Re: Re: BUG #15731: CVE-2019-9193

From: Magnus Hagander <magnus(at)hagander(dot)net>
To: "Rajwade, Abhijit" <Abhijit_Rajwade(at)bmc(dot)com>
Cc: "pgsql-bugs(at)lists(dot)postgresql(dot)org" <pgsql-bugs(at)lists(dot)postgresql(dot)org>, "Phadtare, Yogesh" <yogesh_phadtare(at)bmc(dot)com>, "Sanklecha, Akshay" <akshay_sanklecha_tp(at)bmc(dot)com>, "Nambiar, Girish" <Girish_Nambiar(at)bmc(dot)com>
Subject: Re: Re: BUG #15731: CVE-2019-9193
Date: 2019-04-03 08:10:21
Message-ID: CABUevEyJQ1CV3_k-C4zeoe93dEUD2SC9MCabV91QbjjHQ6KuUA@mail.gmail.com
Lists: pgsql-bugs

It's absolutely trivial. Don't run as superuser, done.

Again, there is no vulnerability to prevent. If you explicitly allow
superusers to log in remotely, they can do superuser things. Just like if
you allow "root" to ssh in remotely, people can use that to ssh in as
"root" and do root level things like delete your files.

(The report is of course also simply factually incorrect, because the
pg_read_server_files role has exactly nothing to do with it. Which is also
clearly documented. And you can even tell from the name that it's about
reading files)

You can read some more at
https://blog.hagander.net/when-a-vulnerability-is-not-a-vulnerability-244/
-- which also quotes some relevant parts of the documentation.

//Magnus

On Wed, Apr 3, 2019 at 9:47 AM Rajwade, Abhijit <Abhijit_Rajwade(at)bmc(dot)com>
wrote:

> Magnus,
>
>
>
> If this is mis-configured, can you please advise what configuration is
> needed to prevent this vulnerability?
>
>
>
> Thx & Regards
>
> --- Abhijit Rajwade
>
>
>
> *From:* Magnus Hagander [mailto:magnus(at)hagander(dot)net]
> *Sent:* Wednesday, April 03, 2019 1:13 PM
> *To:* Rajwade, Abhijit; pgsql-bugs(at)lists(dot)postgresql(dot)org
> *Subject:* [EXTERNAL] Re: BUG #15731: CVE-2019-9193
>
>
>
> This is not a security vulnerability in the product. It is behaving
> exactly as intended. It may be misconfigured in some deployments, but it's
> not a product vulnerability.
>
>
>
> /Magnus
>
>
>
> On Wed, Apr 3, 2019, 09:39 PG Bug reporting form <noreply(at)postgresql(dot)org>
> wrote:
>
> The following bug has been logged on the website:
>
> Bug reference: 15731
> Logged by: Abhijit Rajwade
> Email address: abhijit_rajwade(at)bmc(dot)com
> PostgreSQL version: 11.2
> Operating system: Linux
> Description:
>
> Sonatype Nexus Auditor is reporting the following Threat level 9
> vulnerability on Postgres
>
> Vulnerability
>
> Issue CVE-2019-9193
> Severity Sonatype CVSS 3.0: 9.8
> Weakness Sonatype CWE: 94
> Source National Vulnerability Database
> Categories Data
>
> Description
>
> Description from CVE
> In PostgreSQL 9.3 through 11.2, the "COPY TO/FROM PROGRAM" function allows
> superusers and users in the 'pg_read_server_files' group to execute
> arbitrary code in the context of the database's operating system user. This
> functionality is enabled by default and can be abused to run arbitrary
> operating system commands on Windows, Linux, and macOS.
>
> Root Cause
> postgresql-42.2.5.jar : [9.3, )
>
> Advisories
> Third Party:
>
> https://github.com/iiiusky/vulhub/commit/88c8816c6f8825030ade34c63c745757ca818fc0#diff-ceb08c22f5e392636bdb77b8562ce0fd
> Third Party:
>
> https://medium.com/greenwolf-security/authenticated-arbitrary-command-execution-on-postgresql-9-3-latest-cd18945914d5
>
> CVSS Details
> Sonatype CVSS 3.0: 9.8
> CVSS Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
>
>
> Can you please have the above Security vulnerability fixed?
>
> --- Abhijit Rajwade
>
>
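
An audit for the configuration point made in the reply above, as an added example that is not part of the original thread: it lists the login roles that can reach COPY ... PROGRAM (superusers, and members of pg_execute_server_program, the predefined role that grants it to non-superusers since PostgreSQL 11), then the pg_hba.conf rules that accept non-loopback connections as a superuser. It assumes PostgreSQL 11 or later and a superuser session in psql; app_user is a hypothetical role name.

```sql
-- Added example, not from the thread. Assumes PostgreSQL 11+, run as a superuser.

-- 1. Login roles able to run COPY ... TO/FROM PROGRAM.
--    pg_has_role() also returns true for superusers, so rolsuper is
--    shown as its own column to tell the two cases apart.
SELECT r.rolname,
       r.rolsuper,
       pg_has_role(r.oid, 'pg_execute_server_program', 'MEMBER')
           AS can_execute_server_program
FROM pg_roles AS r
WHERE r.rolcanlogin
  AND (r.rolsuper
       OR pg_has_role(r.oid, 'pg_execute_server_program', 'MEMBER'))
ORDER BY r.rolname;

-- 2. pg_hba.conf rules that let a superuser authenticate over the network.
--    pg_hba_file_rules reflects the file on disk (PostgreSQL 10+).
--    Limitations: "+group" entries are not expanded, and only the exact
--    loopback addresses 127.0.0.1 and ::1 are treated as local.
SELECT h.line_number,
       h.type,
       h.database,
       h.user_name,
       h.address,
       h.netmask,
       h.auth_method
FROM pg_hba_file_rules AS h
WHERE h.error IS NULL
  AND h.type <> 'local'
  AND h.auth_method <> 'reject'
  AND h.address NOT IN ('127.0.0.1', '::1')
  AND (h.user_name && ARRAY['all']
       OR h.user_name && (SELECT array_agg(rolname::text)
                          FROM pg_roles
                          WHERE rolsuper))
ORDER BY h.line_number;

-- 3. Remediation for an application account that does not need these rights.
--    app_user is a hypothetical role name; substitute a role from query 1.
ALTER ROLE app_user NOSUPERUSER;
REVOKE pg_execute_server_program FROM app_user;
```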
