Warning: PostgreSQL Relation Replacement During pg_dump Executes Arbitrary SQL, Patch Immediately!
CVE-2024-7348: CVSS 8.8 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)
Sources
PostgreSQL: https://www.postgresql.org/support/security/CVE-2024-7348/
Risks
A vulnerability has been discovered in PostgreSQL, a popular open source relational database management system, which allows attackers to execute arbitrary SQL functions.
The exploitation of this vulnerability has a high impact on Confidentiality, Integrity, and Availability.
Description
This vulnerability is a Time-of-check Time-of-use (TOCTOU) race condition in the pg_dump process. An attacker could exploit it by replacing another relation type with a view or foreign table, allowing them to execute arbitrary SQL functions, as the user running pg_dump is often a superuser.
The attack requires precise timing to coincide with the start of pg_dump, but the race condition is easily won if the attacker maintains an open transaction.
Potential sequence of attack:
- An attacker creates a non-temporary object in the database.
- Before the pg_dump process begins, the attacker replaces this object with a view or foreign table whose definition calls malicious SQL.
- When pg_dump attempts to back up the database, it executes the injected SQL code.
It's important to note that the fix is only effective if both pg_dump and the server are updated to a version containing it.
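Because the fix only works when both sides are patched, a single "server is up to date" check is not enough. The script below is an added example (not part of the CCB advisory or of the PostgreSQL project) that parses the version banners of the pg_dump client and of the server and reports whether each is at or above the fixed minor release. The fixed releases (16.4, 15.8, 14.13, 13.16, 12.20) are taken from the release announcement linked under References; the sample banners are constructed for illustration, and the live check at the end only runs where pg_dump and psql are installed.

```shell
#!/bin/sh
# Added example (not from the CCB advisory or the PostgreSQL project): checks whether
# a pg_dump client and a PostgreSQL server both report a release at or above the
# minor version that fixes CVE-2024-7348, since the fix only works when both sides
# are patched. Fixed releases (16.4, 15.8, 14.13, 13.16, 12.20) come from the
# release announcement linked under References; sample banners are constructed.

# Minimum patched minor release for each major covered by the fix.
fixed_minor_for_major() {
    case "$1" in
        16) echo 4 ;;
        15) echo 8 ;;
        14) echo 13 ;;
        13) echo 16 ;;
        12) echo 20 ;;
        *)  echo "" ;;   # unknown or unsupported major (e.g. 17beta3): cannot judge
    esac
}

# Pull the first "major.minor" token out of a banner such as
# "pg_dump (PostgreSQL) 16.3" or "16.3 (Debian 16.3-1.pgdg120+1)".
extract_version() {
    printf '%s\n' "$1" | awk '{
        for (i = 1; i <= NF; i++)
            if ($i ~ /^[0-9]+\.[0-9]+/) { sub(/[^0-9.].*$/, "", $i); print $i; exit }
    }'
}

# Exit status: 0 = at or above the fixed minor, 1 = vulnerable, 2 = cannot tell.
pg_version_is_fixed() {
    v=$(extract_version "$1")
    [ -n "$v" ] || return 2
    major=${v%%.*}
    rest=${v#*.}
    minor=${rest%%.*}
    need=$(fixed_minor_for_major "$major")
    [ -n "$need" ] || return 2
    [ "$minor" -ge "$need" ]
}

# The protection is only active when BOTH the client and the server are fixed.
both_sides_fixed() {
    pg_version_is_fixed "$1" && pg_version_is_fixed "$2"
}

# Human-readable verdict for one side ("$1" is a label, "$2" the raw banner).
report() {
    rc=0
    pg_version_is_fixed "$2" || rc=$?
    case "$rc" in
        0) echo "$1: $(extract_version "$2") - patched for CVE-2024-7348" ;;
        1) echo "$1: $(extract_version "$2") - VULNERABLE, upgrade" ;;
        *) echo "$1: could not determine a supported version from '$2'" ;;
    esac
}

# Constructed banners: patched client, unpatched server -> protection NOT active.
report "pg_dump" "pg_dump (PostgreSQL) 16.4"
report "server"  "16.3 (Debian 16.3-1.pgdg120+1)"

# Live check where the tools are installed (psql: -X no psqlrc, -A unaligned, -t tuples only).
if command -v pg_dump >/dev/null 2>&1 && command -v psql >/dev/null 2>&1; then
    report "pg_dump" "$(pg_dump --version)"
    report "server"  "$(psql -XAt -c 'SHOW server_version' 2>/dev/null || true)"
fi
```

Run the script on the host that performs the backups, since that is where the pg_dump binary in use lives; a patched server reached by an old pg_dump client still reports "VULNERABLE" on the client line, which is exactly the case the advisory warns about. Pre-release banners such as "17beta3" and majors not covered by the fix are reported as undetermined rather than silently treated as safe.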
Recommended Actions
Patch
The Centre for Cybersecurity Belgium strongly recommends installing updates for vulnerable devices with the highest priority, after thorough testing.
Monitor/Detect
The CCB recommends organizations upscale monitoring and detection capabilities to identify any related suspicious activity, ensuring a swift response in case of an intrusion.
In case of an intrusion, you can report an incident via: https://cert.be/en/report-incident
While patching appliances or software to the newest version protects against future exploitation, it does not remediate a historic compromise.
References
PostgreSQL: https://www.postgresql.org/about/news/postgresql-164-158-1413-1316-1220-and-17-beta-3-released-2910/
Vulert: https://vulert.com/vuln-db/CVE-2024-7348
Xata.io: https://xata.io/blog/cve-2024-7348-postgres-upgrade