New PostgreSQL Vulnerability Allows Attackers to Change Environment Variables
Recently, a critical security vulnerability was discovered in the PostgreSQL open-source database system. Tracked as CVE-2024-10979, this high-severity vulnerability poses significant risks, earning a CVSS score of 8.8. It could allow unprivileged database users to modify environment variables, potentially leading to arbitrary code execution or sensitive information disclosure.
Understanding the PostgreSQL Vulnerability (CVE-2024-10979)
Environment variables are integral to software operation, providing dynamic runtime information such as access keys, configuration settings, and paths to essential resources. However, their flexibility can also introduce risks when mishandled.
According to a PostgreSQL advisory, CVE-2024-10979 stems from improper control of environment variables in the PL/Perl procedural language. This flaw allows attackers to change sensitive environment variables like PATH, opening the door to severe security risks.
Even without privileged database server access, an attacker could exploit this flaw to:
- Execute arbitrary code by altering runtime paths.
- Extract confidential system information via malicious queries.
Affected Versions and Fixes
The vulnerability impacts earlier versions of PostgreSQL but has been addressed in the following patched releases:
- PostgreSQL 17.1
- PostgreSQL 16.5
- PostgreSQL 15.9
- PostgreSQL 14.14
- PostgreSQL 13.17
- PostgreSQL 12.21
This flaw was discovered by cybersecurity researchers Tal Peleg and Coby Abrams from Varonis. They noted that the vulnerability could result in “severe security issues” depending on the context of the attack. It is strongly recommended that users update to the above patched versions immediately to mitigate risks.
Recommendations for Mitigation
To secure your PostgreSQL environment, follow these best practices:
Apply Patches Promptly
Ensure that your database system is updated to the latest patched version. Delayed updates increase the window of vulnerability, putting critical systems and data at risk.
Restrict Extensions
Limit the permissions to create extensions by granting access only to specific, trusted extensions. Additionally, configure the shared_preload_libraries parameter to load only essential extensions.
Follow the Principle of Least Privilege
Restrict roles from creating functions by limiting CREATE FUNCTION permissions to essential users only. This minimizes the attack surface.
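The three recommendations above as an audit and hardening script, added here as an example and not taken from the article or from the PostgreSQL project. It assumes a superuser session in each database that has PL/Perl installed, and the role names app_user and trusted_dev are placeholders.

```sql
-- Added example: audit and hardening statements for the mitigations above.
-- Run as a superuser in each database that has PL/Perl installed.
-- Role names app_user and trusted_dev are assumed placeholders.

-- 1. Confirm the server is on a patched release
--    (17.1, 16.5, 15.9, 14.14, 13.17, 12.21 or later).
SHOW server_version;

-- 2. Check whether PL/Perl is installed here at all; if no function needs it, drop it.
SELECT extname, extversion FROM pg_extension WHERE extname IN ('plperl', 'plperlu');
-- DROP EXTENSION plperl;   -- only when no function depends on it

-- 3. See who may define functions in the language. lanacl = NULL means the
--    default applies, and for a trusted language the default grants USAGE to PUBLIC.
SELECT lanname, lanpltrusted, lanacl FROM pg_language WHERE lanname LIKE 'plperl%';

-- 4. Least privilege: take language usage away from everyone, then hand it back
--    only to the roles that genuinely need to write PL/Perl functions.
REVOKE USAGE ON LANGUAGE plperl FROM PUBLIC;
GRANT  USAGE ON LANGUAGE plperl TO trusted_dev;

-- 5. CREATE FUNCTION also needs CREATE on a schema. Before PostgreSQL 15 the
--    public schema granted that to PUBLIC by default; remove it explicitly.
REVOKE CREATE ON SCHEMA public FROM PUBLIC;

-- 6. Verify the result for an ordinary application role: both should be false.
SELECT has_language_privilege('app_user', 'plperl', 'USAGE') AS can_use_plperl,
       has_schema_privilege('app_user', 'public', 'CREATE')  AS can_create_in_public;

-- 7. Review which libraries are preloaded at server start (the
--    shared_preload_libraries advice); keep the list to what the workload needs.
SHOW shared_preload_libraries;
```

Step 6 is the check worth repeating after any role or schema change, since a role that regains either privilege can define PL/Perl functions again.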
Addressing CVE-2024-10979 on End-of-Life Linux Systems
The PostgreSQL vulnerability CVE-2024-10979 not only affects supported systems but also extends its reach to end-of-life Linux operating systems such as CentOS 7, Ubuntu 16.04, and Ubuntu 18.04. Since these systems no longer receive official security updates from their respective vendors, they face a significantly higher risk of exploitation.
This is where TuxCare’s Endless Lifecycle Support (ELS) becomes invaluable. TuxCare provides ongoing vulnerability patches for end-of-life Linux systems, ensuring they remain secure and compliant beyond the vendor-supported lifecycle. The ELS service covers over 140 critical packages, including the Linux kernel, glibc, OpenSSL, PostgreSQL, Python, OpenJDK, and more.
The TuxCare team is already working on patches for CVE-2024-10979 for CentOS 7, Ubuntu 16.04, and Ubuntu 18.04. You can track the patch availability using this CVE tracker.
Conclusion
PostgreSQL is a widely used, robust database system for applications ranging from small startups to large enterprises. A vulnerability of this magnitude could lead to devastating outcomes, especially if left unpatched in production environments.
For organizations running mission-critical applications on end-of-life systems, TuxCare offers a seamless solution to maintain security, compliance, and operational continuity without the need for costly and disruptive migrations.
Protecting outdated systems against PostgreSQL vulnerabilities like CVE-2024-10979 is no longer a daunting task. With TuxCare’s Endless Lifecycle Support, organizations can keep their infrastructure secure and resilient against emerging threats.
The sources for this article include a story from TheHackerNews.