Amazon Linux AMI : postgresql9 Multiple Vulnerabilities (ALAS-2013-178)

This script is Copyright (C) 2013-2014 Tenable Network Security, Inc.


Synopsis :

The remote Amazon Linux AMI host is missing a security update.

Description :

The full description of the issue is provided in the PostgreSQL
2013-04-04 Security Release FAQ, which you should read!

Here is some additional text from the PostgreSQL git log :

Database names beginning with '-' [are] treated as though they were
secure command-line switches; and this switch processing occurs before
client authentication, so that even an unprivileged remote attacker
could exploit the bug, needing only connectivity to the postmaster's
port. Assorted exploits for this are possible, some requiring a valid
database login, some not. The worst known problem is that the '-r'
switch can be invoked to redirect the process's stderr output, so that
subsequent error messages will be appended to any file the server can
write. This can for example be used to corrupt the server's
configuration files, so that it will fail when next restarted.
Complete destruction of database tables is also possible.

See also :

http://aws.amazon.com/amazon-linux-ami/2013.03-release-notes/
http://www.nessus.org/u?9f4ede66
http://www.postgresql.org/support/security/faq/2013-04-04/
https://aws.amazon.com/amazon-linux-ami/faqs/#postgresql9
http://www.nessus.org/u?ae39357d

Solution :

Run "yum update 'postgresql9*'" to update your system and run "service
postgresql restart" to restart the database service.

If remediating this security vulnerability is also causing you to
update from PostgreSQL 9.1 to PostgreSQL 9.2, please see our FAQ entry
on the upgrade process or re-launch your instance with a 2013.03
Amazon Linux AMI.

Risk factor :

High / CVSS Base Score : 8.5
(CVSS2#AV:N/AC:M/Au:S/C:C/I:C/A:C)
Public Exploit Available : true

Family: Amazon Linux Local Security Checks

Nessus Plugin ID: 69737

CVE ID: CVE-2013-1899, CVE-2013-1900, CVE-2013-1901