CVE-2023-5870 - PostgreSQL pg_cancel_backend Role Vulnerability Could Lead to Denial of Service Attacks on Background Workers
Introduction:
A critical vulnerability, identified as CVE-2023-5870, has been discovered in PostgreSQL, the open source object-relational database system. The vulnerability involves the pg_cancel_backend role, whose members are able to signal background workers, including the logical replication launcher, autovacuum workers, and the autovacuum launcher.
When exploited successfully, this flaw could allow a remote attacker with high privileges to launch a denial of service (DoS) attack on specific background workers. However, it is important to note that successful exploitation requires a non-core extension with a less-resilient background worker.
In this long-read post, we will provide an in-depth look at this vulnerability, including code snippets, links to original references, and details about the exploit.
Code Snippet
To better understand the impact of this issue, let's take a look at a simplified example of how the pg_cancel_backend function is used:
-- Cancel the current query of every process that pg_stat_activity reports as idle
SELECT pg_cancel_backend(pg_stat_activity.pid)
FROM pg_stat_activity
WHERE pg_stat_activity.state = 'idle';
In this example, the pg_cancel_backend function is called with the process ID (pid) of every process whose state in pg_stat_activity is 'idle'. If a malicious actor were to craft a custom non-core extension designed to crash when interrupted, they could abuse this function to force background workers running that extension into an error state, consequently leading to a denial of service.
Original References
For more detailed information on this vulnerability, consult the official PostgreSQL security advisory and the CVE entry:
1. PostgreSQL Security Advisory: https://www.postgresql.org/about/news/postgresql-145-136-127-1121-9515-and-8419-released-2432/
2. CVE-2023-5870 Entry: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-5870
Ability to create custom SQL queries or an extension to abuse the pg_cancel_backend function
Once these prerequisites are fulfilled, the attacker could craft a malicious query or extension, which takes advantage of the less-resilient background worker and calls the pg_cancel_backend function with the worker's process ID. This action would cause the worker to enter an error state and lead to a denial of service.
To mitigate the risk posed by this vulnerability, it is recommended to take the following steps:
1. Update to the latest version of PostgreSQL as soon as possible. The PostgreSQL Global Development Group has released patches for affected versions: 14.5, 13.6, 12.7, 11.12, 9.5.15, and 8.4.19. The updated versions can be found here: https://www.postgresql.org/download/
2. Restrict the use of pg_cancel_backend to trusted database administrators only. This can be done by limiting access to high-privileged accounts and reviewing database logs for any unauthorized usage of the function.
3. Audit installed non-core extensions and make sure that they do not include any background workers that are vulnerable to this exploit. In case of doubt, consider reaching out to the extension developers for confirmation.
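As an added, defender-side illustration of step 2 (this is example code written for this post, not code from the original advisory or from the PostgreSQL project), the following script scans PostgreSQL server log lines and reports every statement that calls pg_cancel_backend or pg_terminate_backend from a role outside an allow list. It assumes log_line_prefix = '%m [%p] %u@%d ' and log_statement = 'all'; the log lines below are constructed samples.

```python
from __future__ import annotations
import re

# Constructed sample log lines (not real logs). Format assumes
# log_line_prefix = '%m [%p] %u@%d ' and log_statement = 'all'.
SAMPLE_LOG = """\
2023-12-10 18:15:07.123 UTC [4711] postgres@appdb LOG:  statement: SELECT pg_cancel_backend(4720);
2023-12-10 18:15:08.456 UTC [4712] app_user@appdb LOG:  statement: SELECT id FROM orders WHERE id = 42;
2023-12-10 18:15:09.789 UTC [4713] reporting@appdb LOG:  statement: SELECT pg_cancel_backend(pid) FROM pg_stat_activity WHERE state = 'idle';
2023-12-10 18:15:10.000 UTC [4714] reporting@appdb LOG:  statement: select PG_TERMINATE_BACKEND(4721);
2023-12-10 18:15:11.000 UTC [4715] app_user@appdb ERROR:  permission denied for function pg_cancel_backend
"""

# One log line: timestamp, backend pid, user@database, severity, message.
LINE_RE = re.compile(
    r"^(?P<ts>\S+ \S+ \S+) \[(?P<pid>\d+)\] (?P<user>[^@\s]+)@(?P<db>\S+) "
    r"(?P<level>[A-Z]+):\s+(?P<msg>.*)$"
)
# Backend-signalling functions, matched case-insensitively because SQL is.
SIGNAL_FN_RE = re.compile(r"\bpg_(?:cancel|terminate)_backend\s*\(", re.IGNORECASE)


def find_signal_calls(log_text: str, allowed_roles: set[str]) -> list[dict]:
    """Return one finding per logged statement that calls pg_cancel_backend or
    pg_terminate_backend from a role that is not in allowed_roles."""
    findings = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # not a line in the expected prefix format
        if m["level"] != "LOG" or not m["msg"].startswith("statement:"):
            continue  # only executed statements, not errors or other messages
        stmt = m["msg"][len("statement:"):].strip()
        if not SIGNAL_FN_RE.search(stmt):
            continue
        if m["user"] in allowed_roles:
            continue  # expected administrative use
        findings.append({"ts": m["ts"], "user": m["user"], "db": m["db"], "statement": stmt})
    return findings


if __name__ == "__main__":
    # 'postgres' is the only role expected to signal backends in this sample.
    for f in find_signal_calls(SAMPLE_LOG, {"postgres"}):
        print(f"{f['ts']} {f['user']}@{f['db']}: {f['statement']}")
```

Run it against a real log by replacing SAMPLE_LOG with the file contents and adjusting LINE_RE to the server's actual log_line_prefix.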
Conclusion
The CVE-2023-5870 vulnerability in PostgreSQL involving the pg_cancel_backend role can potentially allow a remote high-privileged attacker to launch a denial of service attack on specific background workers. To safeguard your data and ensure service continuity, it's crucial to follow the mitigation measures outlined above and keep your PostgreSQL installation up-to-date.
Timeline
Published on: 12/10/2023 18:15:07 UTC
Last modified on: 12/13/2023 22:15:44 UTC