CVE-2024-4317 - Unauthorized Access to PostgreSQL Built-in Views: A Closer Look at Exploit and Its Potential Impact

A new security vulnerability has recently been discovered in PostgreSQL, affecting major versions 14 through 16. The vulnerability, designated CVE-2024-4317, is described as missing authorization in the PostgreSQL built-in views pg_stats_ext and pg_stats_ext_exprs. In practice, this means that an unprivileged database user can read valuable statistics information, such as the most common values of a column, that would not otherwise be available to them.

In this post, we'll examine the exploit details, share a code snippet, and review the steps required to mitigate the issue. We'll also provide links to the original references and official PostgreSQL documentation.

Vulnerability Details

The core issue with CVE-2024-4317 stems from the PostgreSQL built-in views pg_stats_ext and pg_stats_ext_exprs. These views are designed to gather and display the extended statistics generated from the CREATE STATISTICS command. Typically, these views should only be accessible to privileged users, such as database administrators.

Unfortunately, due to missing authorization, an unprivileged user with read access to the public schema can read the most common values stored in these views. This may reveal sensitive data, such as:

Here's a code snippet that exemplifies the issue:

-- Given that User A is a privileged user and User B an unprivileged user
-- (assume the schema user_a exists and User B has no privileges on it).
-- User A creates a table and populates it with sensitive data:

CREATE TABLE user_a.secret_data (id serial, private_value text);
INSERT INTO user_a.secret_data (private_value) VALUES ('Sensitive Info 1'), ('Sensitive Info 2'), ('Sensitive Info 3');

-- User A creates extended statistics covering the sensitive column (an MCV
-- list needs at least two columns) and runs ANALYZE so the statistics are
-- actually populated:

CREATE STATISTICS secret_stats (mcv) ON id, private_value FROM user_a.secret_data;
ANALYZE user_a.secret_data;

-- User B, who cannot SELECT from user_a.secret_data, queries the pg_stats_ext
-- view and gets the most common values (attnames is a name[] column, so it is
-- matched with ANY):

SELECT most_common_vals FROM pg_catalog.pg_stats_ext
 WHERE tablename = 'secret_data' AND 'private_value' = ANY (attnames);
-- The returned most_common_vals array exposes the private_value contents:
-- 'Sensitive Info 1', 'Sensitive Info 2', 'Sensitive Info 3'

Affected Versions

CVE-2024-4317 affects PostgreSQL installations within major versions 14-16, and minor versions before PostgreSQL 16.3, 15.7, and 14.12. It is noteworthy that versions before PostgreSQL 14 are unaffected.

Mitigation

To mitigate this vulnerability, PostgreSQL has provided patch releases that fix the issue. Installing the corrected version only addresses the vulnerability for new PostgreSQL installations, that is, clusters created with the initdb utility after the patch is installed.

Users with existing installations will still be vulnerable until they follow the instructions provided in the PostgreSQL release notes:

Execute the REVOKE command to remove the access from unprivileged users:

REVOKE SELECT ON pg_catalog.pg_stats_ext FROM public;
REVOKE SELECT ON pg_catalog.pg_stats_ext_exprs FROM public;

It is essential to perform both steps, installing the patch release and executing the REVOKE statements, to fully protect your PostgreSQL installation.
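The following audit-and-remediate script is an added example, not code from the post or from the PostgreSQL project. It reports whether the server's minor release is one of the fixed versions listed above and, in the current database, applies the REVOKE statements only if PUBLIC still holds SELECT on either view. It assumes a superuser connection and must be run once per database.

```sql
-- Run with psql as a superuser in every database of the cluster
-- (template1 included, so databases created later inherit the change).

-- 1. Is this server on a minor release that carries the fix?
--    16.3 / 15.7 / 14.12 correspond to server_version_num 160003 / 150007 / 140012.
SELECT current_setting('server_version') AS server_version,
       CASE
         WHEN current_setting('server_version_num')::int < 140000 THEN 'unaffected (pre-14)'
         WHEN current_setting('server_version_num')::int < 140012 THEN 'VULNERABLE: upgrade to 14.12+'
         WHEN current_setting('server_version_num')::int BETWEEN 150000 AND 150006 THEN 'VULNERABLE: upgrade to 15.7+'
         WHEN current_setting('server_version_num')::int BETWEEN 160000 AND 160002 THEN 'VULNERABLE: upgrade to 16.3+'
         ELSE 'release carries the fix'
       END AS cve_2024_4317_release_status;

-- 2. Does PUBLIC still hold SELECT on either view in this database?
--    aclexplode() reports the PUBLIC pseudo-role as grantee OID 0; a NULL
--    relacl means default privileges, so it is expanded with acldefault().
--    If the grant is still there, apply the REVOKE from the release notes.
DO $$
DECLARE
  still_open boolean;
BEGIN
  SELECT EXISTS (
    SELECT 1
      FROM pg_catalog.pg_class c
      JOIN pg_catalog.pg_namespace n ON n.oid = c.relnamespace
      CROSS JOIN LATERAL aclexplode(COALESCE(c.relacl, acldefault('r', c.relowner))) a
     WHERE n.nspname = 'pg_catalog'
       AND c.relname IN ('pg_stats_ext', 'pg_stats_ext_exprs')
       AND a.grantee = 0
       AND a.privilege_type = 'SELECT'
  ) INTO still_open;

  IF still_open THEN
    REVOKE SELECT ON pg_catalog.pg_stats_ext FROM PUBLIC;
    REVOKE SELECT ON pg_catalog.pg_stats_ext_exprs FROM PUBLIC;
    RAISE NOTICE 'CVE-2024-4317: revoked PUBLIC SELECT on pg_stats_ext views in %', current_database();
  ELSE
    RAISE NOTICE 'CVE-2024-4317: pg_stats_ext views already restricted in %', current_database();
  END IF;
END
$$;
```

Re-running the script is safe: once the grant is gone the DO block only reports, so it can be kept as a recurring configuration check.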

For more information about CVE-2024-4317, consult the following references:

- PostgreSQL Mailing List Announcement
- PostgreSQL Release Notes
- PostgreSQL CVE Details

In conclusion, CVE-2024-4317 exposes a potentially serious unauthorized access issue in PostgreSQL, allowing unprivileged users to access certain sensitive data. The vulnerability can be mitigated by following the recommendations outlined above, installing the correct patches, and executing the relevant SQL commands to revoke unauthorized access.

Timeline

Published on: 05/14/2024 15:43:16 UTC
Last modified on: 05/14/2024 16:11:39 UTC