CVE-2018-11792 in Impala

Summary

by MITRE

In Apache Impala before 3.0.1, ALTER TABLE/VIEW RENAME required ALTER on the old table. This may pose a potential security risk, such as having ALTER on a table and ALL on a particular database allows a user to move the table to a database with ALL, which will automatically grant that user with ALL privilege on that table due to the privilege inherited from the database.


Analysis

by VulDB Data Team • 04/06/2020

CVE-2018-11792 affects Apache Impala versions prior to 3.0.1 and concerns improper privilege validation during table and view rename operations. The flaw stems from insufficient access control checks when executing ALTER TABLE/VIEW RENAME commands. It manifests when a user holds ALTER privileges on an existing table but lacks the permissions that should be needed to move that table to a different database: the rename is still allowed, so a user with limited privileges can escalate their access rights by relocating the table.

The technical implementation of this vulnerability involves the privilege checking mechanism that governs table renaming operations within the Impala query engine. When a user executes an ALTER TABLE/VIEW RENAME command, the system should validate that the user possesses appropriate permissions not only on the source table but also on the target database where the table will be moved. The flaw occurs because the system fails to properly enforce these checks, creating a scenario where privilege inheritance can be exploited. This design weakness is classified under CWE-284, which addresses improper access control, specifically the lack of proper authorization checks for resource operations.

The operational impact of this vulnerability extends beyond simple privilege escalation, creating potential security risks in multi-user environments where database access controls are critical. An attacker with ALTER permissions on a table but only database-level ALL privileges on a target database could leverage this vulnerability to effectively gain full control over the renamed table. This occurs because when a table is moved to a database where the user has ALL privileges, the table inherits those permissions automatically, effectively granting the user complete control over the table without requiring explicit table-level privileges. The vulnerability essentially allows for privilege bypass through indirect means, making it particularly concerning for organizations relying on granular access controls.

This vulnerability aligns with ATT&CK technique T1078.004, which covers valid accounts with elevated privileges, as it enables users to effectively gain unauthorized elevated access through legitimate system operations. The flaw particularly impacts environments where administrators implement least privilege principles, as it undermines the intended security boundaries between different database objects. Organizations using Impala for data analytics and warehouse operations face significant risk, especially in regulated environments where access control auditing is mandatory. The vulnerability demonstrates a classic case of privilege creep where legitimate system functionality creates unintended access pathways.

The recommended mitigation strategy involves upgrading to Apache Impala version 3.0.1 or later, which implements proper privilege validation for table renaming operations. Additionally, administrators should conduct thorough privilege audits to identify and remediate any existing users who might have exploited this vulnerability. Organizations should also implement monitoring solutions to detect unusual table movement patterns that could indicate exploitation attempts. The fix addresses the underlying CWE-284 issue by ensuring that proper authorization checks are enforced during all table and view renaming operations, preventing users from leveraging privilege inheritance mechanisms to gain unauthorized access to database resources.
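The monitoring and privilege-audit steps above can be sketched as follows. This is an added example, not code from VulDB or the Impala project: it scans query records for ALTER TABLE/VIEW RENAME statements that move an object to another database and marks those where the user holds ALL on the target database but not on the source. The record layout, the grant model and all user, database and table names are constructed assumptions, not Impala's audit log format or its authorization API.

```python
import re

# ALTER TABLE/VIEW <old> RENAME TO <new>; either name may be db-qualified or backquoted.
RENAME_RE = re.compile(
    r"^\s*ALTER\s+(?:TABLE|VIEW)\s+(?:`?(\w+)`?\.)?`?(\w+)`?\s+RENAME\s+TO\s+"
    r"(?:`?(\w+)`?\.)?`?(\w+)`?\s*;?\s*$",
    re.IGNORECASE,
)

def has_all(grants, user, db, table=None):
    """True if the user holds ALL on the database, or on the given table."""
    held = grants.get(user, set())
    if ("ALL", f"db:{db}") in held:
        return True
    return table is not None and ("ALL", f"table:{db}.{table}") in held

def flag_cross_db_renames(records, grants):
    """Return one finding per rename that moves an object to another database."""
    findings = []
    for rec in records:
        m = RENAME_RE.match(rec["sql"])
        if not m:
            continue
        # Unqualified names resolve against the session's default database.
        src_db = (m.group(1) or rec["default_db"]).lower()
        dst_db = (m.group(3) or rec["default_db"]).lower()
        src_tbl, dst_tbl = m.group(2).lower(), m.group(4).lower()
        if src_db == dst_db:
            continue  # same database: inherited privileges do not change
        user = rec["user"]
        findings.append({
            "user": user, "source": f"{src_db}.{src_tbl}", "target": f"{dst_db}.{dst_tbl}",
            # Pattern from the advisory: ALL on the target database, not on the source.
            "gains_all": has_all(grants, user, dst_db)
                         and not has_all(grants, user, src_db, src_tbl),
        })
    return findings

# Constructed sample data (hypothetical users, databases and grants).
GRANTS = {
    "analyst": {("ALTER", "table:finance.payroll"), ("ALL", "db:sandbox")},
    "etl": {("ALL", "db:staging"), ("ALL", "db:warehouse")},
}
RECORDS = [
    {"user": "analyst", "default_db": "finance", "sql": "ALTER TABLE payroll RENAME TO sandbox.payroll"},
    {"user": "etl", "default_db": "staging", "sql": "alter table `staging`.`orders` rename to warehouse.orders;"},
    {"user": "analyst", "default_db": "sandbox", "sql": "ALTER TABLE t1 RENAME TO t2"},
    {"user": "analyst", "default_db": "sandbox", "sql": "SELECT * FROM t2"},
]

if __name__ == "__main__":
    for finding in flag_cross_db_renames(RECORDS, GRANTS):
        print(finding)
```

Findings with `gains_all` set are the ones to review first during a privilege audit; the remaining cross-database renames are moves by users who already held ALL on the source.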

Reservation: 06/05/2018

Disclosure: 10/24/2018

Moderation: accepted

CPE: ready

EPSS: 0.00522

KEV: no

Activities: very low
