CVE-2021-41558 in set_user Extension Module

Summary

by MITRE • 09/28/2021

The set_user extension module before 3.0.0 for PostgreSQL allows ProcessUtility_hook bypass via set_config.


Analysis

by VulDB Data Team • 10/02/2021

The vulnerability identified as CVE-2021-41558 affects the set_user extension module for PostgreSQL databases, specifically versions prior to 3.0.0. This issue represents a critical security flaw that undermines the integrity of database access controls and privilege management within PostgreSQL environments. The set_user extension is designed to enable database users to switch between different roles and execute commands with elevated privileges, but the vulnerability creates an exploitable pathway that bypasses critical security mechanisms.

The technical flaw resides in the set_user extension's use of ProcessUtility_hook, a PostgreSQL mechanism that allows extensions to intercept and modify utility commands before they are executed. When a user invokes set_config functionality, the extension fails to properly validate or enforce access controls that should normally prevent unauthorized privilege escalation. This bypass occurs because the extension does not adequately check whether the calling user has sufficient privileges to perform configuration changes that could alter the database's operational behavior or security settings.

The operational impact of this vulnerability is severe as it allows malicious actors to potentially escalate their privileges within the PostgreSQL environment without proper authorization. Attackers could exploit this weakness to execute commands with elevated permissions, potentially gaining access to sensitive data, modifying database configurations, or creating backdoor access points. The vulnerability essentially provides a method for bypassing the normal PostgreSQL privilege checking mechanisms that are fundamental to database security architecture. This type of flaw directly violates the principle of least privilege and can lead to complete database compromise when exploited by unauthorized users.

Security practitioners should immediately upgrade to version 3.0.0 or later of the set_user extension module to remediate this vulnerability. Organizations using older versions should implement network-level restrictions and monitor database logs for suspicious activity related to set_config operations. The vulnerability aligns with CWE-284 Access Control Issues, specifically concerning improper access control mechanisms that allow unauthorized privilege escalation. From an attack framework perspective, this vulnerability maps to ATT&CK technique T1078 Valid Accounts, as it enables attackers to leverage existing database accounts to gain elevated privileges. Additionally, the bypass of ProcessUtility_hook represents a violation of the database's security model and could be classified under ATT&CK technique T1566 Phishing, if the initial access was obtained through social engineering to gain a foothold before exploiting this privilege escalation vector.
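The log monitoring recommended above, as an added example (not VulDB's or the set_user project's code): a scanner that reports every set_config() call in a PostgreSQL server log by timestamp, role, database and setting name. It assumes log_statement = 'all' and log_line_prefix = '%m [%p] %q%u@%d '; the sample lines, role names and the allowed_users parameter are constructed for illustration.

```python
import re

# Assumes log_statement = 'all' and log_line_prefix = '%m [%p] %q%u@%d '.
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}\.\d+ \S+) "
    r"\[\d+\] (?P<user>[^@\s]+)@(?P<db>\S+) "
    r"LOG:\s+(?:statement|execute [^:]+): (?P<sql>.*)$"
)
# set_config(name, value, is_local): any case, optional pg_catalog. prefix.
CALL_RE = re.compile(
    r"\b(?:pg_catalog\s*\.\s*)?set_config\s*\(\s*(?:'(?P<name>[^']*)'|[^,]+)",
    re.IGNORECASE,
)

def iter_statements(lines):
    """Yield one dict per logged statement, folding tab-indented continuations."""
    current = None
    for raw in lines:
        line = raw.rstrip("\n")
        if line.startswith("\t") and current:
            current["sql"] += " " + line.strip()
            continue
        if current:
            yield current
        m = LINE_RE.match(line)
        current = m.groupdict() if m else None
    if current:
        yield current

def find_set_config(lines, allowed_users=frozenset()):
    """Return (timestamp, role, database, setting) for each set_config() call."""
    hits = []
    for rec in iter_statements(lines):
        if rec["user"] in allowed_users:  # hypothetical allowlist of admin roles
            continue
        for call in CALL_RE.finditer(rec["sql"]):
            # A parameter or expression instead of a literal name is still reported.
            setting = (call.group("name") or "<non-literal>").lower()
            hits.append((rec["ts"], rec["user"], rec["db"], setting))
    return hits

# Constructed sample lines (not from a real server).
SAMPLE_LOG = [
    "2021-10-02 09:14:07.120 UTC [4021] app_rw@orders LOG:  statement: SELECT id FROM orders WHERE id = 7;",
    "2021-10-02 09:15:31.552 UTC [4033] dba_alice@orders LOG:  statement: SELECT set_config('work_mem', '64MB', false);",
    "2021-10-02 09:16:02.009 UTC [4033] dba_alice@orders LOG:  statement: SELECT",
    "\tPG_CATALOG.set_config ( 'search_path', 'public', true );",
    "2021-10-02 09:17:45.300 UTC [4040] migrator@orders LOG:  execute <unnamed>: SELECT set_config($1, $2, false)",
]

if __name__ == "__main__":
    for hit in find_set_config(SAMPLE_LOG, allowed_users={"migrator"}):
        print(*hit, sep=" | ")
```

The installed extension version can be confirmed separately with `SELECT extversion FROM pg_extension WHERE extname = 'set_user';`.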

Reservation: 09/22/2021

Disclosure: 09/28/2021

Moderation: accepted

CPE: ready

EPSS: 0.01229

KEV: no

Activities: very low
