Interpreting the security vulnerabilities released on 2017-08-10
Tags
PostgreSQL, security vulnerability, CVE-2017-7546, CVE-2017-7547, CVE-2017-7548
Background
On 08-10 the PostgreSQL community released new minor versions that fix three security vulnerabilities.
https://www.postgresql.org/about/news/1772/
CVE-2017-7546:
Empty password accepted in some authentication methods
CVE-2017-7547:
The "pg_user_mappings" catalog view discloses passwords to users lacking server privileges
CVE-2017-7548:
lo_put() function ignores ACLs
Each of the three is interpreted below.
CVE-2017-7546: login with an empty password was accepted by some authentication methods
Note that clients built on libpq refuse, on their own, to attempt a login with an empty password. This can mislead an administrator into believing that a role with an empty password cannot log in at all.
That is not the case: other client drivers do send the empty password, and some server-side authentication methods accepted it. The fix closes this by making the server reject empty passwords in every authentication method.
If you never assign empty passwords you are not affected. Roles given an empty password before the fix may still exist in pg_authid, which is why the patched server checks at authentication time; on an unpatched server, audit for such roles and clear their passwords.
Don't allow logging in with empty password.
Some authentication methods allowed it, others did not. On the client side,
libpq does not even try to authenticate with an empty password, which makes
using empty passwords hazardous: an administrator might think that an
account with an empty password cannot be used to log in, because psql
doesn't allow it, and not realize that a different client would in fact
allow it. To clear that confusion and to be consistent, disallow empty
passwords in all authentication methods.
All the authentication methods that used plaintext authentication over the
wire, except for BSD authentication, already checked that the password
received from the user was not empty. To avoid forgetting it in the future
again, move the check to the recv_password_packet function. That only
forbids using an empty password with plaintext authentication, however.
MD5 and SCRAM need a different fix:
* In stable branches, check that the MD5 hash stored for the user does not
correspond to an empty string. This adds some overhead to MD5
authentication, because the server needs to compute an extra MD5 hash, but
it is not noticeable in practice.
* In HEAD, modify CREATE and ALTER ROLE to clear the password if an empty
string, or a password hash that corresponds to an empty string, is
specified. The user-visible behavior is the same as in the stable branches,
the user cannot log in, but it seems better to stop the empty password from
entering the system in the first place. Secondly, it is fairly expensive to
check that a SCRAM hash doesn't correspond to an empty string, because
computing a SCRAM hash is much more expensive than an MD5 hash by design,
so better avoid doing that on every authentication.
We could clear the password on CREATE/ALTER ROLE also in stable branches,
but we would still need to check at authentication time, because even if we
prevent empty passwords from being stored in pg_authid, there might be
existing ones there already.
Reported by Jeroen van der Ham, Ben de Graaff and Jelte Fennema.
Security: CVE-2017-7546
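An audit for roles that still carry an empty password, covering both the libpq caveat in the text and the per-method checks described in the commit message above. This is an added example, not code from the original post or from PostgreSQL itself; the role names are placeholders, and the queries must run as a superuser because pg_authid is not readable otherwise.

```sql
-- Added example, not from the original post or the PostgreSQL sources.
-- Run as a superuser: pg_authid.rolpassword is hidden from everyone else.

-- 1. MD5 verifiers. PostgreSQL stores 'md5' || md5(password || rolname),
--    so the verifier of an empty password is computable for each role.
--    This is the same comparison the stable-branch fix performs at
--    authentication time.
SELECT rolname
FROM   pg_authid
WHERE  rolcanlogin
AND    rolpassword = 'md5' || md5('' || rolname::text);

-- 2. Plaintext verifiers (pre-10 servers with password_encryption = off
--    stored the password verbatim): an empty password is the empty string.
SELECT rolname
FROM   pg_authid
WHERE  rolcanlogin
AND    rolpassword = '';

-- 3. SCRAM verifiers (10+) are deliberately expensive to test, which is why
--    the fix in HEAD refuses to store an empty password at CREATE/ALTER ROLE
--    instead. For any role found above, remove the password outright so it
--    cannot use password authentication from any client, libpq or not.
ALTER ROLE some_role PASSWORD NULL;            -- some_role is a placeholder

-- 4. Self-check on a patched server. On 10+ the empty password is cleared at
--    CREATE time (rolpassword stays NULL); on the stable branches it is
--    stored but every password login for the role must fail.
CREATE ROLE empty_pw_test LOGIN PASSWORD '';
SELECT rolpassword IS NULL AS cleared_at_create
FROM   pg_authid
WHERE  rolname = 'empty_pw_test';
DROP ROLE empty_pw_test;
```

The MD5 query is the one worth scheduling: it is cheap, it does not depend on which client library your applications use, and a non-empty result means the role is reachable by any driver that forwards an empty password verbatim.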
CVE-2017-7547: users without USAGE on a foreign server could read its user-mapping options
This vulnerability concerns foreign servers. For a user u1 to use a FOREIGN SERVER, several steps are normally needed.
1. Create the foreign server S1, which holds the connection information for the remote server.
2. Grant USAGE on foreign server S1 to user u1. (This step is where the vulnerability lies.)
3. Create a user mapping for u1 on foreign server S1, which holds the credentials used to log in to that foreign server.
4. u1 can now create foreign tables on foreign server S1.
The vulnerability: even when step 2 has not been done (or USAGE has since been revoked), an ordinary user u1 who is the subject of a mapping could query the pg_user_mappings view and read the options of that mapping, i.e. the credentials for logging in to the foreign server (for example the remote user name and password).
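The four steps above, followed by the leaking query and an audit for mappings whose subject lacks USAGE on the server. This is an added example, not code from the original post or from PostgreSQL; the server name s1, the role u1, the remote host and the remote credentials are placeholders, and postgres_fdw is assumed as the wrapper.

```sql
-- Added example, not from the original post or the PostgreSQL sources.
-- s1, u1, remote.example.internal and the remote credentials are placeholders.

-- Steps 1 to 3, run by a superuser.
CREATE EXTENSION IF NOT EXISTS postgres_fdw;
CREATE SERVER s1 FOREIGN DATA WRAPPER postgres_fdw
    OPTIONS (host 'remote.example.internal', port '5432', dbname 'app');  -- step 1
GRANT USAGE ON FOREIGN SERVER s1 TO u1;                                   -- step 2
CREATE USER MAPPING FOR u1 SERVER s1
    OPTIONS (user 'remote_u1', password 'remote-secret');                 -- step 3

-- Step 4, run as u1.
SET ROLE u1;
CREATE FOREIGN TABLE remote_orders (id int, total numeric)
    SERVER s1 OPTIONS (schema_name 'public', table_name 'orders');
RESET ROLE;

-- The leak: take USAGE away but leave the mapping in place (the same state
-- as never having performed step 2) ...
REVOKE USAGE ON FOREIGN SERVER s1 FROM u1;
SET ROLE u1;
-- ... and query the view as the mapped user. Unpatched: umoptions shows
-- user and password. Patched: umoptions is NULL for this row.
SELECT srvname, usename, umoptions
FROM   pg_user_mappings
WHERE  srvname = 's1';
RESET ROLE;

-- Audit: mappings whose subject role lacks USAGE on the server. The inner
-- join on pg_authid drops the PUBLIC mapping (umuser = 0), which has no
-- single subject to test.
SELECT s.srvname, a.rolname AS mapped_role
FROM   pg_user_mapping um
JOIN   pg_foreign_server s ON s.oid = um.umserver
JOIN   pg_authid a         ON a.oid = um.umuser
WHERE  NOT has_server_privilege(a.oid, s.oid, 'USAGE');

-- Mitigation on an unpatched release: revoking USAGE is not enough, the
-- mapping itself must go.
DROP USER MAPPING FOR u1 SERVER s1;
```

The audit query is what to run before deciding whether an unpatched server is exposed: every row it returns is a set of remote credentials that the named role can read through pg_user_mappings without holding any privilege on the server.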
Again match pg_user_mappings to information_schema.user_mapping_options.
Commit 3eefc51053f250837c3115c12f8119d16881a2d7 claimed to make
pg_user_mappings enforce the qualifications user_mapping_options had
been enforcing, but its removal of a longstanding restriction left them
distinct when the current user is the subject of a mapping yet has no
server privileges. user_mapping_options emits no rows for such a
mapping, but pg_user_mappings includes full umoptions. Change
pg_user_mappings to show null for umoptions. Back-patch to 9.2, like
the above commit.
Reviewed by Tom Lane. Reported by Jeff Janes.
Security: CVE-2017-7547
Example after the fix (diff of the regression test expected output):
-GRANT USAGE ON FOREIGN SERVER s10 TO regress_unprivileged_role;
--- owner of server can see option fields
+CREATE USER MAPPING FOR regress_unprivileged_role SERVER s10 OPTIONS (user `secret`);
+-- unprivileged user cannot see any option field
SET ROLE regress_unprivileged_role;
\deu+
List of user mappings
Server | User name | FDW options
--------+---------------------------+-------------
s10 | public |
+ s10 | regress_unprivileged_role | -- before the fix this row showed user 'secret'
s4 | regress_foreign_data_user |
s5 | regress_test_role |
s6 | regress_test_role |
To fix this on an older release, see https://www.postgresql.org/about/news/1772/ ; it requires editing the system catalog as described there.
So if you keep running an old release and revoke a user's privilege on a foreign server, drop that user's user mapping at the same time; the options then cannot leak.
CVE-2017-7548: the large-object function lo_put() did not check write privilege
Description:
Without UPDATE privilege on a large object, a user could still modify it with lo_put().
After the fix, lo_put() requires UPDATE privilege on the large object, the same as lowrite() already did.
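A self-check for whether a server enforces UPDATE on lo_put(), exercising both the denied and the permitted path. This is an added example, not code from the original post or from PostgreSQL; the large object OID 31337 and the role app_reader are placeholders.

```sql
-- Added example, not from the original post or the PostgreSQL sources.
-- OID 31337 and role app_reader are placeholders.

-- Owner side: create the object, write to it, grant read-only access.
SELECT lo_create(31337);
SELECT lo_put(31337, 0, 'owner data'::bytea);      -- owner: always allowed
GRANT SELECT ON LARGE OBJECT 31337 TO app_reader;  -- SELECT only, no UPDATE

-- Reader side.
SET ROLE app_reader;
SELECT lo_get(31337);                              -- allowed by SELECT
SELECT lo_put(31337, 0, 'tampered'::bytea);
-- patched:   ERROR:  permission denied for large object 31337
-- unpatched: succeeds, and the next lo_get returns the overwritten prefix
SELECT lo_get(31337);
RESET ROLE;

-- Granting UPDATE is what makes the write legitimate, on either version.
GRANT UPDATE ON LARGE OBJECT 31337 TO app_reader;
SET ROLE app_reader;
SELECT lo_put(31337, 0, 'legit'::bytea);
RESET ROLE;

-- Caveat: with lo_compat_privileges = on, large-object privilege checks are
-- skipped altogether and this test says nothing about the patch.
SHOW lo_compat_privileges;

SELECT lo_unlink(31337);
```

Run the reader side with a role that is not a superuser and does not own the object; both of those bypass the ACL check for reasons unrelated to this fix.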
Require update permission for the large object written by lo_put().
lo_put() surely should require UPDATE permission, the same as lowrite(),
but it failed to check for that, as reported by Chapman Flack. Oversight
in commit c50b7c09d; backpatch to 9.4 where that was introduced.
Tom Lane and Michael Paquier
Security: CVE-2017-7548
Example after the fix, from the regression test expected output:
src/test/regress/expected/privileges.out
SET SESSION AUTHORIZATION regress_user1;
SELECT lo_create(1001);
 lo_create
-----------
      1001
(1 row)

SELECT lo_create(1002);
 lo_create
-----------
      1002
(1 row)

GRANT ALL ON LARGE OBJECT 1001 TO PUBLIC;
GRANT SELECT ON LARGE OBJECT 1003 TO regress_user2;
GRANT SELECT,UPDATE ON LARGE OBJECT 1004 TO regress_user2;
GRANT ALL ON LARGE OBJECT 1005 TO regress_user2;
GRANT SELECT ON LARGE OBJECT 1005 TO regress_user2 WITH GRANT OPTION;
GRANT SELECT, INSERT ON LARGE OBJECT 1001 TO PUBLIC; -- to be failed
ERROR:  invalid privilege type INSERT for large object
GRANT SELECT, UPDATE ON LARGE OBJECT 1001 TO nosuchuser; -- to be failed
ERROR:  role "nosuchuser" does not exist
GRANT SELECT, UPDATE ON LARGE OBJECT 999 TO PUBLIC; -- to be failed
ERROR:  large object 999 does not exist
\c -
SET SESSION AUTHORIZATION regress_user2;

-- confirm ACL setting
SELECT oid, pg_get_userbyid(lomowner) ownername, lomacl FROM pg_largeobject_metadata WHERE oid >= 1000 AND oid < 3000 ORDER BY oid;
 oid  |   ownername   |                                             lomacl
------+---------------+------------------------------------------------------------------------------------------------
 1001 | regress_user1 | {regress_user1=rw/regress_user1,=rw/regress_user1}
 1002 | regress_user1 |
 1003 | regress_user1 | {regress_user1=rw/regress_user1,regress_user2=r/regress_user1}
 1004 | regress_user1 | {regress_user1=rw/regress_user1,regress_user2=rw/regress_user1}
 1005 | regress_user1 | {regress_user1=rw/regress_user1,regress_user2=r*w/regress_user1,regress_user3=r/regress_user2}
 2001 | regress_user2 | {regress_user2=rw/regress_user2,regress_user3=rw/regress_user2}
(6 rows)
+SELECT loread(lo_open(1001, x`20000`::int), 32); -- allowed, for now
+ loread
+--------
+ x
+(1 row)
+
+SELECT lowrite(lo_open(1001, x`40000`::int), `abcd`); -- fail, wrong mode
+ERROR: large object descriptor 0 was not opened for writing
+SELECT lo_put(1002, 1, `abcd`); -- to be denied
+ERROR: permission denied for large object 1002
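Review bot: the added lines exercise only the denied path of the new lo_put() check (regress_user2 on 1002, which carries no ACL entry for that role); the ACL listing above shows regress_user2 holding rw on 1004, so a companion `SELECT lo_put(1004, 1, 'abcd');` expected to succeed would confirm that the UPDATE check admits authorized writers rather than rejecting lo_put() unconditionally.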