Bug 1508985 (CVE-2017-15097)

Summary: CVE-2017-15097 postgresql: Start scripts permit database administrator to modify root-owned files
Product: [Other] Security Response
Reporter: Pedro Yóssis Silva Barbosa <pebarbos>
Component: vulnerability
Assignee: Red Hat Product Security <security-response-team>
Status: CLOSED ERRATA
Severity: medium
Priority: medium
Version: unspecified
CC: bkearney, cpelland, dajohnso, databases-maint, dclarizi, devrim, gblomqui, ggainey, gmccullo, gtanzill, hhorak, hhudgeon, jfrey, jhardy, jmlich83, jorton, jprause, jstanek, meissner, mike, obarenbo, pkajaba, pkubat, praiskup, roliveri, security-response-team, simaishi, taw, tgl, thomas, tlestach
Target Milestone: ---
Keywords: Security
Target Release: ---
Hardware: All
OS: Linux
Doc Type: If docs needed, set a value
Doc Text:
Privilege escalation flaws were found in the Red Hat initialization scripts of PostgreSQL. An attacker with access to the postgres user account could use these flaws to obtain root access on the server machine.
Story Points: ---
Last Closed: 2017-12-08 03:05:51 UTC
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
Category: ---
oVirt Team: ---
Cloudforms Team: ---
Bug Depends On: 1500062, 1500063, 1507555, 1507556, 1507558, 1507559, 1507561, 1507562
Bug Blocks: 1498401

Description Pedro Yóssis Silva Barbosa 2017-11-02 15:40:02 UTC
PostgreSQL runs under a non-root operating system account, and database superusers have effective ability to run arbitrary code under that system account. Red Hat provides scripts for starting the database server during system boot and for initializing the database. These implementations use file names that the database superuser can replace with symbolic links. As root, the scripts open(), chmod() and/or chown() the log and data files. These issues often suffice for the database superuser to escalate to root privileges when root starts the server or initializes the database.

Comment 8 Pedro Yóssis Silva Barbosa 2017-11-13 16:47:18 UTC
Red Hat initialization and setup scripts for postgresql have race condition vulnerabilities that may enable the escalation of privileges from the postgres user account to root.

For Red Hat Enterprise Linux 6 and earlier, the start action in the postgresql.init script has the following piece of code:

    touch "$PGLOG" || exit 4
    chown postgres:postgres "$PGLOG"
    chmod go-rwx "$PGLOG"

An attacker accessing the postgres user account could change the targeted log file (PGLOG) to one with root permissions. Similar pieces of code can be found in many other parts of the script (e.g., in the initdb action, for the data folder creation).

The postgresql packages in Red Hat Enterprise Linux 7 and Red Hat Software Collections for Red Hat Enterprise Linux 6 and 7 are susceptible during the initdb and update actions (through the postgresql-setup script). Since administrators do not perform initdb and update actions very often, the impact of this flaw can be considered lower for Red Hat Enterprise Linux 7 and Red Hat Software Collections for Red Hat Enterprise Linux 6 and 7.

A mitigation could be dropping the root privileges right at the beginning of the scripts.

Comment 9 Pedro Yóssis Silva Barbosa 2017-11-13 17:02:08 UTC
Statement:

Red Hat Enterprise Linux 6 is now in Production 3 Phase of the support and maintenance life cycle. This has been rated as having Moderate security impact and is not currently planned to be addressed in future updates. For additional information, refer to the Red Hat Enterprise Linux Life Cycle: https://access.redhat.com/support/policy/updates/errata/.

Comment 12 Pedro Yóssis Silva Barbosa 2017-11-13 17:32:18 UTC
Acknowledgments:

Name: Pedro Barbosa (Red Hat), the PostgreSQL project
Upstream: Antoine Scemama (Brainloop)

Comment 13 errata-xmlrpc 2017-12-08 02:41:42 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7

Via RHSA-2017:3402 https://access.redhat.com/errata/RHSA-2017:3402

Comment 14 errata-xmlrpc 2017-12-08 02:42:13 UTC
This issue has been addressed in the following products:

  Red Hat Software Collections for Red Hat Enterprise Linux 6
  Red Hat Software Collections for Red Hat Enterprise Linux 6.7 EUS
  Red Hat Software Collections for Red Hat Enterprise Linux 7
  Red Hat Software Collections for Red Hat Enterprise Linux 7.3 EUS
  Red Hat Software Collections for Red Hat Enterprise Linux 7.4 EUS

Via RHSA-2017:3403 https://access.redhat.com/errata/RHSA-2017:3403

Comment 15 errata-xmlrpc 2017-12-08 02:59:28 UTC
This issue has been addressed in the following products:

  Red Hat Software Collections for Red Hat Enterprise Linux 6
  Red Hat Software Collections for Red Hat Enterprise Linux 6.7 EUS
  Red Hat Software Collections for Red Hat Enterprise Linux 7
  Red Hat Software Collections for Red Hat Enterprise Linux 7.3 EUS
  Red Hat Software Collections for Red Hat Enterprise Linux 7.4 EUS

Via RHSA-2017:3404 https://access.redhat.com/errata/RHSA-2017:3404

Comment 16 errata-xmlrpc 2017-12-08 02:59:55 UTC
This issue has been addressed in the following products:

  Red Hat Software Collections for Red Hat Enterprise Linux 6
  Red Hat Software Collections for Red Hat Enterprise Linux 6.7 EUS
  Red Hat Software Collections for Red Hat Enterprise Linux 7
  Red Hat Software Collections for Red Hat Enterprise Linux 7.3 EUS
  Red Hat Software Collections for Red Hat Enterprise Linux 7.4 EUS

Via RHSA-2017:3405 https://access.redhat.com/errata/RHSA-2017:3405