Fixed a critical vulnerability in PostgreSQL

Posted: April 5, 2013 in Vulnerability News

Unscheduled corrective updates have been issued on an emergency basis for all supported versions of PostgreSQL: 9.2.4, 9.1.9, 9.0.13 and 8.4.17. They eliminate five vulnerabilities, one of which is rated critical. All users of PostgreSQL 9.x should update their databases immediately. In addition, to improve overall infrastructure security, the PostgreSQL developers advise making sure that access to the PostgreSQL network port is denied from outside subnets.

The critical vulnerability (CVE-2013-1899) affects only the 9.x versions. It makes it possible to damage files in the PostgreSQL data directory by sending the server a specially crafted connection request in which the database name begins with the character “-” (the database name is treated as an option for single-user recovery; such a database does not need to exist on the server). The attack requires only access to the PostgreSQL network port; a database account is not required.

Three main exploitation scenarios are noted:

– The attacker can cause PostgreSQL error text to be appended to the tail of existing files in the “data” directory, which can crash the DBMS and leave it unable to restart until the appended “tail” is removed from the files manually;

– The vulnerability can be exploited to escalate privileges if the attacker already has a database account and the user name matches the name of the database, by setting a configuration parameter that gives him root access to the DBMS;

– The vulnerability can be exploited to execute arbitrary code on the server if the attacker already has a database account, the login name matches the name of the database, and he is able to save a file to the server file system (including in the /tmp directory). An active SELinux protects against this type of exploitation.

The less dangerous problems corrected in the new PostgreSQL releases:

– CVE-2013-1900 – makes it possible to guess the random numbers generated by contrib/pgcrypto functions for other users;

– CVE-2013-1901 – allows an unprivileged user to execute commands that can affect the contents of a backup that is currently in progress;

– CVE-2013-1902 – appears in the EnterpriseDB graphical installer for Linux and Mac OS X, which creates temporary files with predictable names in the /tmp directory;

– CVE-2013-1903 – appears in the EnterpriseDB installer, which passes the database superuser password to one of its scripts in an unsafe way.

The released updates also include fixes for errors that affect stability, among them a series of problems in the handling of GiST indexes, which may require a REINDEX operation for such indexes.

Multiple vulnerabilities in PostgreSQL

Danger: Low
Patch available: Yes
Number of vulnerabilities: 3

Vector of exploitation: Local network
Impact: Brute-force attack, Denial of service, Security Bypass

Affected products and versions:

– PostgreSQL 8.x;
– PostgreSQL 9.x.

Description:

The vulnerabilities can be exploited by malicious people to bypass certain security restrictions on the target system.

1. An error in the processing of command-line switches. A remote user can, via a specially crafted connection request, damage or destroy files and cause a denial of service.

Note: Vulnerability No. 1 applies to product versions prior to 9.2.4, 9.1.9 and 9.0.13.

2. An error when using contrib/pgcrypto. Encryption can be less reliable than expected.

Note: For successful exploitation, the postmaster's ssl setting must be on. The vulnerability applies to product versions prior to 9.2.4, 9.1.9, 9.0.13 and 8.4.17.

3. An error in the main server component related to improper checking of the REPLICATION privilege. A remote user can call pg_start_backup() or pg_stop_backup() and stop backups.

Note: Vulnerability No. 3 applies to product versions prior to 9.2.4 and 9.1.9.

The vendor also reports two holes in the graphical installer for Linux and Mac OS X. These can be exploited through a symbolic link to disclose the root password.
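The version notes above can be turned into a check over a server inventory. The following is an added example, not code from the advisory or from the PostgreSQL project; the function names, host names and version banners are constructed for illustration, and the fixed releases and per-issue branches are taken from the notes in this post.

```python
import re

# Fixed minor release for each supported branch, as listed in the post.
FIXED = {(9, 2): 4, (9, 1): 9, (9, 0): 13, (8, 4): 17}

# Branches each numbered issue applies to, per the "Note:" lines in the post.
ISSUE_BRANCHES = {
    1: {(9, 2), (9, 1), (9, 0)},          # command-line switch handling
    2: {(9, 2), (9, 1), (9, 0), (8, 4)},  # contrib/pgcrypto (needs ssl on)
    3: {(9, 2), (9, 1)},                  # REPLICATION privilege check
}

VERSION_RE = re.compile(r"(\d+)\.(\d+)\.(\d+)")


def triage(version_text):
    """Classify one server from its version string (e.g. SELECT version())."""
    m = VERSION_RE.search(version_text)
    if not m:
        raise ValueError("no x.y.z version in %r" % version_text)
    major, minor, patch = (int(g) for g in m.groups())
    branch = (major, minor)
    if branch not in FIXED:
        # No fixed release is named in the post for this branch: review by hand.
        return {"version": m.group(0), "status": "unlisted", "issues": []}
    if patch >= FIXED[branch]:
        return {"version": m.group(0), "status": "patched", "issues": []}
    issues = sorted(n for n, b in ISSUE_BRANCHES.items() if branch in b)
    return {"version": m.group(0), "status": "vulnerable", "issues": issues}


def needs_update(inventory):
    """Return (host, version, issues) for every vulnerable host, sorted by host."""
    rows = []
    for host, text in inventory.items():
        result = triage(text)
        if result["status"] == "vulnerable":
            rows.append((host, result["version"], result["issues"]))
    return sorted(rows)


# Constructed sample inventory (host names and banners are made up).
SAMPLE = {
    "db-a": "PostgreSQL 9.2.3 on x86_64-unknown-linux-gnu, compiled by gcc",
    "db-b": "PostgreSQL 9.0.13 on x86_64-unknown-linux-gnu, compiled by gcc",
    "db-c": "PostgreSQL 8.4.16 on i686-pc-linux-gnu, compiled by GCC gcc",
    "db-d": "8.3.23",
}

if __name__ == "__main__":
    for row in needs_update(SAMPLE):
        print(row)
```

Hosts reported as "unlisted" are on a branch for which this post names no fixed release, so they need a manual decision rather than a minor-version update.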
