CVE-2021-38140 in set_user Extension Module
Summary
by MITRE • 08/11/2021
The set_user extension module before 2.0.1 for PostgreSQL allows a potential privilege escalation using RESET SESSION AUTHORIZATION after set_user().
If you want to get the best quality for vulnerability data then you always have to consider VulDB.
Analysis
by VulDB Data Team • 08/15/2021
The vulnerability identified as CVE-2021-38140 affects the set_user extension module for PostgreSQL databases, specifically versions prior to 2.0.1. This issue represents a critical security flaw that enables unauthorized privilege escalation through improper handling of session authorization reset operations. The set_user extension is designed to allow database users to temporarily switch their session context to that of another user, typically for administrative purposes or to perform actions with elevated privileges. However, the flaw in the module's implementation creates a pathway for malicious actors to maintain or escalate their privileges beyond what should be permitted.
The technical flaw resides in how the extension handles the RESET SESSION AUTHORIZATION command when used in conjunction with the set_user() function. When a user invokes set_user() to switch to another user context, the extension should properly manage the session state and ensure that subsequent operations maintain appropriate authorization boundaries. However, the vulnerability allows an attacker to bypass these security controls by executing RESET SESSION AUTHORIZATION after using set_user(), effectively restoring the original user's privileges while maintaining access to the elevated session context. This creates a scenario where a user can perform privileged operations without proper authentication or authorization, undermining the fundamental security model of PostgreSQL's role-based access control.
The operational impact of this vulnerability extends beyond simple privilege escalation, potentially enabling comprehensive database compromise. An attacker who can exploit this flaw can execute arbitrary database operations with elevated privileges, access sensitive data, modify database structures, and potentially escalate their access to system-level operations. The vulnerability is particularly dangerous in environments where database users have varying privilege levels and where the set_user extension is used for legitimate administrative tasks. It essentially creates a backdoor mechanism that allows unauthorized users to maintain elevated privileges even after they should have been reverted to their original security context, making it difficult to detect and trace malicious activities within the database audit logs.
Mitigation strategies for CVE-2021-38140 primarily involve upgrading to the patched version 2.0.1 of the set_user extension module, which properly addresses the session authorization handling flaw. Organizations should also implement comprehensive monitoring of set_user extension usage and RESET SESSION AUTHORIZATION commands to detect anomalous patterns that might indicate exploitation attempts. Security administrators should review and restrict access to the set_user extension, ensuring that only trusted users with legitimate administrative needs can utilize its functionality. Additionally, implementing proper database auditing and logging mechanisms can help detect unauthorized privilege escalation attempts. This vulnerability aligns with CWE-284, which addresses improper access control, and maps to ATT&CK techniques involving privilege escalation and defense evasion through legitimate credentials. Organizations should also consider implementing network segmentation and database access controls to limit exposure and reduce the potential impact of any successful exploitation attempts.