ASA-202011-14: postgresql: multiple issues
Arch Linux Security Advisory ASA-202011-14
=========================================
Severity: High
Date : 2020-11-17
CVE-ID : CVE-2020-25694 CVE-2020-25695 CVE-2020-25696
Package : postgresql
Type : multiple issues
Remote : Yes
Link : https://security.archlinux.org/AVG-1276
Summary
======
The package postgresql before version 12.5-1 is vulnerable to multiple
issues including sandbox escape, arbitrary code execution and silent
downgrade.
Resolution
=========
Upgrade to 12.5-1.
# pacman -Syu "postgresql>.5-1"
The problems have been fixed upstream in version 12.5.
Workaround
=========
None.
Description
==========
- CVE-2020-25694 (silent downgrade)
A security issue has been found in PostgreSQL before 12.5. Many
PostgreSQL-provided client applications have options that create
additional database connections. Some of those applications reuse only
the basic connection parameters (e.g. host, user, port), dropping
others. If this drops a security-relevant parameter (e.g.
channel_binding, sslmode, requirepeer, gssencmode), the attacker has an
opportunity to complete a MITM attack or observe cleartext
transmission.
Affected applications are clusterdb, pg_dump, pg_restore, psql,
reindexdb, and vacuumdb. The vulnerability arises only if one invokes
an affected client application with a connection string containing a
security-relevant parameter.
- CVE-2020-25695 (sandbox escape)
A security issue has been found in PostgreSQL before 12.5, where an
attacker having permission to create non-temporary objects in at least
one schema can execute arbitrary SQL functions under the identity of a
superuser.
While promptly updating PostgreSQL is the best remediation for most
users, a user unable to do that can work around the vulnerability by
disabling autovacuum and not manually running ANALYZE, CLUSTER,
REINDEX, CREATE INDEX, VACUUM FULL, REFRESH MATERIALIZED VIEW, or a
restore from output of the pg_dump command. Performance may degrade
quickly under this workaround. VACUUM without the FULL option is safe,
and all commands are fine when a trusted user owns the target object.
- CVE-2020-25696 (arbitrary code execution)
A security issue has been found in PostgreSQL before 12.5, where psql's
\gset allows overwriting specially treated variables. The \gset meta-
command, which sets psql variables based on query results, does not
distinguish variables that control psql behavior. If an interactive
psql session uses \gset when querying a compromised server, the
attacker can execute arbitrary code as the operating system account
running psql. Using \gset with a prefix not found among specially
treated variables, e.g. any lowercase string, precludes the attack in
an unpatched psql.
Impact
=====
An attacker in position of man-in-the-middle might be able to access
sensitive information or even alter SQL commands. A remote,
authenticated attacker might be able to escape the PG sandbox and
execute arbitrary code on the server.
References
=========
https://www.postgresql.org/about/news/postgresql-131-125-1110-1015-9620-and-9524-released-2111/
https://security.archlinux.org/CVE-2020-25694
https://security.archlinux.org/CVE-2020-25695
https://security.archlinux.org/CVE-2020-25696
A postgresql security update has been released for Arch Linux.
