Lucene search

HistoryFeb 24, 2014 - 12:00 a.m.

PostgreSQL 8.4 < 8.4.20 / 9.0 < 9.0.16 / 9.1 < 9.1.12 / 9.2 < 9.2.7 / 9.3 < 9.3.3 Multiple Vulnerabilities

2014-02-2400:00:00

www.tenable.com

The version of PostgreSQL installed on the remote host is 8.4.x prior to 8.4.20, 9.0.x prior to 9.0.16, 9.1.x prior to 9.1.12, 9.2.x prior to 9.2.7 or 9.3.x prior to 9.3.3. It is, therefore, potentially affected by multiple vulnerabilities :

SET ROLE bypasses lack of ADMIN OPTION when granting roles. (CVE-2014-0060)
It is possible to elevate privileges via calls to validator functions. (CVE-2014-0061)
It is possible to elevate privileges via a race condition in CREATE INDEX. (CVE-2014-0062)
Potential buffer overruns exist due to integer overflow in size calculations. (CVE-2014-0063)
Potential buffer overruns exist in datetime input/output. (CVE-2014-0064)
Multiple fixed-size buffers exist that could potentially be overflowed. (CVE-2014-0065)
A potential NULL pointer dereference crash is possible when crypt(3) returns NULL. (CVE-2014-0066)
Multiple integer overflow vulnerabilities exist in ‘hstore_io.c’ (CVE-2014-2669)

#%NASL_MIN_LEVEL 70300
#
# (C) Tenable Network Security, Inc.
#

include('deprecated_nasl_level.inc');
include('compat.inc');

if (description)
{
  script_id(72659);
  script_version("1.19");
  script_set_attribute(attribute:"plugin_modification_date", value:"2023/04/04");

  script_cve_id(
    "CVE-2014-0060",
    "CVE-2014-0061",
    "CVE-2014-0062",
    "CVE-2014-0063",
    "CVE-2014-0064",
    "CVE-2014-0065",
    "CVE-2014-0066",
    "CVE-2014-2669"
  );
  script_bugtraq_id(
    65719,
    65723,
    65724,
    65725,
    65727,
    65728,
    65731,
    66557
  );

  script_name(english:"PostgreSQL 8.4 < 8.4.20 / 9.0 < 9.0.16 / 9.1 < 9.1.12 / 9.2 < 9.2.7 / 9.3 < 9.3.3 Multiple Vulnerabilities");

  script_set_attribute(attribute:"synopsis", value:
"The remote database server is affected by multiple vulnerabilities.");
  script_set_attribute(attribute:"description", value:
"The version of PostgreSQL installed on the remote host is 8.4.x prior
to 8.4.20, 9.0.x prior to 9.0.16, 9.1.x prior to 9.1.12, 9.2.x prior to
9.2.7 or 9.3.x prior to 9.3.3.  It is, therefore, potentially affected
by multiple vulnerabilities :

  - SET ROLE bypasses lack of ADMIN OPTION when granting
    roles. (CVE-2014-0060)

  - It is possible to elevate privileges via calls to
    validator functions. (CVE-2014-0061)

  - It is possible to elevate privileges via a race
    condition in CREATE INDEX. (CVE-2014-0062)

  - Potential buffer overruns exist due to integer overflow
    in size calculations. (CVE-2014-0063)

  - Potential buffer overruns exist in datetime
    input/output. (CVE-2014-0064)

  - Multiple fixed-size buffers exist that could potentially
    be overflowed. (CVE-2014-0065)

  - A potential NULL pointer dereference crash is possible
    when crypt(3) returns NULL. (CVE-2014-0066)
    
  - Multiple integer overflow vulnerabilities exist in 
    'hstore_io.c' (CVE-2014-2669)");
  script_set_attribute(attribute:"see_also", value:"https://www.postgresql.org/about/news/1506/");
  script_set_attribute(attribute:"see_also", value:"http://www.postgresql.org/docs/8.4/static/release-8-4-20.html");
  script_set_attribute(attribute:"see_also", value:"https://www.postgresql.org/docs/9.0/release-9-0-16.html");
  script_set_attribute(attribute:"see_also", value:"https://www.postgresql.org/docs/9.1/release-9-1-12.html");
  script_set_attribute(attribute:"see_also", value:"https://www.postgresql.org/docs/9.2/release-9-2-7.html");
  script_set_attribute(attribute:"solution", value:
"Upgrade to PostgreSQL 8.4.17 / 9.0.13 / 9.1.9 / 9.2.4 / 9.3.3 or
later.");
  script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:S/C:P/I:P/A:P");
  script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C");
  script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H");
  script_set_cvss3_temporal_vector("CVSS:3.0/E:U/RL:O/RC:C");
  script_set_attribute(attribute:"cvss_score_source", value:"CVE-2014-2669");

  script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available");
  script_set_attribute(attribute:"exploit_available", value:"false");

  script_set_attribute(attribute:"vuln_publication_date", value:"2014/02/20");
  script_set_attribute(attribute:"patch_publication_date", value:"2014/02/20");
  script_set_attribute(attribute:"plugin_publication_date", value:"2014/02/24");

  script_set_attribute(attribute:"plugin_type", value:"remote");
  script_set_attribute(attribute:"cpe", value:"cpe:/a:postgresql:postgresql");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_family(english:"Databases");

  script_copyright(english:"This script is Copyright (C) 2014-2023 and is owned by Tenable, Inc. or an Affiliate thereof.");

  script_dependencies("postgresql_version.nbin");
  script_require_ports("Services/postgresql", 5432);

  exit(0);
}

include("audit.inc");
include("backport.inc");
include("global_settings.inc");
include("misc_func.inc");

port = get_service(svc:"postgresql", default:5432, exit_on_fail:TRUE);

version = get_kb_item_or_exit('database/'+port+'/postgresql/version');
source = get_kb_item_or_exit('database/'+port+'/postgresql/source');
database = get_kb_item('database/'+port+'/postgresql/database_name');

get_backport_banner(banner:source);
if (backported && report_paranoia < 2) audit(AUDIT_BACKPORT_SERVICE, port, 'PostgreSQL server');

ver = split(version, sep:'.');
for (i=0; i < max_index(ver); i++)
  ver[i] = int(ver[i]);

if (
  (ver[0] == 8 && ver[1] == 4 && ver[2] < 20) ||
  (ver[0] == 9 && ver[1] == 0 && ver[2] < 16) ||
  (ver[0] == 9 && ver[1] == 1 && ver[2] < 12) ||
  (ver[0] == 9 && ver[1] == 2 && ver[2] < 7) ||
  (ver[0] == 9 && ver[1] == 3 && ver[2] < 3)
)
{
  if (report_verbosity > 0)
  {
    report = '';
    if(database)
      report += '\n  Database name     : ' + database ;
    report +=
      '\n  Version source    : ' + source +
      '\n  Installed version : ' + version +
      '\n  Fixed version     : 8.4.20 / 9.0.16 / 9.1.12 / 9.2.7 / 9.3.3\n';
    security_warning(port:port, extra:report);
  }
  else security_warning(port);
  exit(0);
}
else audit(AUDIT_LISTEN_NOT_VULN, 'PostgreSQL', port, version);

VendorProductVersionCPE
postgresqlpostgresqlcpe:/a:postgresql:postgresql

Vendor	Product	Version	CPE
postgresql	postgresql		cpe:/a:postgresql:postgresql

References

cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0060

cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0061

cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0062

cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0063

cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0064

cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0065

cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0066

cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-2669

www.postgresql.org/docs/8.4/static/release-8-4-20.html

www.postgresql.org/about/news/1506/

www.postgresql.org/docs/9.0/release-9-0-16.html

www.postgresql.org/docs/9.1/release-9-1-12.html

www.postgresql.org/docs/9.2/release-9-2-7.html

JSON

PostgreSQL 8.4 < 8.4.20 / 9.0 < 9.0.16 / 9.1 < 9.1.12 / 9.2 < 9.2.7 / 9.3 < 9.3.3 Multiple Vulnerabilities

References

Related