CVE-2018-1053 in PostgreSQL
Summary
by MITRE
In postgresql 9.3.x before 9.3.21, 9.4.x before 9.4.16, 9.5.x before 9.5.11, 9.6.x before 9.6.7 and 10.x before 10.2, pg_upgrade creates a file in the current working directory containing the output of `pg_dumpall -g` under the umask which was in effect when the user invoked pg_upgrade, and not under 0077, which is normally used for other temporary files. This can allow an authenticated attacker to read or modify the one file, which may contain encrypted or unencrypted database passwords. The attack is infeasible if a directory mode blocks the attacker searching the current working directory or if the prevailing umask blocks the attacker opening the file.
Analysis
by VulDB Data Team • 02/06/2023
CVE-2018-1053 affects several PostgreSQL release lines: 9.3.x through 9.3.20, 9.4.x through 9.4.15, 9.5.x through 9.5.10, 9.6.x through 9.6.6, and 10.x through 10.1. The flaw lies in the pg_upgrade utility, which migrates a PostgreSQL cluster from an older major version to a newer one. During the upgrade, pg_upgrade writes a file containing sensitive information with whatever umask is currently in effect instead of the restrictive 0077 umask that PostgreSQL applies to its other temporary files. This is an instance of CWE-732 (incorrect permission assignment for a critical resource) and is relevant to the ATT&CK framework's privilege escalation and credential access techniques.
The problem arises when pg_upgrade runs `pg_dumpall -g` to dump the cluster's global objects, which include roles and their attributes. The output is written to a file in the current working directory, and that file is created under the umask that was active when the user invoked pg_upgrade. Other temporary files in PostgreSQL are created under a 0077 umask, so that only the owner can open them; this file is not. If an attacker can influence the working directory or the umask in effect, they may be able to read or modify the dump file, which can contain database role passwords in encrypted or unencrypted form. The upgrade therefore opens a window during which authentication material may be exposed to other users with access to the filesystem.
The impact goes beyond simple information disclosure, because the exposed credentials can be used to log in to the database. An authenticated local attacker who can read the file may obtain database passwords and other sensitive data and use them for lateral movement or to gain deeper access to database resources. The attacker must be able to influence the current working directory or umask settings, but since administrative operations are often carried out from predictable locations, the scenario is realistic. Both the confidentiality and the integrity of the database are at risk, especially when the administrator performs the upgrade from a privileged account whose umask is less restrictive than good practice would dictate.
Mitigation for CVE-2018-1053 centres on running pg_upgrade from a secure working directory, with a suitable umask and with proper privilege separation. Database administrators should make sure the working directory used for pg_upgrade cannot be searched by other users and should set the umask to 077 or more restrictive before starting the upgrade. Directory permissions and access controls should also prevent other users from influencing the working directory or umask values. The most effective long-term fix is to upgrade to a patched release, namely PostgreSQL 9.3.21, 9.4.16, 9.5.11, 9.6.7, or 10.2 or later, in which the utility enforces the 0077 umask for the file. Finally, monitoring for unusual file creation in directories where pg_upgrade runs adds a further layer of defence against exploitation attempts.