Amazon Linux AMI : postgresql93 / postgresql94,postgresql95 (ALAS-2017-839)

2017-06-0700:00:00

www.tenable.com

CVSS2

Attack Vector

NETWORK

Attack Complexity

LOW

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

NONE

Availability Impact

NONE

AV:N/AC:L/Au:N/C:P/I:N/A:N

CVSS3

7.5

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

NONE

Availability Impact

NONE

CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

EPSS

0.005

Percentile

77.5%

JSON

Selectivity estimators bypass SELECT privilege checks

It was found that some selectivity estimation functions did not check user privileges before providing information from pg_statistic, possibly leaking information. An unprivileged attacker could use this flaw to steal some information from tables they are otherwise not allowed to access. (CVE-2017-7484)

libpq ignores PGREQUIRESSL environment variable

It was found that the PGREQUIRESSL was no longer enforcing a SSL/TLS connection to a PostgreSQL server. An active Man-in-the-Middle attacker could use this flaw to strip the SSL/TLS protection from a connection between a client and a server. (CVE-2017-7485)

pg_user_mappings view discloses foreign server passwords

It was found that the pg_user_mappings view from postgresql could disclose information about user mappings to a foreign database to unprivileged users. An authenticated attacker with USAGE privilege for this mapping could, when querying the view, obtain user mapping data, such as the username and password used to connect to the foreign database. (CVE-2017-7486)

#
# (C) Tenable Network Security, Inc.
#
# The descriptive text and package checks in this plugin were
# extracted from Amazon Linux AMI Security Advisory ALAS-2017-839.
#

include("compat.inc");

if (description)
{
  script_id(100640);
  script_version("3.5");
  script_cvs_date("Date: 2018/04/18 15:09:36");

  script_cve_id("CVE-2017-7484", "CVE-2017-7485", "CVE-2017-7486");
  script_xref(name:"ALAS", value:"2017-839");

  script_name(english:"Amazon Linux AMI : postgresql93 / postgresql94,postgresql95 (ALAS-2017-839)");
  script_summary(english:"Checks rpm output for the updated packages");

  script_set_attribute(
    attribute:"synopsis", 
    value:"The remote Amazon Linux AMI host is missing a security update."
  );
  script_set_attribute(
    attribute:"description", 
    value:
"Selectivity estimators bypass SELECT privilege checks

It was found that some selectivity estimation functions did not check
user privileges before providing information from pg_statistic,
possibly leaking information. An unprivileged attacker could use this
flaw to steal some information from tables they are otherwise not
allowed to access. (CVE-2017-7484)

libpq ignores PGREQUIRESSL environment variable

It was found that the PGREQUIRESSL was no longer enforcing a SSL/TLS
connection to a PostgreSQL server. An active Man-in-the-Middle
attacker could use this flaw to strip the SSL/TLS protection from a
connection between a client and a server. (CVE-2017-7485)

pg_user_mappings view discloses foreign server passwords

It was found that the pg_user_mappings view from postgresql could
disclose information about user mappings to a foreign database to
unprivileged users. An authenticated attacker with USAGE privilege for
this mapping could, when querying the view, obtain user mapping data,
such as the username and password used to connect to the foreign
database. (CVE-2017-7486)"
  );
  script_set_attribute(
    attribute:"see_also",
    value:"https://alas.aws.amazon.com/ALAS-2017-839.html"
  );
  script_set_attribute(
    attribute:"solution", 
    value:
"Run 'yum update postgresql93' to update your system.

Run 'yum update postgresql94' to update your system.

Run 'yum update postgresql95' to update your system."
  );
  script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:P/I:N/A:N");
  script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N");

  script_set_attribute(attribute:"plugin_type", value:"local");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:amazon:linux:postgresql93");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:amazon:linux:postgresql93-contrib");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:amazon:linux:postgresql93-debuginfo");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:amazon:linux:postgresql93-devel");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:amazon:linux:postgresql93-docs");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:amazon:linux:postgresql93-libs");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:amazon:linux:postgresql93-plperl");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:amazon:linux:postgresql93-plpython26");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:amazon:linux:postgresql93-plpython27");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:amazon:linux:postgresql93-pltcl");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:amazon:linux:postgresql93-server");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:amazon:linux:postgresql93-test");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:amazon:linux:postgresql94");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:amazon:linux:postgresql94-contrib");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:amazon:linux:postgresql94-debuginfo");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:amazon:linux:postgresql94-devel");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:amazon:linux:postgresql94-docs");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:amazon:linux:postgresql94-libs");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:amazon:linux:postgresql94-plperl");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:amazon:linux:postgresql94-plpython26");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:amazon:linux:postgresql94-plpython27");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:amazon:linux:postgresql94-server");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:amazon:linux:postgresql94-test");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:amazon:linux:postgresql95");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:amazon:linux:postgresql95-contrib");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:amazon:linux:postgresql95-debuginfo");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:amazon:linux:postgresql95-devel");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:amazon:linux:postgresql95-docs");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:amazon:linux:postgresql95-libs");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:amazon:linux:postgresql95-plperl");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:amazon:linux:postgresql95-plpython26");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:amazon:linux:postgresql95-plpython27");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:amazon:linux:postgresql95-server");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:amazon:linux:postgresql95-static");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:amazon:linux:postgresql95-test");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:amazon:linux");

  script_set_attribute(attribute:"patch_publication_date", value:"2017/06/06");
  script_set_attribute(attribute:"plugin_publication_date", value:"2017/06/07");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_copyright(english:"This script is Copyright (C) 2017-2018 Tenable Network Security, Inc.");
  script_family(english:"Amazon Linux Local Security Checks");

  script_dependencies("ssh_get_info.nasl");
  script_require_keys("Host/local_checks_enabled", "Host/AmazonLinux/release", "Host/AmazonLinux/rpm-list");

  exit(0);
}


include("audit.inc");
include("global_settings.inc");
include("rpm.inc");


if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);

release = get_kb_item("Host/AmazonLinux/release");
if (isnull(release) || !strlen(release)) audit(AUDIT_OS_NOT, "Amazon Linux");
os_ver = pregmatch(pattern: "^AL(A|\d)", string:release);
if (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, "Amazon Linux");
os_ver = os_ver[1];
if (os_ver != "A")
{
  if (os_ver == 'A') os_ver = 'AMI';
  audit(AUDIT_OS_NOT, "Amazon Linux AMI", "Amazon Linux " + os_ver);
}

if (!get_kb_item("Host/AmazonLinux/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING);


flag = 0;
if (rpm_check(release:"ALA", reference:"postgresql93-9.3.17-1.63.amzn1")) flag++;
if (rpm_check(release:"ALA", reference:"postgresql93-contrib-9.3.17-1.63.amzn1")) flag++;
if (rpm_check(release:"ALA", reference:"postgresql93-debuginfo-9.3.17-1.63.amzn1")) flag++;
if (rpm_check(release:"ALA", reference:"postgresql93-devel-9.3.17-1.63.amzn1")) flag++;
if (rpm_check(release:"ALA", reference:"postgresql93-docs-9.3.17-1.63.amzn1")) flag++;
if (rpm_check(release:"ALA", reference:"postgresql93-libs-9.3.17-1.63.amzn1")) flag++;
if (rpm_check(release:"ALA", reference:"postgresql93-plperl-9.3.17-1.63.amzn1")) flag++;
if (rpm_check(release:"ALA", reference:"postgresql93-plpython26-9.3.17-1.63.amzn1")) flag++;
if (rpm_check(release:"ALA", reference:"postgresql93-plpython27-9.3.17-1.63.amzn1")) flag++;
if (rpm_check(release:"ALA", reference:"postgresql93-pltcl-9.3.17-1.63.amzn1")) flag++;
if (rpm_check(release:"ALA", reference:"postgresql93-server-9.3.17-1.63.amzn1")) flag++;
if (rpm_check(release:"ALA", reference:"postgresql93-test-9.3.17-1.63.amzn1")) flag++;
if (rpm_check(release:"ALA", reference:"postgresql94-9.4.12-1.68.amzn1")) flag++;
if (rpm_check(release:"ALA", reference:"postgresql94-contrib-9.4.12-1.68.amzn1")) flag++;
if (rpm_check(release:"ALA", reference:"postgresql94-debuginfo-9.4.12-1.68.amzn1")) flag++;
if (rpm_check(release:"ALA", reference:"postgresql94-devel-9.4.12-1.68.amzn1")) flag++;
if (rpm_check(release:"ALA", reference:"postgresql94-docs-9.4.12-1.68.amzn1")) flag++;
if (rpm_check(release:"ALA", reference:"postgresql94-libs-9.4.12-1.68.amzn1")) flag++;
if (rpm_check(release:"ALA", reference:"postgresql94-plperl-9.4.12-1.68.amzn1")) flag++;
if (rpm_check(release:"ALA", reference:"postgresql94-plpython26-9.4.12-1.68.amzn1")) flag++;
if (rpm_check(release:"ALA", reference:"postgresql94-plpython27-9.4.12-1.68.amzn1")) flag++;
if (rpm_check(release:"ALA", reference:"postgresql94-server-9.4.12-1.68.amzn1")) flag++;
if (rpm_check(release:"ALA", reference:"postgresql94-test-9.4.12-1.68.amzn1")) flag++;
if (rpm_check(release:"ALA", reference:"postgresql95-9.5.7-1.72.amzn1")) flag++;
if (rpm_check(release:"ALA", reference:"postgresql95-contrib-9.5.7-1.72.amzn1")) flag++;
if (rpm_check(release:"ALA", reference:"postgresql95-debuginfo-9.5.7-1.72.amzn1")) flag++;
if (rpm_check(release:"ALA", reference:"postgresql95-devel-9.5.7-1.72.amzn1")) flag++;
if (rpm_check(release:"ALA", reference:"postgresql95-docs-9.5.7-1.72.amzn1")) flag++;
if (rpm_check(release:"ALA", reference:"postgresql95-libs-9.5.7-1.72.amzn1")) flag++;
if (rpm_check(release:"ALA", reference:"postgresql95-plperl-9.5.7-1.72.amzn1")) flag++;
if (rpm_check(release:"ALA", reference:"postgresql95-plpython26-9.5.7-1.72.amzn1")) flag++;
if (rpm_check(release:"ALA", reference:"postgresql95-plpython27-9.5.7-1.72.amzn1")) flag++;
if (rpm_check(release:"ALA", reference:"postgresql95-server-9.5.7-1.72.amzn1")) flag++;
if (rpm_check(release:"ALA", reference:"postgresql95-static-9.5.7-1.72.amzn1")) flag++;
if (rpm_check(release:"ALA", reference:"postgresql95-test-9.5.7-1.72.amzn1")) flag++;

if (flag)
{
  if (report_verbosity > 0) security_warning(port:0, extra:rpm_report_get());
  else security_warning(0);
  exit(0);
}
else
{
  tested = pkg_tests_get();
  if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
  else audit(AUDIT_PACKAGE_NOT_INSTALLED, "postgresql93 / postgresql93-contrib / postgresql93-debuginfo / etc");
}