CVE-2023-25149 in TimescaleDB

Summary

by MITRE • 02/14/2023

TimescaleDB, an open-source time-series SQL database, has a privilege escalation vulnerability in versions 2.8.0 through 2.9.2. During installation, TimescaleDB creates a telemetry job that runs as the installation user. The queries run as part of the telemetry data collection were not run with a locked down `search_path`, allowing malicious users to create functions that would be executed by the telemetry job, leading to privilege escalation. In order to be able to take advantage of this vulnerability, a user would need to be able to create objects in a database and then get a superuser to install TimescaleDB into their database. When TimescaleDB is installed as a trusted extension, non-superusers can install the extension without help from a superuser. Version 2.9.3 fixes this issue. As a mitigation, the `search_path` of the user running the telemetry job can be locked down to not include schemas writable by other users. The vulnerability is not exploitable on instances in Timescale Cloud and Managed Service for TimescaleDB due to additional security provisions in place on those platforms.


Analysis

by VulDB Data Team • 03/15/2023

CVE-2023-25149 is a critical privilege escalation flaw in TimescaleDB versions 2.8.0 through 2.9.2 that stems from improper privilege management at installation time. The issue lies in the telemetry job that TimescaleDB creates during installation: its queries execute as the user who installed the extension, but without a locked-down search_path. A function placed in a writable schema that appears on that search path can therefore be resolved in place of the intended one and executed with the installing user's privileges.

Technically, the flaw is a violation of the principle of least privilege through missing schema isolation. The telemetry job runs with the installation user's privileges but without a locked-down search_path, so any function created in a writable schema on that path is a candidate for execution. A user who can create objects in the database can define a function in such a schema that shadows one the telemetry queries call, and the telemetry job will then execute it as the installation user. The vulnerability is categorized under CWE-269: Improper Privilege Management, which covers cases where security-relevant operations are not properly protected against unauthorized access or execution.

The operational impact goes beyond simple privilege escalation and can enable full database compromise when combined with other attack vectors. An attacker who can create database objects and then get a superuser to install TimescaleDB into that database gains the ability to execute arbitrary code with the installing user's privileges. Exploitation requires a specific scenario, object creation rights for the attacker combined with an installation performed by a higher-privileged user, but once achieved it provides a persistent backdoor mechanism. The attack surface is especially concerning where non-superusers can install trusted extensions, because the installation then needs no superuser involvement and the privilege boundary is crossed without direct superuser access.

Mitigation for CVE-2023-25149 centers on restricting the search_path used during telemetry operations so that unauthorized functions cannot be executed. Administrators should lock down the search_path of the user running the telemetry job to exclude schemas that are writable by other users, which prevents function hijacking. The issue maps to ATT&CK technique T1068: Exploitation for Privilege Escalation, which covers the abuse of vulnerabilities to gain higher privileges within a system. The vulnerability is most relevant where database administrators must trust non-superusers with extension installation privileges, since that creates exactly the conditions for the attack. TimescaleDB 2.9.3 fixes the issue by running the telemetry queries with a locked-down search_path, so functions in writable schemas are no longer resolved.

The security implications extend to database administration practice and privilege management policy. The flaw shows how a seemingly benign feature becomes a risk when it is not isolated from user-controlled schema modifications. Organizations running TimescaleDB should monitor for unauthorized schema modifications and for unexpected telemetry job activity, as either may indicate an exploitation attempt. The vulnerability is not exploitable on Timescale Cloud and Managed Service for TimescaleDB because additional security controls are in place on those platforms, while self-hosted installations remain exposed until they are upgraded or the search_path mitigation is applied. That distinction underlines the importance of hardening self-managed database environments, particularly around extension installation and privilege boundaries. More broadly, the case is a reminder that automated jobs running with elevated privileges need strict privilege separation and a controlled search_path.
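The following SQL is an added example of how the search_path mitigation and the monitoring recommended above can be applied on a self-hosted PostgreSQL instance; it is not code from TimescaleDB or from the VulDB analysis. The role name tsdb_installer and the database name metrics are hypothetical placeholders for the role that installed TimescaleDB (and therefore owns the telemetry job) and the database it was installed into; everything else uses standard PostgreSQL catalog objects.

```sql
-- Added hardening and audit example for CVE-2023-25149 (not TimescaleDB's or VulDB's code).
-- Hypothetical names: tsdb_installer = role that installed the extension and owns the
-- telemetry job; metrics = the database TimescaleDB was installed into.

-- 1. The advisory's mitigation: give the job owner a search_path that contains no schema
--    other roles can write to. pg_catalog is read-only for non-superusers and pg_temp is
--    session-private, so neither can hold a function planted by another user.
ALTER ROLE tsdb_installer IN DATABASE metrics
    SET search_path = pg_catalog, pg_temp;

-- 2. Close the most common writable schema: before PostgreSQL 15 every role may CREATE
--    in public by default, which is exactly what a search_path hijack relies on.
REVOKE CREATE ON SCHEMA public FROM PUBLIC;

-- 3. Verify the per-role, per-database setting was recorded.
SELECT r.rolname, d.datname, s.setconfig
FROM pg_db_role_setting s
JOIN pg_roles r ON r.oid = s.setrole
LEFT JOIN pg_database d ON d.oid = s.setdatabase
WHERE r.rolname = 'tsdb_installer';

-- 4. Audit for the precondition of the attack: user-defined functions that sit in a
--    schema any role can CREATE in and that are not owned by the schema's owner.
--    Every row is a function the telemetry job could have been tricked into resolving;
--    review each hit and alert on new ones appearing between runs.
SELECT n.nspname                                  AS schema,
       p.proname                                  AS function,
       pg_get_function_identity_arguments(p.oid)  AS args,
       pg_get_userbyid(p.proowner)                AS function_owner,
       pg_get_userbyid(n.nspowner)                AS schema_owner
FROM pg_proc p
JOIN pg_namespace n ON n.oid = p.pronamespace
WHERE n.nspname NOT IN ('pg_catalog', 'information_schema')
  AND n.nspname NOT LIKE 'pg_%'
  AND has_schema_privilege('public', n.nspname, 'CREATE')
  AND p.proowner <> n.nspowner
ORDER BY 1, 2;
```

Run step 1 as a superuser (or as the role itself) and steps 3 and 4 from a monitoring account; scheduling the audit query and diffing its output is a cheap way to catch the schema modifications the analysis says should be watched. Step 2 is safe on most databases but will break applications that rely on creating tables in public, so grant CREATE back to specific roles rather than to PUBLIC where that is needed.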

Responsible

GitHub, Inc.

Reservation

02/03/2023

Disclosure

02/14/2023

Moderation

accepted

CPE

ready

EPSS

0.00775

KEV

no

Activities

very low

Sources
