The Schemaverse was hacked!

Well, that didn’t take long :) I wanted to leave the public database unpatched for a couple days to see how long it would take somebody to compromise it after the announcement of a serious vulnerability. About 24 hours after the release, this little file showed up in my /data directory.

-bash-4.1$ ls -l
total 108
drwx------. 8 postgres postgres  4096 Oct  9 14:08 base
drwx------. 2 postgres postgres  4096 Apr  6 17:30 global
drwx------. 2 postgres postgres  4096 Apr  5 16:25 pg_clog
-rw-------. 1 postgres postgres  3982 Oct 29 11:10 pg_hba.conf
-rw-------. 1 postgres postgres  1636 Oct  9 10:10 pg_ident.conf
drwx------. 2 postgres postgres  4096 Oct 15 00:00 pg_log
drwx------. 4 postgres postgres  4096 Oct  9 10:10 pg_multixact
drwx------. 2 postgres postgres  4096 Apr  6 17:30 pg_notify
drwx------. 2 postgres postgres  4096 Oct  9 10:10 pg_serial
drwx------. 2 postgres postgres  4096 Oct  9 10:10 pg_snapshots
drwx------. 2 postgres postgres  4096 Apr  6 17:30 pg_stat_tmp
drwx------. 2 postgres postgres  4096 Apr  6 15:50 pg_subtrans
drwx------. 2 postgres postgres  4096 Oct  9 10:10 pg_tblspc
drwx------. 2 postgres postgres  4096 Oct  9 10:10 pg_twophase
-rw-------. 1 postgres postgres     4 Oct  9 10:10 PG_VERSION
drwx------. 3 postgres postgres  4096 Apr  6 17:26 pg_xlog
-rw-------. 1 postgres postgres 19660 Apr  4 08:59 postgresql.conf
-rw-------. 1 postgres postgres    71 Apr  4 08:59 postmaster.opts
-rw-------. 1 postgres postgres    72 Apr  4 08:59 postmaster.pid
-rw-------. 1 postgres postgres   535 Apr  5 05:33 SECURITY_RISK_PLEASE_UPGRADE_TO_9.2.4_NOW
-bash-4.1$ cat SECURITY_RISK_PLEASE_UPGRADE_TO_9.2.4_NOW
?otFATAL: no pg_hba.conf entry for host "***", user "***", database "-rSECURITY_RISK_PLEASE_UPGRADE_TO_9.2.4_NOW", SSL on
DETAIL: Client IP address resolved to "c-***", forward lookup not checked.

?otFATAL: no pg_hba.conf entry for host "***", user "***", database "-rSECURITY_RISK_PLEASE_UPGRADE_TO_9.2.4_NOW", SSL off
DETAIL: Client IP address resolved to "c-***", forward lookup not checked.

-bash-4.1$

This kind ‘attacker’ could have easily destroyed the entire database. Instead, they just wrote me a nice note on my file system.

Now, as a good security professional, I get to rebuild a server.

Please, please, please take this as a warning for anybody else currently running anything older than PostgreSQL 9.2.4, 9.1.9, 9.0.13 or 8.4.17. Vulnerability CVE-2013-1899 is serious and needs to be addressed immediately. Hiding behind a firewall makes this far less of a threat, but please don’t rely on that: just patch your damn box!
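The note left in the data directory is also the detection signal: the server logged a rejected connection whose database name begins with "-" (the trigger for CVE-2013-1899, where such a name is misread as a server command-line switch, which is what got the log written as a file). As an added example, not part of the original post, here is a small Python check that flags such log entries and compares a running version against the fixed releases listed above. The log lines are constructed from the redacted entries quoted in the post.

```python
import re

# Constructed sample log lines modelled on the entries quoted in the post;
# host and user values are redacted placeholders, not real data.
SAMPLE_LOG = """\
FATAL:  no pg_hba.conf entry for host "***", user "***", database "-rSECURITY_RISK_PLEASE_UPGRADE_TO_9.2.4_NOW", SSL on
DETAIL:  Client IP address resolved to "c-***", forward lookup not checked.
FATAL:  no pg_hba.conf entry for host "10.0.0.5", user "app", database "schemaverse", SSL off
LOG:  database system is ready to accept connections
"""

# Matches the pg_hba rejection message; \s+ tolerates one or two spaces after the colon.
PGHBA_REJECT = re.compile(
    r'FATAL:\s+no pg_hba\.conf entry for host "(?P<host>[^"]*)", '
    r'user "(?P<user>[^"]*)", database "(?P<db>[^"]*)"'
)

# First minor release of each branch that fixes CVE-2013-1899, as listed in the post.
FIXED_MINOR = {"9.2": 4, "9.1": 9, "9.0": 13, "8.4": 17}


def suspicious_connections(log_text):
    """Return (host, user, db) for rejected connections whose database name starts with '-'.

    A legitimate client never asks for a database named like a switch, so any hit
    is worth an incident ticket even though the connection itself was refused.
    """
    hits = []
    for line in log_text.splitlines():
        m = PGHBA_REJECT.search(line)
        if m and m.group("db").startswith("-"):
            hits.append((m.group("host"), m.group("user"), m.group("db")))
    return hits


def needs_upgrade(version):
    """True if a version string such as '9.2.3' predates the fixed release of its branch.

    Branches not named in the post's list are returned as False (unknown, not safe).
    """
    branch, minor = version.rsplit(".", 1)
    fixed = FIXED_MINOR.get(branch)
    return fixed is not None and int(minor) < fixed


if __name__ == "__main__":
    for host, user, db in suspicious_connections(SAMPLE_LOG):
        print(f"possible CVE-2013-1899 probe from {host} as {user}: database {db!r}")
    for v in ("9.2.3", "9.2.4", "8.4.17"):
        print(v, "needs upgrade" if needs_upgrade(v) else "at or past fixed release")
```

Run it over the server's real pg_log files and feed hits to whatever alerting you already have; the version check is only a stop-gap until the box is actually patched.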

For more details on the security release that resolves this issue, follow these links and get your servers patched!

http://www.postgresql.org/about/news/1456/

http://www.postgresql.org/support/security/faq/2013-04-04/

http://www.postgresql.org/download/