CVE-2024-0985: PostgreSQL’s Critical Security Flaw Exposed
A serious security flaw has been unearthed in the popular database software PostgreSQL, raising concerns for businesses and systems administrators. This vulnerability, designated CVE-2024-0985 (CVSS 8.0), could allow attackers to execute malicious code with elevated privileges, potentially leading to data breaches and further compromise.
The heart of the issue lies in a late privilege drop in the
REFRESH MATERIALIZED VIEW CONCURRENTLY operation. This feature, designed to update materialized views without locking out concurrent users, inadvertently is the root cause of this flaw. By exploiting this vulnerability, an attacker can craft a scenario where arbitrary SQL functions are executed with the permissions of the command issuer—potentially a superuser or a member of a privileged role.
“The attack requires luring the victim into running REFRESH MATERIALIZED VIEW CONCURRENTLY on the attacker’s materialized view. As part of exploiting this vulnerability, the attacker creates functions that use CREATE RULE to convert the internally-built temporary table to a view,” reads the security advisory.
With this newfound access, an attacker can wreak havoc:
- Data Theft: Sensitive information within the database, from customer records to financial details, could be exposed.
- Unauthorized Activities: Attackers could modify data, insert malicious code, or create new database objects.
- Stepping Stone: Taking control of a PostgreSQL database can provide a crucial foothold to launch additional attacks into a compromised network.
The scope of CVE-2024-0985 is limited to versions 12 through 15 of PostgreSQL, leaving databases running these versions at the mercy of potential exploits. However, the silver lining is that PostgreSQL’s vigilant developers have fortified the ramparts in versions 16 and later, rendering the known exploit ineffective. Here’s how to act immediately:
- Upgrade, Upgrade, Upgrade! If you’re running an affected version of PostgreSQL, the most important step is immediately updating to a fixed version (12.18, 13.14, 14.11, or 15.6).
- Practice Caution: Beware of using the “REFRESH MATERIALIZED VIEW CONCURRENTLY” command on materialized views you didn’t create yourself. Treat them with extra suspicion.