BUG #15731: CVE-2019-9193

classic Classic list List threaded Threaded
4 messages Options
Reply | Threaded
Open this post in threaded view
|

BUG #15731: CVE-2019-9193

PG Bug reporting form
The following bug has been logged on the website:

Bug reference:      15731
Logged by:          Abhijit Rajwade
Email address:      [hidden email]
PostgreSQL version: 11.2
Operating system:   Linux
Description:        

Sonatype Nexus Audior is reporting the following Threat level 9
vulnerability on Postgres

Vulnerability

Issue CVE-2019-9193
Severity Sonatype CVSS 3.0: 9.8
Weakness Sonatype CWE: 94
Source National Vulnerability Database
Categories Data

Description

Description from CVE
In PostgreSQL 9.3 through 11.2, the "COPY TO/FROM PROGRAM" function allows
superusers and users in the 'pg_read_server_files' group to execute
arbitrary code in the context of the database's operating system user. This
functionality is enabled by default and can be abused to run arbitrary
operating system commands on Windows, Linux, and macOS.

Root Cause
postgresql-42.2.5.jar : [9.3, )

Advisories
    Third Party:
https://github.com/iiiusky/vulhub/commit/88c8816c6f8825030ade34c63c745757ca818fc0#diff-ceb08c22f5e392636bdb77b8562ce0fd
    Third Party:
https://medium.com/greenwolf-security/authenticated-arbitrary-command-execution-on-postgresql-9-3-latest-cd18945914d5

CVSS Details
    Sonatype CVSS 3.0: 9.8
    CVSS Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H


Can you please have the above Security vulnerability fixed?

--- Abhijit Rajwade

Reply | Threaded
Open this post in threaded view
|

Re: BUG #15731: CVE-2019-9193

Magnus Hagander-2
This is not a security vulnerability in the product. It is behaving exactly as intended. It may be misconfigured in some deployments, but it's not a product vulnerability.

/Magnus 


On Wed, Apr 3, 2019, 09:39 PG Bug reporting form <[hidden email]> wrote:
The following bug has been logged on the website:

Bug reference:      15731
Logged by:          Abhijit Rajwade
Email address:      [hidden email]
PostgreSQL version: 11.2
Operating system:   Linux
Description:       

Sonatype Nexus Audior is reporting the following Threat level 9
vulnerability on Postgres

Vulnerability

Issue CVE-2019-9193
Severity Sonatype CVSS 3.0: 9.8
Weakness Sonatype CWE: 94
Source National Vulnerability Database
Categories Data

Description

Description from CVE
In PostgreSQL 9.3 through 11.2, the "COPY TO/FROM PROGRAM" function allows
superusers and users in the 'pg_read_server_files' group to execute
arbitrary code in the context of the database's operating system user. This
functionality is enabled by default and can be abused to run arbitrary
operating system commands on Windows, Linux, and macOS.

Root Cause
postgresql-42.2.5.jar : [9.3, )

Advisories
    Third Party:
https://github.com/iiiusky/vulhub/commit/88c8816c6f8825030ade34c63c745757ca818fc0#diff-ceb08c22f5e392636bdb77b8562ce0fd
    Third Party:
https://medium.com/greenwolf-security/authenticated-arbitrary-command-execution-on-postgresql-9-3-latest-cd18945914d5

CVSS Details
    Sonatype CVSS 3.0: 9.8
    CVSS Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H


Can you please have the above Security vulnerability fixed?

--- Abhijit Rajwade

Reply | Threaded
Open this post in threaded view
|

RE: Re: BUG #15731: CVE-2019-9193

Rajwade, Abhijit

Magnus,

 

If this is mis-configured, can you please advise what configuration is needed to prevent this vulnerability?

 

Thx & Regards

--- Abhijit Rajwade

 

From: Magnus Hagander [mailto:[hidden email]]
Sent: Wednesday, April 03, 2019 1:13 PM
To: Rajwade, Abhijit; [hidden email]
Subject: [EXTERNAL] Re: BUG #15731: CVE-2019-9193

 

This is not a security vulnerability in the product. It is behaving exactly as intended. It may be misconfigured in some deployments, but it's not a product vulnerability.

 

/Magnus 

 

On Wed, Apr 3, 2019, 09:39 PG Bug reporting form <[hidden email]> wrote:

The following bug has been logged on the website:

Bug reference:      15731
Logged by:          Abhijit Rajwade
Email address:      [hidden email]
PostgreSQL version: 11.2
Operating system:   Linux
Description:       

Sonatype Nexus Audior is reporting the following Threat level 9
vulnerability on Postgres

Vulnerability

Issue CVE-2019-9193
Severity Sonatype CVSS 3.0: 9.8
Weakness Sonatype CWE: 94
Source National Vulnerability Database
Categories Data

Description

Description from CVE
In PostgreSQL 9.3 through 11.2, the "COPY TO/FROM PROGRAM" function allows
superusers and users in the 'pg_read_server_files' group to execute
arbitrary code in the context of the database's operating system user. This
functionality is enabled by default and can be abused to run arbitrary
operating system commands on Windows, Linux, and macOS.

Root Cause
postgresql-42.2.5.jar : [9.3, )

Advisories
    Third Party:
https://github.com/iiiusky/vulhub/commit/88c8816c6f8825030ade34c63c745757ca818fc0#diff-ceb08c22f5e392636bdb77b8562ce0fd
    Third Party:
https://medium.com/greenwolf-security/authenticated-arbitrary-command-execution-on-postgresql-9-3-latest-cd18945914d5

CVSS Details
    Sonatype CVSS 3.0: 9.8
    CVSS Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H


Can you please have the above Security vulnerability fixed?

--- Abhijit Rajwade

Reply | Threaded
Open this post in threaded view
|

Re: Re: BUG #15731: CVE-2019-9193

Magnus Hagander-2
It's absolutely trivial. Don't run as superuser, done.

Again, there is no vulnerability to prevent from. If you explicitly allow superusers to log in remotely, they can do superuser things. Just like if you allow "root" to ssh in remotely, people can use that to ssh in as "root" and do root level things like delete your files.

(The report is of course also simply factually incorrect, because the pg_read_server_files role has exactly nothing to do with it. Which is also clearly documented. And you can even tell from the name that it's about reading files)

You can read some more at https://blog.hagander.net/when-a-vulnerability-is-not-a-vulnerability-244/ -- which also quotes some relevant parts of the documentation.

//Magnus

On Wed, Apr 3, 2019 at 9:47 AM Rajwade, Abhijit <[hidden email]> wrote:

Magnus,

 

If this is mis-configured, can you please advise what configuration is needed to prevent this vulnerability?

 

Thx & Regards

--- Abhijit Rajwade

 

From: Magnus Hagander [mailto:[hidden email]]
Sent: Wednesday, April 03, 2019 1:13 PM
To: Rajwade, Abhijit; [hidden email]
Subject: [EXTERNAL] Re: BUG #15731: CVE-2019-9193

 

This is not a security vulnerability in the product. It is behaving exactly as intended. It may be misconfigured in some deployments, but it's not a product vulnerability.

 

/Magnus 

 

On Wed, Apr 3, 2019, 09:39 PG Bug reporting form <[hidden email]> wrote:

The following bug has been logged on the website:

Bug reference:      15731
Logged by:          Abhijit Rajwade
Email address:      [hidden email]
PostgreSQL version: 11.2
Operating system:   Linux
Description:       

Sonatype Nexus Audior is reporting the following Threat level 9
vulnerability on Postgres

Vulnerability

Issue CVE-2019-9193
Severity Sonatype CVSS 3.0: 9.8
Weakness Sonatype CWE: 94
Source National Vulnerability Database
Categories Data

Description

Description from CVE
In PostgreSQL 9.3 through 11.2, the "COPY TO/FROM PROGRAM" function allows
superusers and users in the 'pg_read_server_files' group to execute
arbitrary code in the context of the database's operating system user. This
functionality is enabled by default and can be abused to run arbitrary
operating system commands on Windows, Linux, and macOS.

Root Cause
postgresql-42.2.5.jar : [9.3, )

Advisories
    Third Party:
https://github.com/iiiusky/vulhub/commit/88c8816c6f8825030ade34c63c745757ca818fc0#diff-ceb08c22f5e392636bdb77b8562ce0fd
    Third Party:
https://medium.com/greenwolf-security/authenticated-arbitrary-command-execution-on-postgresql-9-3-latest-cd18945914d5

CVSS Details
    Sonatype CVSS 3.0: 9.8
    CVSS Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H


Can you please have the above Security vulnerability fixed?

--- Abhijit Rajwade