Bug 1508985 (CVE-2017-15097) - CVE-2017-15097 postgresql: Start scripts permit database administrator to modify root-owned files
Summary: CVE-2017-15097 postgresql: Start scripts permit database administrator to mod...
Keywords:
Status: CLOSED ERRATA
Alias: CVE-2017-15097
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
medium
medium
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard: impact=moderate,public=20171207,repor...
Depends On: 1500062 1500063 1507555 1507556 1507558 1507559 1507561 1507562
Blocks: 1498401
TreeView+ depends on / blocked
 
Reported: 2017-11-02 15:40 UTC by Pedro Yóssis Silva Barbosa
Modified: 2019-06-08 22:27 UTC (History)
31 users (show)

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Privilege escalation flaws were found in the Red Hat initialization scripts of PostgreSQL. An attacker with access to the postgres user account could use these flaws to obtain root access on the server machine.
Clone Of:
Environment:
Last Closed: 2017-12-08 03:05:51 UTC


Attachments (Terms of Use)


Links
System ID Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2017:3402 normal SHIPPED_LIVE Moderate: postgresql security update 2017-12-08 07:40:39 UTC
Red Hat Product Errata RHSA-2017:3403 normal SHIPPED_LIVE Moderate: rh-postgresql94-postgresql security update 2017-12-08 07:41:17 UTC
Red Hat Product Errata RHSA-2017:3404 normal SHIPPED_LIVE Moderate: rh-postgresql95-postgresql security update 2017-12-08 07:58:03 UTC
Red Hat Product Errata RHSA-2017:3405 normal SHIPPED_LIVE Moderate: rh-postgresql96-postgresql security update 2017-12-08 07:58:26 UTC

Description Pedro Yóssis Silva Barbosa 2017-11-02 15:40:02 UTC
PostgreSQL runs under a non-root operating system account, and database superusers have effective ability to run arbitrary code under that system account. Red Hat provides scripts for starting the database server during system boot and for initializing the database. These implementations use file names that the database superuser can replace with symbolic links. As root, the scripts open(), chmod() and/or chown() the log and data files. These issues often suffice for the database superuser to escalate to root privileges when root starts the server or initializes the database.

Comment 8 Pedro Yóssis Silva Barbosa 2017-11-13 16:47:18 UTC
Red Hat initialization and setup scripts for postgresql have race condition vulnerabilities that may enable the escalation of privileges from the postgres user account to root.

For Red Hat Enterprise Linux 6 and earlier, the start action in the postgresql.init script has the following piece of code:

    touch "$PGLOG" || exit 4                                                                        
    chown postgres:postgres "$PGLOG"                                                                
    chmod go-rwx "$PGLOG"                                                                           

An attacker accessing the postgres user account could change the targeted log file (PGLOG) to one with root permissions. Similar pieces of code can be found in many other parts of the script (e.g, in the initdb action, for the data folder creation).

The postgresql packages in Red Hat Enterprise Linux 7 and Red Hat Software Collections for Red Hat Enterprise Linux 6 and 7 are susceptible during the initdb and update actions (through the postgresql-setup script). Once administrators do not perform initdb and update actions very often, the impact of this flaw can be considered lower for Red Hat Enterprise Linux 7 and Red Hat Software Collections for Red Hat Enterprise Linux 6 and 7.

Mitigations could be the dropping of the root privileges right at the beginning of the scripts.

Comment 9 Pedro Yóssis Silva Barbosa 2017-11-13 17:02:08 UTC
Statement:

Red Hat Enterprise Linux 6 is now in Production 3 Phase of the support and maintenance life cycle. This has been rated as having Moderate security impact and is not currently planned to be addressed in future updates. For additional information, refer to the Red Hat Enterprise Linux Life Cycle: https://access.redhat.com/support/policy/updates/errata/.

Comment 12 Pedro Yóssis Silva Barbosa 2017-11-13 17:32:18 UTC
Acknowledgments:

Name: Pedro Barbosa (Red Hat), the PostgreSQL project
Upstream: Antoine Scemama (Brainloop)

Comment 13 errata-xmlrpc 2017-12-08 02:41:42 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7

Via RHSA-2017:3402 https://access.redhat.com/errata/RHSA-2017:3402

Comment 14 errata-xmlrpc 2017-12-08 02:42:13 UTC
This issue has been addressed in the following products:

  Red Hat Software Collections for Red Hat Enterprise Linux 6
  Red Hat Software Collections for Red Hat Enterprise Linux 6.7 EUS
  Red Hat Software Collections for Red Hat Enterprise Linux 7
  Red Hat Software Collections for Red Hat Enterprise Linux 7.3 EUS
  Red Hat Software Collections for Red Hat Enterprise Linux 7.4 EUS

Via RHSA-2017:3403 https://access.redhat.com/errata/RHSA-2017:3403

Comment 15 errata-xmlrpc 2017-12-08 02:59:28 UTC
This issue has been addressed in the following products:

  Red Hat Software Collections for Red Hat Enterprise Linux 6
  Red Hat Software Collections for Red Hat Enterprise Linux 6.7 EUS
  Red Hat Software Collections for Red Hat Enterprise Linux 7
  Red Hat Software Collections for Red Hat Enterprise Linux 7.3 EUS
  Red Hat Software Collections for Red Hat Enterprise Linux 7.4 EUS

Via RHSA-2017:3404 https://access.redhat.com/errata/RHSA-2017:3404

Comment 16 errata-xmlrpc 2017-12-08 02:59:55 UTC
This issue has been addressed in the following products:

  Red Hat Software Collections for Red Hat Enterprise Linux 6
  Red Hat Software Collections for Red Hat Enterprise Linux 6.7 EUS
  Red Hat Software Collections for Red Hat Enterprise Linux 7
  Red Hat Software Collections for Red Hat Enterprise Linux 7.3 EUS
  Red Hat Software Collections for Red Hat Enterprise Linux 7.4 EUS

Via RHSA-2017:3405 https://access.redhat.com/errata/RHSA-2017:3405


Note You need to log in before you can comment on or make changes to this bug.