Cybersecurity experts have identified a critical vulnerability in the PostgreSQL open-source database system, potentially allowing unprivileged users to manipulate environment variables. This security flaw, categorized as CVE-2024-10979, carries a CVSS severity score of 8.8, indicating significant risks associated with its exploitation.
Environment variables serve as user-defined settings that enable programs to dynamically access crucial information, such as access keys and installation paths, during runtime without embedding them directly in the code. These variables are typically initialized at system startup in various operating environments.
According to PostgreSQL’s advisory released on Thursday, “Incorrect control of environment variables in PostgreSQL PL/Perl allows an unprivileged database user to change sensitive process environment variables (e.g., PATH).” This capability could facilitate arbitrary code execution, even without the attacker’s status as a user with database server operating system privileges.
The vulnerability has been addressed in releases of PostgreSQL, specifically versions 17.1, 16.5, 15.9, 14.14, 13.17, and 12.21. Researchers from Varonis, Tal Peleg and Coby Abrams, who uncovered this issue, have highlighted that exploitation scenarios could lead to serious security breaches depending on the attack vector utilized. Such scenarios may include executing arbitrary code through modified environment variables or extracting sensitive information by executing malicious queries.
Currently, detailed technical specifics regarding this vulnerability are being kept under wraps to provide users with adequate time to implement necessary security patches. In line with this, users are strongly encouraged to tighten their security configurations. Varonis recommends limiting permissions associated with CREATE EXTENSIONS to specified extensions and modifying the shared_preload_libraries configuration to restrict loading only essential extensions. Additionally, they advise limiting roles to prevent function creation, adhering to the principle of least privilege by controlling CREATE FUNCTION permissions.
This incident raises significant concerns regarding potential adversary tactics as outlined in the MITRE ATT&CK framework. Initial access to the database may have been achieved through improper configuration of environment variables, facilitating both persistence and privilege escalation. Attackers could exploit this vulnerability to execute code while positioning themselves within a compromised environment, effectively escalating their access and control over sensitive data.
In conclusion, businesses relying on PostgreSQL should prioritize applying the latest updates and review their environment variable handling practices to mitigate the risks posed by this vulnerability. Fortifying security measures is imperative in preventing unauthorized access and safeguarding critical data against potential exploitation.
