The maintainers of the PostgreSQL database software have patched a security vulnerability, which, in some very limited circumstances, could be used to run arbitrary code on vulnerable servers. The vulnerability, which affects versions 9.0, 9.1 and 9.2, also can be used to cause a denial-of-service by any remote attacker.
The PostgreSQL team released the patch for this CVE-2013-1899 vulnerability on Thursday and recommended that users of affected versions update their installations immediately. The team said that it was not aware of any public exploits for the PostgreSQL vulnerability at this point.
“Any system that allows unrestricted access to the PostgreSQL network port, such as users running PostgreSQL on a public cloud, is especially vulnerable. Users whose servers are only accessible on protected internal networks, or who have effective firewalling or other network access restrictions, are less vulnerable,” the security advisory says.
The most likely attack scenario involves an unauthenticated remote attacker using the bug to cause the DoS condition on a vulnerable server. In that case, the vulnerable server may either crash or fail to restart.
“An unauthenticated attacker may use this vulnerability to cause PostgreSQL error messages to be appended to targeted files in the PostgreSQL data directory on the server. Files corrupted in this way may cause the database server to crash, and to refuse to restart. The database server can be fixed either by editing the files and removing the garbage text, or restoring from backup,” the advisory says.
In the code-execution scenario, the attacker would need to have valid credentials on the PostgreSQL server and the server would need to have the same name as the user.
“If the attacker meets all of the qualifications under 2 above, and has the ability to save files to the filesystem as well (even to the tmp directory), then they can use the vulnerability to load and execute arbitrary C code. SELinux will prevent this specific type of exploit,” the advisory says.