Leaky PostgreSQL passwords plugged

DBAs: strap on your patching boots. Every DB in your clusters needs work

By Richard Chirgwin

Posted in Security, 13th August 2017 23:58 GMT

PostgreSQL has released three security patches for versions 9.6.4, 9.5.8, 9.4.13, 9.3.18, and 9.2.22.

In CVE-2017-7547, a remote attacker can retrieve others' passwords because of a user mapping bug.

The authorisation oopsie derives from the database's handling of pg_user_mappings, allowing an authenticated remote attacker retrieve passwords from user mappings defined by the server owner – all the way up to passwords set by the server admin.

Settle in with lots of coffee, sysadmins: after fetching the patch, there's a set of fix commands that have to be run on every database in a cluster.

In CVE-2017-7546, the server accepts empty passwords, as explained by Adam Mariš here:

“Several authentication methods, including the widely-used 'md5' method, permit empty passwords. On the client side, libpq will not send an empty password. This may have given a false impression that an empty password was equivalent to disabling the account with respect to authentication methods requiring a password. On the contrary, an attacker could easily authenticate as the user.”

In CVE-2017-7548, there's a fix to the database's lo_put() function, which had a missing permission check that allowed “any user to change the data in a large object”.

The PostgreSQL note about the bug outlines 50 other fixes for bugs reported in the last three months, and reminds users that Version 9.2 will move to the end-of-life list in September. ®

Sign up to our NewsletterGet IT in your inbox daily

3 Comments

More from The Register

Microsoft emergency update: Malware Engine needs, erm, malware protection

Stop appreciating the irony and go install the patch now

Microsoft patched more Malware Protection Engine bugs last week

Redmond's out-of-band advisory landed after the bugs were fixed

Paranoid Android: Antivirus app-makers resolve MitM vulnerability

Attack loophole in Panda app sealed

'Crazy bad' bug in Microsoft's Windows malware scanner can be used to install malware

Critical update for security engine rushed out the door

They forked this one up: Microsoft modifies open-source code, blows hole in Windows Defender

Rar! That's a scary bug

'Amnesia' IoT botnet feasts on year-old unpatched vulnerability

New variant of 'Tsunami' is a disaster waiting to happen

Microsoft says: Lock down your software supply chain before the malware scum get in

Stealthy attack code spotted going after payment systems

MailChimp 'working' to stop hackers flinging malware-laced spam from accounts

What can you do about it for now? Sweet 2FA

Crumbs! Crunchyroll distributed malware for a couple of hours

Anime-streamer is fine again, and disinfection is easy

Researchers create AI attacker to defeat AI malware defender

It's like Spy Vs Spy, but with neural network boffins