Varonis Issues Warning After Major Vulnerability Found in PostgreSQL PL/Perl

Varonis has uncovered a high-risk vulnerability (CVE-2024-10979) in the PostgreSQL PL/Perl extension, which enables users to modify environment variables within session processes. This flaw, with a CVSS score of 8.8, could potentially allow for arbitrary code execution and serious security breaches, even without access to the underlying operating system.

Varonis Identifies Critical Vulnerability in PostgreSQL PL/Perl Extension (CVE-2024-10979)

Varonis researchers have uncovered a critical security flaw (CVE-2024-10979) in the PostgreSQL PL/Perl extension, which enables unprivileged database users to modify environment variables in session processes. This vulnerability, with a CVSS severity score of 8.8, poses a significant risk as it can lead to arbitrary code execution, even without requiring access to the underlying operating system. Attackers may also execute additional queries to gather sensitive data from the affected system.

The flaw impacts PostgreSQL versions prior to 17.1, 16.5, 15.9, 14.14, 13.17, and 12.21. Varonis urges all PostgreSQL users to update their systems to the latest minor version to mitigate the risk and recommends restricting the use of extensions, especially by limiting the permissions for creating functions and controlling which extensions are allowed.

To identify whether their systems are vulnerable, PostgreSQL users should check function code for references to the $ENV hash using the following SQL query:

    SELECT
        proname,
        prosrc
    FROM
        pg_proc
    WHERE
        prolang = (SELECT oid FROM pg_language WHERE lanname = 'plperl')
        AND prosrc LIKE '%$ENV{%';

This will help identify any functions that may be modifying environment variables. Additionally, users should review their DDL logs for any unfamiliar or suspicious creation of PL/Perl functions.
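One way to carry out the DDL log review described above, as an added example that is not from Varonis or the PostgreSQL project. It assumes the server logs with log_statement = 'ddl' and a log_line_prefix of '%m [%p] %u@%d '; the log lines, role names and function names are constructed for illustration.

```python
import re

# Constructed sample. Assumes log_statement = 'ddl' and log_line_prefix =
# '%m [%p] %u@%d '. Continuation lines of a multi-line statement start with a tab.
SAMPLE_LOG = """\
2024-11-20 10:15:02.123 UTC [4242] app_ro@sales LOG:  statement: CREATE OR REPLACE FUNCTION set_tz() RETURNS void AS $$
\t$ENV{TZ} = 'UTC';
\t$$ LANGUAGE plperl;
2024-11-20 10:16:40.001 UTC [4242] app_ro@sales LOG:  statement: CREATE FUNCTION add1(int) RETURNS int AS $$ return $_[0] + 1; $$ LANGUAGE plperl;
2024-11-20 10:17:05.500 UTC [4300] dba@sales LOG:  statement: CREATE FUNCTION one() RETURNS int AS $$ return 1; $$ LANGUAGE plperlu;
2024-11-20 10:18:00.000 UTC [4300] dba@sales LOG:  statement: CREATE TABLE t (id int);
"""

ENTRY = re.compile(
    r"(?P<ts>\d{4}-\d\d-\d\d \S+ \S+) \[\d+\] (?P<user>[^@\s]+)@(?P<db>\S+) "
    r"LOG:\s+statement: (?P<sql>.*)", re.S)
CREATE = re.compile(
    r"\bCREATE\s+(?:OR\s+REPLACE\s+)?(?:FUNCTION|PROCEDURE)\s+([\w.\"]+)", re.I)
# Trusted PL/Perl only: the lookahead rejects plperlu.
TRUSTED_PLPERL = re.compile(r"\bLANGUAGE\s+'?plperl'?(?!\w)", re.I)
ENV_REF = re.compile(r"[%$@]ENV\b")  # %ENV, $ENV{...} or @ENV{...}

def split_entries(log_text):
    """Fold tab-prefixed continuation lines into the entry they belong to."""
    entries = []
    for line in log_text.splitlines():
        if line.startswith("\t") and entries:
            entries[-1] += "\n" + line[1:]
        else:
            entries.append(line)
    return entries

def find_plperl_creations(log_text):
    """One record per CREATE FUNCTION/PROCEDURE written in trusted PL/Perl."""
    findings = []
    for entry in split_entries(log_text):
        m = ENTRY.match(entry)
        created = CREATE.search(m["sql"]) if m else None
        if created and TRUSTED_PLPERL.search(m["sql"]):
            findings.append({
                "time": m["ts"], "user": m["user"], "db": m["db"],
                "function": created.group(1),
                "touches_env": bool(ENV_REF.search(m["sql"])),
            })
    return findings

if __name__ == "__main__":
    for f in find_plperl_creations(SAMPLE_LOG):
        note = "REVIEW: references %ENV" if f["touches_env"] else "new PL/Perl function"
        print(f'{f["time"]} {f["user"]}@{f["db"]} {f["function"]}: {note}')
```

Every trusted PL/Perl creation is listed so that unfamiliar authors stand out; entries with touches_env set are the ones to compare against the pg_proc query above.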

The PostgreSQL team recommends a fix that replaces the trusted PL/Perl %ENV hash with a tied hash that issues warnings when modification attempts are made. This solution provides users with the ability to assess whether their applications can function without modifying the environment, and if not, they may need to switch to plperlu or another approach.

The discovery was made by Varonis researchers Tal Peleg and Coby Abrams, and the PostgreSQL project has outlined further guidance on securing systems against this vulnerability.