PostgreSQL libpq Internal State Connections Privilege Escalation Vulnerability [CVE-2018-10915]
CVE Number – CVE-2018-10915
A vulnerability in libpq, the client connection API used with PostgreSQL, could allow an authenticated, remote attacker to access escalated privileges on a targeted system.
The vulnerability exists because the affected software fails to reset all connection state variables when attempting to reconnect. An attacker could exploit this vulnerability by using host and hostaddrconnection parameters with the affected system. A successful exploit could allow the attacker to bypass connection security features and access escalated privileges, which could be used to conduct further attacks.
PostgreSQL confirmed the vulnerability and released software updates.
-
To exploit this vulnerability, the attacker must gain access to a targeted system running the affected database, making exploitation more difficult in environments that restrict network access from untrusted sources.
-
Administrators are advised to apply the appropriate updates.
Administrators are advised to allow only trusted users to have network access.
Administrators may consider using IP-based access control lists (ACLs) to allow only trusted systems to access the affected systems.
Administrators are advised to allow only privileged users to access administration or management systems.
Administrators are advised to monitor affected systems.
-
PostgreSQL released a security advisory at the following link: 2018-08-09 security update release
-
PostgreSQL released software updates at the following link: PostgreSQL downloads
Duncan is a technology professional with over 20 years experience of working in various IT roles. He has a interest in cyber security, and has a wide range of other skills in radio, electronics and telecommunications.