Arch Linux Security Advisory ASA-202011-14
=========================================
Severity: High
Date    : 2020-11-17
CVE-ID  : CVE-2020-25694 CVE-2020-25695 CVE-2020-25696
Package : postgresql
Type    : multiple issues
Remote  : Yes
Link    : https://security.archlinux.org/AVG-1276

Summary
======
The package postgresql before version 12.5-1 is vulnerable to multiple
issues including sandbox escape, arbitrary code execution and silent
downgrade.

Resolution
=========
Upgrade to 12.5-1.

# pacman -Syu "postgresql>=12.5-1"

The problems have been fixed upstream in version 12.5.

Workaround
=========
None.

Description
==========
- CVE-2020-25694 (silent downgrade)

A security issue has been found in PostgreSQL before 12.5. Many
PostgreSQL-provided client applications have options that create
additional database connections. Some of those applications reuse only
the basic connection parameters (e.g. host, user, port), dropping
others. If this drops a security-relevant parameter (e.g.
channel_binding, sslmode, requirepeer, gssencmode), the attacker has an
opportunity to complete a MITM attack or observe cleartext
transmission.

Affected applications are clusterdb, pg_dump, pg_restore, psql,
reindexdb, and vacuumdb. The vulnerability arises only if one invokes
an affected client application with a connection string containing a
security-relevant parameter.

- CVE-2020-25695 (sandbox escape)

A security issue has been found in PostgreSQL before 12.5, where an
attacker having permission to create non-temporary objects in at least
one schema can execute arbitrary SQL functions under the identity of a
superuser.
While promptly updating PostgreSQL is the best remediation for most
users, a user unable to do that can work around the vulnerability by
disabling autovacuum and not manually running ANALYZE, CLUSTER,
REINDEX, CREATE INDEX, VACUUM FULL, REFRESH MATERIALIZED VIEW, or a
restore from output of the pg_dump command. Performance may degrade
quickly under this workaround. VACUUM without the FULL option is safe,
and all commands are fine when a trusted user owns the target object.

- CVE-2020-25696 (arbitrary code execution)

A security issue has been found in PostgreSQL before 12.5, where psql's
\gset allows overwriting specially treated variables. The \gset meta-
command, which sets psql variables based on query results, does not
distinguish variables that control psql behavior. If an interactive
psql session uses \gset when querying a compromised server, the
attacker can execute arbitrary code as the operating system account
running psql. Using \gset with a prefix not found among specially
treated variables, e.g. any lowercase string, precludes the attack in
an unpatched psql.

Impact
=====
An attacker in position of man-in-the-middle might be able to access
sensitive information or even alter SQL commands. A remote,
authenticated attacker might be able to escape the PG sandbox and
execute arbitrary code on the server.

References
=========
https://www.postgresql.org/about/news/postgresql-131-125-1110-1015-9620-and-9524-released-2111/
https://security.archlinux.org/CVE-2020-25694
https://security.archlinux.org/CVE-2020-25695
https://security.archlinux.org/CVE-2020-25696

ArchLinux: 202011-14: postgresql: multiple issues

November 26, 2020

Summary

- CVE-2020-25694 (silent downgrade) A security issue has been found in PostgreSQL before 12.5. Many PostgreSQL-provided client applications have options that create additional database connections. Some of those applications reuse only the basic connection parameters (e.g. host, user, port), dropping others. If this drops a security-relevant parameter (e.g. channel_binding, sslmode, requirepeer, gssencmode), the attacker has an opportunity to complete a MITM attack or observe cleartext transmission.
Affected applications are clusterdb, pg_dump, pg_restore, psql, reindexdb, and vacuumdb. The vulnerability arises only if one invokes an affected client application with a connection string containing a security-relevant parameter.
- CVE-2020-25695 (sandbox escape)
A security issue has been found in PostgreSQL before 12.5, where an attacker having permission to create non-temporary objects in at least one schema can execute arbitrary SQL functions under the identity of a superuser. While promptly updating PostgreSQL is the best remediation for most users, a user unable to do that can work around the vulnerability by disabling autovacuum and not manually running ANALYZE, CLUSTER, REINDEX, CREATE INDEX, VACUUM FULL, REFRESH MATERIALIZED VIEW, or a restore from output of the pg_dump command. Performance may degrade quickly under this workaround. VACUUM without the FULL option is safe, and all commands are fine when a trusted user owns the target object.
- CVE-2020-25696 (arbitrary code execution)
A security issue has been found in PostgreSQL before 12.5, where psql's \gset allows overwriting specially treated variables. The \gset meta- command, which sets psql variables based on query results, does not distinguish variables that control psql behavior. If an interactive psql session uses \gset when querying a compromised server, the attacker can execute arbitrary code as the operating system account running psql. Using \gset with a prefix not found among specially treated variables, e.g. any lowercase string, precludes the attack in an unpatched psql.

Resolution

Upgrade to 12.5-1. # pacman -Syu "postgresql>=12.5-1"
The problems have been fixed upstream in version 12.5.

References

https://www.postgresql.org/about/news/postgresql-131-125-1110-1015-9620-and-9524-released-2111/ https://security.archlinux.org/CVE-2020-25694 https://security.archlinux.org/CVE-2020-25695 https://security.archlinux.org/CVE-2020-25696

Severity
Package : postgresql
Type : multiple issues
Remote : Yes
Link : https://security.archlinux.org/AVG-1276

Workaround

None.

Related News

24.Key Code Esm H320
2 - 3 min read
The Akira ransomware group has extorted approximately $42 million from over 250 victims since January 1, 2024. The group initially focused on
5.ShakingHands Esm H320
2 - 3 min read
At The Linux Foundation's Open Source Summit North America , Linus Torvalds, the creator of Linux, discussed various topics related to Linux
30.Lock Globe Motherboard Esm H320
1 - 2 min read
The SPDX 3.0 release marks a significant milestone in software management, particularly for Linux admins, infosec professionals, internet security
11.Locks IsometricPattern Esm H320
2 - 3 min read
Open Source maintainers and developers have been warned about the continued wave of attacks aimed at project maintainers similar to those recently
28.Lock Globe Esm H320
1 - 2 min read
A resurgence of cyberattacks targeting Linux systems in Asian campaigns through the utilization of the Pupy Remote Access Trojan (RAT) has been
27.Tablet Connections Blocks Lock Esm H320
2 - 4 min read
Canonical has recently announced the Beta release of Ubuntu Linux 24.04 LTS , codenamed "Noble Numbat." This release aims to continue Ubuntu's
21.Globe RadiatingCode Esm H320
2 - 3 min read
The open-source movement has come a long way, from its origins in the 1960s and 1970s to becoming an integral part of organizations worldwide.
13.Lock StylizedMotherboard Esm H320
2 - 3 min read
The Rust-based Edera project demonstrates a unique approach to container security that addresses cloud-native computing challenges. Let's examine
Sign Up

Get the Latest News & Insights

Sign up to get the latest security news affecting Linux and open source delivered straight to your inbox.

© 2024 Guardian Digital, Inc All Rights Reserved