[Sec-cert] [Sun] Vulnerabilities in PostgreSQL - Sun Alert 274870

WiN Site Security Contacts win-sec-ssc at lists.dfn-cert.de
Mon Jan 4 16:41:23 CET 2010



Dear colleagues,

we have just received the following Sun Security Advisory. We are
passing this information on to you unchanged.

CVE-2009-4034 - Error in the handling of certificates with NULL bytes
in PostgreSQL

  PostgreSQL accepts NULL characters in the domain name of the CN field
  of an X.509 certificate. An attacker can exploit this vulnerability by
  constructing a certificate containing NULL characters and thereby
  pretending that the certificate belongs to a different site. To do so,
  however, the attacker must have the certificate signed by a trusted
  CA. In this way the attacker can carry out man-in-the-middle attacks
  or bypass client hostname restrictions.

  This vulnerability is similar to CVE-2009-2408.
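
  The class of bug described above, shown as an added example (not code
  from the advisory or from PostgreSQL): a CN check that treats the
  length-delimited certificate field as a C string, next to a check that
  rejects embedded NUL bytes. The function names and the sample CN are
  constructed for illustration.

```c
#include <ctype.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Constructed sample: CN bytes as a length-delimited ASN.1 string would
 * carry them, with a NUL embedded after the trusted-looking prefix. */
static const unsigned char SAMPLE_CN[] = "db.example.org\0.other.example";
#define SAMPLE_CN_LEN (sizeof(SAMPLE_CN) - 1)

/* Flawed check: the CN is handled as a C string, so the comparison
 * stops at the first NUL and only the prefix is examined. */
int cn_matches_naive(const unsigned char *cn, size_t cn_len, const char *host)
{
    char buf[256];
    if (cn_len >= sizeof(buf))
        return 0;
    memcpy(buf, cn, cn_len);
    buf[cn_len] = '\0';
    return strcmp(buf, host) == 0;
}

/* Hardened check: refuse any CN containing a NUL, then compare the
 * full length-delimited value case-insensitively. */
int cn_matches_strict(const unsigned char *cn, size_t cn_len, const char *host)
{
    size_t i, host_len = strlen(host);

    if (cn_len == 0 || memchr(cn, '\0', cn_len) != NULL)
        return 0;               /* embedded NUL: reject the certificate */
    if (cn_len != host_len)
        return 0;
    for (i = 0; i < cn_len; i++)
        if (tolower(cn[i]) != tolower((unsigned char)host[i]))
            return 0;
    return 1;
}

int main(void)
{
    const char *host = "db.example.org";
    printf("naive : %d\n", cn_matches_naive(SAMPLE_CN, SAMPLE_CN_LEN, host));
    printf("strict: %d\n", cn_matches_strict(SAMPLE_CN, SAMPLE_CN_LEN, host));
    printf("strict, clean CN: %d\n",
           cn_matches_strict((const unsigned char *)host, strlen(host), host));
    return 0;
}
```

  The same length-versus-strlen comparison is a useful audit point in any
  client or server code that extracts names from X.509 fields.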

CVE-2009-4136 - Privilege escalation in connection with an index
function

  PostgreSQL contains an error in the management of "session-local"
  state when an index function is executed as superuser. An
  authenticated user can exploit this vulnerability to escalate
  privileges by creating a database with suitably constructed index
  functions. This vulnerability is similar to CVE-2007-6600 and
  CVE-2009-3230.

The following software packages and platforms are affected:

  PostgreSQL 8.1, 8.2, 8.3

  SPARC platform
  * Solaris 10 6/06 (or later) with PostgreSQL 8.1
  * Solaris 10 8/07 (or later) with PostgreSQL 8.2
  * Solaris 10 10/08 (or later) with PostgreSQL 8.3
  * OpenSolaris PostgreSQL 8.1 based on builds snv_35 through snv_109
  * OpenSolaris PostgreSQL 8.2 based on builds snv_56 through snv_130
  * OpenSolaris PostgreSQL 8.3 based on builds snv_87 through snv_130

  x86 platform
  * Solaris 10 6/06 (or later) with PostgreSQL 8.1
  * Solaris 10 8/07 (or later) with PostgreSQL 8.2
  * Solaris 10 10/08 (or later) with PostgreSQL 8.3
  * OpenSolaris PostgreSQL 8.1 based on builds snv_35 through snv_109
  * OpenSolaris PostgreSQL 8.2 based on builds snv_56 through snv_130
  * OpenSolaris PostgreSQL 8.3 based on builds snv_87 through snv_130

The vendor provides revised packages.

Vendor advisory:
  http://sunsolve.sun.com/search/document.do?assetkey=1-66-274870-1


(c) of the German summary held by DFN-CERT Services GmbH;
distribution, including in excerpts, is permitted only with attribution
to the originator, DFN-CERT Services GmbH, and only for non-commercial
purposes.

Kind regards,
		Klaus Moeller, DFN-CERT

-- 
Dipl. Inform. Klaus Moeller (Incident Response Team)
Phone: +49 40 808077-555, Fax: +49 40 808077-556

DFN-CERT Services GmbH, https://www.dfn-cert.de,  Phone  +49 40 808077-555
Registered office / Register: Hamburg, AG Hamburg, HRB 88805,  VAT ID:  DE 232129737
Sachsenstrasse 5, 20097 Hamburg/Germany, CEO: Dr. Klaus-Peter Kossakowski

17th DFN Workshop    "Sicherheit in vernetzten Systemen"    09./10.02.2010
Information at https://www.dfn-cert.de/veranstaltungen/workshop.html

Alert URL: http://sunsolve.sun.com/search/document.do?assetkey=1-66-274870-1
Sun Security Alert: 274870

   Security Vulnerabilities in PostgreSQL Shipped With Solaris May Allow
   Escalation of Privileges or Man-in-the-Middle on SSL Connections
    __________________________________________________________________

   Category : Security
   Release Phase : Workaround
   Bug Id : 6909139, 6909140, 6909142
   Product : Solaris 10 Operating System
   OpenSolaris
   Date of Workaround Release : 24-Dec-2009

   1. Impact
   Multiple security vulnerabilities have been identified in the
   PostgreSQL software shipped with Solaris. These vulnerabilities may
   allow a remote authenticated user with certain privileges to gain extra
   privileges via a table with a crafted index function. Further
   vulnerabilities may allow man-in-the-middle attacks on SSL based
   PostgreSQL servers by substituting malicious SSL certificates for
   trusted ones.
   These issues are described in the following documents:
   Official PostgreSQL announcement at
   http://www.postgresql.org/about/news.1170
   CVE-2009-4034 at
   http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-4034
   CVE-2009-4136 at
   http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-4136
   2. Contributing Factors
   These issues can occur in the following releases:
   SPARC Platform
     * Solaris 10 6/06 (or later) PostgreSQL 8.1
     * Solaris 10 8/07 (or later) PostgreSQL 8.2
     * Solaris 10 10/08 (or later) PostgreSQL 8.3
     * OpenSolaris PostgreSQL 8.1 based upon builds snv_35 through snv_109
     * OpenSolaris PostgreSQL 8.2 based upon builds snv_56 through snv_130
     * OpenSolaris PostgreSQL 8.3 based upon builds snv_87 through snv_130

   x86 Platform
     * Solaris 10 6/06 (or later) PostgreSQL 8.1
     * Solaris 10 8/07 (or later) PostgreSQL 8.2
     * Solaris 10 10/08 (or later) PostgreSQL 8.3
     * OpenSolaris PostgreSQL 8.1 based upon builds snv_35 through snv_109
     * OpenSolaris PostgreSQL 8.2 based upon builds snv_56 through snv_130
     * OpenSolaris PostgreSQL 8.3 based upon builds snv_87 through snv_130

   Notes:
   1. Solaris 8 and 9 do not ship with PostgreSQL and are not impacted by
   these issues.
   2. A user must have an account on the PostgreSQL server to exploit the
   issue described in CVE-2009-4136.
   3. The CVE-2009-4034 and CVE-2009-4136 issues affect PostgreSQL 7.4.x
   prior to 7.4.27, 8.0.x prior to 8.0.23, 8.1.x prior to 8.1.19, 8.2.x
   prior to 8.2.15 and 8.3.x prior to 8.3.9 and versions 8.4.x prior to
   8.4.2.
   4. PostgreSQL 8.1 (SUNWpostgr), 8.2 (packages beginning with
   SUNWpostgr-82) and 8.3 (packages beginning with SUNWpostgr-83)  can be
   installed at the same time and are separately impacted by these
   vulnerabilities.
   To determine if a version of PostgreSQL is installed, a command such as
   the following can be used:
$ pkginfo | grep SUNWpostgr
system      SUNWpostgr             PostgreSQL 8.1.9 client programs and libraries
system      SUNWpostgr-82-client   PostgreSQL 8.2 client tools

   To determine if PostgreSQL is running on a server, a command such as
   the following can be run as the user 'postgres' (or the 'root' user):
   for PostgreSQL 8.1:
$ pg_ctl status -D /var/lib/pgsql/data/
pg_ctl: neither postmaster nor postgres running

   for PostgreSQL 8.2:
$ /usr/postgres/8.2/bin/pg_ctl status -D /var/postgres/8.2/data/
pg_ctl: server is running (PID: 395)

   for PostgreSQL 8.3:
$ /usr/postgres/8.3/bin/pg_ctl status -D /var/postgres/8.3/data/
pg_ctl: server is running (PID: 395)

   or (where applicable):
$ svcs -a | grep postgresql
disabled       17:12:37 svc:/application/database/postgresql_83:default_32bit
disabled       17:12:37 svc:/application/database/postgresql:version_82
disabled       17:12:37 svc:/application/database/postgresql:version_82_64bit
online         17:13:05 svc:/application/database/postgresql_83:default_64bit

   3. Symptoms
   There are no predictable symptoms that would indicate the described
   issues have been exploited.
   4. Workaround
   To prevent the issue described in CVE-2009-4136 from being freshly
   exploited, the database administrator can revoke the "create" privilege
   from users by running the following commands:
   REVOKE CREATE ON SCHEMA <schema> FROM <user>;
   or
   REVOKE CREATE ON TABLESPACE <tablespace> FROM <user>;
   Preliminary T-Patches are available for the following releases from
   http://sunsolve.sun.com/tpatches:
   SPARC Platform
     * Solaris 10 6/06 (or later) PostgreSQL 8.1 T-patch T123590-12
     * Solaris 10 8/07 (or later) PostgreSQL 8.2 T-patch T136998-08
     * Solaris 10 10/08 (or later) PostgreSQL 8.3 T-patch T138826-06

   x86 Platform
     * Solaris 10 6/06 (or later) PostgreSQL 8.1 T-patch T123591-12
     * Solaris 10 8/07 (or later) PostgreSQL 8.2 T-patch T136999-08
     * Solaris 10 10/08 (or later) PostgreSQL 8.3 T-patch T138827-06

   This document refers to one or more preliminary temporary patches
   (T-Patches) which are designed to address the concerns identified
   herein. Sun has limited experience with these patches due to their
   preliminary nature. As such, you should only install the patches on
   systems meeting the configurations described above. Sun may release
   full patches at a later date, however, Sun is under no obligation
   whatsoever to create, release, or distribute any such patch.
   5. Resolution
   These issues are addressed in the following releases:
   SPARC Platform
     * OpenSolaris PostgreSQL 8.1 based upon builds snv_110 or later
     * OpenSolaris PostgreSQL 8.2 based upon builds snv_131 or later
     * OpenSolaris PostgreSQL 8.3 based upon builds snv_131 or later

   x86 Platform
     * OpenSolaris PostgreSQL 8.1 based upon builds snv_110 or later
     * OpenSolaris PostgreSQL 8.2 based upon builds snv_131 or later
     * OpenSolaris PostgreSQL 8.3 based upon builds snv_131 or later

   Note: PostgreSQL 8.1 was removed from OpenSolaris snv_110 onwards.
   A final resolution is pending completion for Solaris 10.
   For more information on Security Sun Alerts, see Technical Instruction
   ID 213557.
   This Sun Alert notification is being provided to you on an "AS IS"
   basis. This Sun Alert notification may contain information provided by
   third parties. The issues described in this Sun Alert notification may
   or may not impact your system(s). Sun makes no representations,
   warranties, or guarantees as to the information contained herein. ANY
   AND ALL WARRANTIES, EXPRESS OR IMPLIED, INCLUDING WITHOUT LIMITATION
   WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE, OR
   NON-INFRINGEMENT, ARE HEREBY DISCLAIMED. BY ACCESSING THIS DOCUMENT YOU
   ACKNOWLEDGE THAT SUN SHALL IN NO EVENT BE LIABLE FOR ANY DIRECT,
   INDIRECT, INCIDENTAL, PUNITIVE, OR CONSEQUENTIAL DAMAGES THAT ARISE OUT
   OF YOUR USE OR FAILURE TO USE THE INFORMATION CONTAINED HEREIN. This
   Sun Alert notification contains Sun proprietary and confidential
   information. It is being provided to you pursuant to the provisions of
   your agreement to purchase services from Sun, or, if you do not have
   such an agreement, the Sun.com Terms of Use. This Sun Alert
   notification may only be used for the purposes contemplated by these
   agreements.
   Copyright 2000-2009 Sun Microsystems, Inc., 4150 Network Circle, Santa
   Clara, CA 95054 U.S.A. All rights reserved.





