Patch PostgreSQL To Prevent DoS Or Privilege Escalation

New update addresses critical vulnerabilities in Postgres

A new critical vulnerability patched by PostgreSQL late last week may sound scarier than its actual potential enterprise impact, but security researchers recommend enterprises nevertheless put the patch in the deployment queue, especially if they use Postgres for any mission-critical systems.

Released by the PostgreSQL Global Development Group, the update patches five vulnerabilities in Postgres versions 8.4.x and above.

"The most serious of the flaws allows an unauthenticated attacker to write data to any accessible file on your Postgres server, including critical database files," wrote Corey Nachreiner, director of security strategy for WatchGuard. "The Postgres folks call this a Denial of Service (DoS) attack, but I think it’s a bit worse than that, since it can also allow attackers to corrupt your database files."

The catch is that this can be done only if the organization has allowed external access to the Postgres system.

"This is a connect time vulnerability, not a runtime type of thing. I've got to be able to actually start a connection to the database, and you can almost never do that with SQL injection," says Josh Shaul, CTO for Application Security Inc. "Your outside attacker without any access to the network is probably not going to be able to exploit this."

However, there is more than one way to skin a cat -- or to compromise a Postgres database.

"This bug may be exploitable after for example compromising a web server with a Postgresql backend," wrote Johannes Ullrich of SANS Institute. "A simple SQL injection is probably not enough, but other exploits that modify the database connect string could be used."
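Because the flaw is reachable only by a client that can actually open a connection, the server's client-authentication rules are the first thing to review. The following script is an added example, not part of the original article and not PostgreSQL project code: it parses a constructed pg_hba.conf and flags host rules that accept any source address or rely on a method with no real authentication (the sample rules and the WEAK_METHODS list are assumptions).

```python
import ipaddress

# Constructed sample pg_hba.conf for illustration; not from any real deployment.
# Column layout follows the documented format: TYPE DATABASE USER ADDRESS METHOD
SAMPLE_HBA = """\
# TYPE  DATABASE  USER     ADDRESS              METHOD
local   all       all                           peer
host    all       all      127.0.0.1/32         md5
host    all       all      ::1/128              md5
host    all       all      0.0.0.0/0            md5
host    all       all      10.0.0.0 255.0.0.0   trust
hostssl appdb     appuser  192.168.1.0/24       md5
"""

# Assumed list of methods treated as weak: 'trust' skips authentication entirely,
# 'password' sends the password in cleartext.
WEAK_METHODS = {"trust", "password"}


def parse_hba(text):
    """Yield (lineno, type, database, user, network, method) for each rule.
    network is an ipaddress network for host* rules and None for local rules
    or for addresses that are not IP literals (hostnames, 'samenet', ...)."""
    for lineno, raw in enumerate(text.splitlines(), 1):
        fields = raw.split("#", 1)[0].split()  # drop comments and blank lines
        if not fields:
            continue
        ctype = fields[0]
        if ctype == "local" and len(fields) >= 4:
            yield lineno, ctype, fields[1], fields[2], None, fields[3]
            continue
        if len(fields) < 5:
            continue  # malformed line; PostgreSQL itself would reject it
        db, user, addr = fields[1], fields[2], fields[3]
        # The address is either CIDR or an address followed by a netmask column.
        if "/" not in addr and len(fields) >= 6:
            addr, method = f"{addr}/{fields[4]}", fields[5]
        else:
            method = fields[4]
        try:
            net = ipaddress.ip_network(addr, strict=False)
        except ValueError:
            net = None
        yield lineno, ctype, db, user, net, method


def audit_hba(text):
    """Return (lineno, reason) findings for rules that widen network exposure."""
    findings = []
    for lineno, ctype, db, user, net, method in parse_hba(text):
        if net is None or net.is_loopback:
            continue  # local sockets and loopback are not external exposure
        if net.prefixlen == 0:
            findings.append((lineno, f"{ctype} rule for {db}/{user} accepts any source address"))
        if method in WEAK_METHODS:
            findings.append((lineno, f"{ctype} rule for {db}/{user} uses weak method '{method}'"))
    return findings
```

Run it against a real pg_hba.conf by reading the file into `audit_hba`; an empty result means no rule matched these two checks, not that the file is otherwise sound.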


Even more troubling, if attackers can get their hands on a login to the server, then they can exploit the flaw to elevate privileges and execute arbitrary code. However, Shaul believes there are enough mitigating factors to make this a difficult-to-exploit vulnerability.

"There's also a very scary-sounding privilege escalation component to this where if the sun and the moon and the stars all align, you can run commands as the root administrator," Shaul says, "but it just seems like a combination of events that is very unlikely."

Across most enterprises, Postgres deployments are "generally few and far between," according to Shaul, who says that as a result, it has generally flown under the radar of security researchers hunting for database bugs. However, there are some notable signals of Postgres progress at large organizations.

For example, Skype, Instagram, and Sony Online Entertainment all depend on Postgres, and last fall, Salesforce jump-started the rumor mill about its potential defection to the platform when it went on a hiring binge to snap up Postgres experts. And this current vulnerability discovery process offers indications that the open-source community may be accelerating research into fixable Postgres flaws. The current discovery was made within online cloud service Heroku by two Japanese researchers of the NTT Open Source Software Center.

Regardless of platforms, database patching practices continue to lag within most enterprises, says Anu Yamunan, senior product manager at Imperva.

"Unfortunately, organizations often struggle to stay on top of maintaining database configurations, even when patches are available," she says. "Until the databases are patched, they remain vulnerable; however, it generally takes organizations months to patch databases once a patch is available."

She reports that many organizations are increasingly turning to "virtual patching" of database systems, relying on third-party database security products to enforce rules that mitigate the risk of exploitation until a patch can be applied. Activity monitoring is another arrow in the risk-mitigation quiver, used to pinpoint potentially fraudulent activity on vulnerable systems.

"In cases where an attacker exploits a known vulnerability and escalates privileges, any deviant behavior, [such as] excessive queries to sensitive data, is identified and blocked by database audit and real-time protection solutions," Yamunan says.


Ericka Chickowski specializes in coverage of information technology and business innovation. She has focused on information security for the better part of a decade and regularly writes about the security industry as a contributor to Dark Reading.
