.
This can be tricky because it includes things that are easy to forget, for example using Postgres from AWS Lambda,
where psycopg2 is compiled with libpq statically linked.
In that case you need to recompile psycopg2 against the fixed libpq and create a new deployment package.
The easiest way to see the libpq version is psql --version, since psql and libpq share the same version number.
If you have custom software compiled against libpq you can get the version by calling
PQlibVersion() from a small program like this:

#include <stdio.h>
#include <libpq-fe.h>

/* PQlibVersion() reports the libpq this binary actually links against,
 * encoded as MAJOR * 10000 + MINOR (for example 11.4 -> 110004). */
int main(void) {
    int lib_ver = PQlibVersion();
    printf("libpq version: %d\n", lib_ver);

    return 0;
}

The program above can be compiled like this (adjust the include path to your installation):
gcc -o pq_version pq_version.c -I/opt/pgsql/pgsql-11.4/include/ -lpq -std=c99
and it should print something like this (for 11.4; the number is MAJOR * 10000 + MINOR, the same encoding as server_version_num on the server):
libpq version: 110004

The truth is that if you are on 10 or above, whatever minor version you were running before this release, anything statically linked against libpq has to be rebuilt with the new library.
Keep in mind that all the above applies to installations compiled from source; if you are using packages, your package management system
should take care of everything, all you need to do is upgrade your packages to the latest version. Just be sure to do the upgrades on your client machines
(web servers and other such machines) as well as on the database server this time.
And since I mentioned AWS: Postgres RDS is at 10.7 and 11.2 and Aurora at 10.7 as of today.
I assume that because of the CVE they will be releasing new versions soon, so upgrade the moment they announce something :)
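As an added example (not code from the original post), here is a small Python script that puts the version checks of this section together: it parses the strings you get from psql --version, SELECT version() on the server or the PQlibVersion() program above, and classifies them against the fix releases named in the announcement. It also asks psycopg2 for the libpq it actually loaded at runtime (psycopg2.extensions.libpq_version()), which is what matters in the Lambda case where the bundled libpq is not the system one. Assumptions: the fixed releases are exactly 10.9, 11.4 and 12 Beta 2; 9.x is unaffected because it has no SCRAM support; psql or psycopg2 may be absent, in which case the corresponding check returns None. The sample version strings at the bottom are constructed (the RDS/Aurora versions quoted above and the 11.4 output of the C program).

```python
"""Version check for CVE-2019-10164 (added example, not from the original post)."""
import re
import subprocess

# First release of each affected major line that contains the fix, in the
# MAJOR*10000 + MINOR encoding returned by PQlibVersion() and by
# "SHOW server_version_num" on the server (11.4 -> 110004).
FIXED_IN = {10: 100009, 11: 110004}

# Matches "11.4", "9.6.14" (first two components), "12beta2" and "12rc1".
VERSION_RE = re.compile(r'(\d+)(?:\.(\d+)|(beta|rc)(\d+))')


def parse_version(text):
    """Return (major, minor, prerelease) from strings such as
    'psql (PostgreSQL) 11.4', 'PostgreSQL 10.7 on x86_64-pc-linux-gnu, ...'
    or 'psql (PostgreSQL) 12beta2'; None if no version is found."""
    m = VERSION_RE.search(text)
    if m is None:
        return None
    major = int(m.group(1))
    if m.group(2) is not None:                   # "X.Y"
        return (major, int(m.group(2)), None)
    return (major, 0, m.group(3) + m.group(4))   # "12beta2" -> (12, 0, 'beta2')


def fix_status(major, minor, prerelease=None):
    """Classify a version as 'unaffected', 'fixed', 'VULNERABLE' or 'unknown'."""
    if major < 10:
        return 'unaffected'                      # no SCRAM before PostgreSQL 10
    if major in FIXED_IN:
        num = major * 10000 + minor
        return 'fixed' if num >= FIXED_IN[major] else 'VULNERABLE'
    if major == 12 and minor == 0:
        # Every 12 pre-release reports version number 120000, so only the
        # version string can tell beta1 (vulnerable) from beta2 (fixed).
        if prerelease is None:
            return 'unknown'
        return 'VULNERABLE' if prerelease == 'beta1' else 'fixed'
    return 'fixed'                               # 12.x releases and later majors


def status_from_num(num):
    """Classify a bare version number, e.g. PQlibVersion() or the integer
    from "SHOW server_version_num" (110004 -> 'fixed')."""
    return fix_status(num // 10000, num % 10000)


def status_from_string(text):
    """Classify a version string, e.g. the output of psql --version or of
    "SELECT version()" on the server."""
    parsed = parse_version(text)
    return 'unknown' if parsed is None else fix_status(*parsed)


def psql_status():
    """psql and libpq share a version number, so `psql --version` tells you
    which libpq the system psql was built with. None if psql is not installed."""
    try:
        out = subprocess.run(['psql', '--version'], capture_output=True,
                             text=True, check=True).stdout
    except (FileNotFoundError, subprocess.CalledProcessError):
        return None
    return status_from_string(out)


def psycopg2_status():
    """psycopg2 may carry its own libpq (statically linked, as in a Lambda
    deployment package), so ask the copy it actually loaded at runtime.
    None if psycopg2 is not installed."""
    try:
        import psycopg2.extensions
    except ImportError:
        return None
    return status_from_num(psycopg2.extensions.libpq_version())


if __name__ == '__main__':
    print('system psql/libpq :', psql_status())
    print('psycopg2 libpq    :', psycopg2_status())
    # Constructed sample inputs: the RDS/Aurora versions quoted in the post,
    # the fixed 11.4 release and the 12 beta, plus the PQlibVersion() output.
    for sample in ('PostgreSQL 10.7 on x86_64-pc-linux-gnu', 'psql (PostgreSQL) 11.2',
                   'psql (PostgreSQL) 11.4', 'psql (PostgreSQL) 12beta2'):
        print(f'{sample!r:45} -> {status_from_string(sample)}')
    print('libpq 110004 ->', status_from_num(110004))
```

Run it on every machine that talks to the database, not only on the database server: the psycopg2 check is the one that catches a stale libpq baked into a deployment package even after the OS packages have been upgraded.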



Thanks for reading,
Vasilis Ventirozos
www.credativ.com
