www.belgium.be Logo of the federal government

Warning: PostgreSQL Relation Replacement During pg_dump Executes Arbitrary SQL, Patch Immediately!

Reference: 
Advisory #2024-200
Version: 
1.0
Affected software: 
PostgreSQL 16.x prior to 16.4
PostgreSQL 15.x prior to 15.8
PostgreSQL 14.x prior to 14.13
PostgreSQL 13.x prior to 13.16
PostgreSQL 12.x prior to 12.20
Type: 
Arbitrary SQL Execution
CVE/CVSS: 

CVE-2024-7348: CVSS 8.8 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)

Datum: 
13/08/2024

Sources

PostgreSQL: https://www.postgresql.org/support/security/CVE-2024-7348/

Risks

A vulnerability has been discovered in PostgreSQL, a popular open source relational database management system, which allows attackers to execute arbitrary SQL functions.

The exploitation of this vulnerability has a high impact on Confidentiality, Integrity, and Availability.

Description

This vulnerability is a Time-of-check Time-of-use (TOCTOU) race condition in the pg_dump process. An attacker could exploit this by replacing another relation type with a view or foreign table, allowing them to execute arbitrary SQL functions, as the user pg_dump is often a superuser.

The attack requires precise timing to coincide with the start of pg_dump, but the race condition is easily won if the attacker maintains an open transaction.

Potential sequence of attack:

  1. An attacker creates a non-temporary object in the database.
  2. Before the pg_dump process begins, the attacker replaces this object with another one that contains malicious SQL code.
  3. When pg_dump attempts to back up the database, it executes the injected SQL code.

It's important to note that the protection is only active if both pg_dump and the server are updated to the versions containing the fix.

Recommended Actions

Patch

The Centre for Cybersecurity Belgium strongly recommends installing updates for vulnerable devices with the highest priority, after thorough testing.

Monitor/Detect

The CCB recommends organizations upscale monitoring and detection capabilities to identify any related suspicious activity, ensuring a swift response in case of an intrusion.

In case of an intrusion, you can report an incident via: https://cert.be/en/report-incident

While patching appliances or software to the newest version may provide safety from future exploitation, it does not remediate historic compromise.

References

PostgreSQL: https://www.postgresql.org/about/news/postgresql-164-158-1413-1316-1220-and-17-beta-3-released-2910/
Vulert: https://vulert.com/vuln-db/CVE-2024-7348
Xatia.io: https://xata.io/blog/cve-2024-7348-postgres-upgrade