In this post, we will discuss a recently discovered vulnerability (CVE-2024-12746): a SQL injection issue in the Amazon Redshift ODBC Driver v2.1.5 (applicable to both Windows and Linux). An attacker who exploits it can potentially gain escalated privileges. The issue is associated with the SQLTables and SQLColumns Metadata APIs. We will examine the details of this vulnerability, the scope of its impact, and what users can do to mitigate the risk. Before we proceed further, let's first take a brief look at the Amazon Redshift ODBC Driver.
Amazon Redshift ODBC Driver
Amazon Redshift is a fully managed, petabyte-scale data warehouse service provided by Amazon Web Services (AWS). The Open Database Connectivity (ODBC) driver for Amazon Redshift allows users to establish connections between the Redshift database and an extensive range of user applications, tools, and programming languages, thereby allowing seamless data management and analysis workflows.
Vulnerability Details (CVE-2024-12746)
The vulnerability we are concerned with is a SQL injection issue present in the Amazon Redshift ODBC Driver v2.1.5. It can be exploited using the SQLTables or SQLColumns Metadata APIs. By exploiting this vulnerability, an attacker can potentially gain escalated privileges in the context of the impacted user, with severe security consequences.
In the affected driver version, the lack of proper input sanitization in the SQLTables and SQLColumns APIs allows a user to inject malicious SQL code. This injected code can then potentially tamper with the database structure or access sensitive information.
To illustrate the vulnerability, let's consider the following hypothetical example:
-- This is a legitimate SQL query that a user might execute:
SELECT * FROM users WHERE username = 'john'
-- An attacker can exploit the vulnerability by injecting malicious SQL code like this:
SELECT * FROM users WHERE username = 'john'; DROP TABLE users; --'
In the above example, the attacker successfully injects a malicious SQL query to delete the 'users' table after the legitimate query. The vulnerable driver fails to sanitize the input, leading to the execution of the injected code.
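The following added example (not from the original post, and not the driver's actual code) shows one common way an injection in a metadata lookup arises: a catalog query assembled by string concatenation, next to the same query with bound parameters. The in-memory SQLite catalog, its table names and the function names are constructed for illustration and are assumptions.

```python
import sqlite3

def make_catalog():
    """Constructed stand-in for a metadata catalog (not the Redshift catalog)."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE catalog (schema_name TEXT, table_name TEXT)")
    db.executemany(
        "INSERT INTO catalog VALUES (?, ?)",
        [("public", "orders"), ("public", "users"), ("hr", "salaries")],
    )
    return db

def list_tables_concat(db, schema, table_pattern):
    """Hypothetical lookup built by concatenation: the caller's pattern becomes
    part of the SQL text, so a quote character in it changes the query."""
    sql = (
        "SELECT table_name FROM catalog "
        f"WHERE schema_name = '{schema}' AND table_name LIKE '{table_pattern}' "
        "ORDER BY table_name"
    )
    return [row[0] for row in db.execute(sql)]

def list_tables_bound(db, schema, table_pattern):
    """Same lookup with bound parameters: the pattern is passed as data and is
    never parsed as SQL, whatever characters it contains."""
    sql = (
        "SELECT table_name FROM catalog "
        "WHERE schema_name = ? AND table_name LIKE ? "
        "ORDER BY table_name"
    )
    return [row[0] for row in db.execute(sql, (schema, table_pattern))]

def compare(pattern, schema="public"):
    """Run both lookups on a fresh catalog and return (concat, bound) results."""
    db = make_catalog()
    return list_tables_concat(db, schema, pattern), list_tables_bound(db, schema, pattern)

if __name__ == "__main__":
    # A benign pattern gives the same answer from both lookups.
    print(compare("u%"))
    # Constructed pattern containing a quote: the concatenated query no longer
    # respects the schema filter, while the bound query matches nothing.
    print(compare("%' OR '1'='1"))
```
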
Mitigation Measures
The recommended course of action for affected users is to immediately upgrade to the Amazon Redshift ODBC Driver version 2.1.6, which contains the necessary fixes for this vulnerability. If upgrading to version 2.1.6 is not possible, users can alternatively revert to driver version 2.1.4, which is also not affected by this issue.
Conclusion
The vulnerability in Amazon Redshift ODBC Driver v2.1.5, designated as CVE-2024-12746, is a result of a SQL injection issue linked to the SQLTables and SQLColumns Metadata APIs. It poses a risk of escalated privileges that attackers can exploit for their malicious intent. Promptly upgrading your driver version to 2.1.6 or reverting to version 2.1.4 is essential for mitigating this threat and keeping your database infrastructure secure.
Timeline
Published on: 12/24/2024 17:15:08 UTC
Last modified on: 12/26/2024 15:15:06 UTC