GHSA-9CFH-VX93-84VV

Vulnerability from github – Published: 2023-05-10 19:20 – Updated: 2023-05-10 19:20
VLAI?
Summary
PostgresNIO processes unencrypted bytes from man-in-the-middle
Details

Impact

Any user of PostgresNIO connecting to servers with TLS enabled is vulnerable to a man-in-the-middle attacker injecting false responses to the client's first few queries, despite the use of TLS certificate verification and encryption.

The remaining text in this section is quoted verbatim from PostgreSQL's CVE-2021-23222 advisory:

If more preconditions hold, the attacker can exfiltrate the client's password or other confidential data that might be transmitted early in a session. The attacker must have a way to trick the client's intended server into making the confidential data accessible to the attacker. A known implementation having that property is a PostgreSQL configuration vulnerable to CVE-2021-23214. As with any exploitation of CVE-2021-23214, the server must be using trust authentication with a clientcert requirement or using cert authentication. To disclose a password, the client must be in possession of a password, which is atypical when using an authentication configuration vulnerable to CVE-2021-23214. The attacker must have some other way to access the server to retrieve the exfiltrated data (a valid, unprivileged login account would be sufficient).

Patches

The vulnerability is addressed in PostgresNIO versions starting from 1.14.2 via 2df54bc94607f44584ae6ffa74e3cd754fffafc7, which required additional support from SwiftNIO.

Workarounds

There are no known workarounds for unpatched users.

Additional Credits

Special thanks to PostgreSQL's Tom Lane <tgl@sss.pgh.pa.us> for reporting this issue!

References

Severity ?
3.7 (Low)
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N
Show details on source website
To clipboard 

{
  "affected": [
    {
      "package": {
        "ecosystem": "SwiftURL",
        "name": "github.com/vapor/postgres-nio"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "1.14.2"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2023-31136"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-522"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2023-05-10T19:20:16Z",
    "nvd_published_at": "2023-05-09T14:15:13Z",
    "severity": "LOW"
  },
  "details": "### Impact\nAny user of PostgresNIO connecting to servers with TLS enabled is vulnerable to a man-in-the-middle attacker injecting false responses to the client\u0027s first few queries, despite the use of TLS certificate verification and encryption.\n\n_The remaining text in this section is quoted verbatim from [PostgreSQL\u0027s CVE-2021-23222 advisory](https://www.postgresql.org/support/security/CVE-2021-23222/):_\n\n\u003e If more preconditions hold, the attacker can exfiltrate the client\u0027s password or other confidential data that might be transmitted early in a session. The attacker must have a way to trick the client\u0027s intended server into making the confidential data accessible to the attacker. A known implementation having that property is a PostgreSQL configuration vulnerable to [CVE-2021-23214](https://www.postgresql.org/support/security/CVE-2021-23214/). As with any exploitation of [CVE-2021-23214](https://www.postgresql.org/support/security/CVE-2021-23214/), the server must be using trust authentication with a clientcert requirement or using cert authentication. To disclose a password, the client must be in possession of a password, which is atypical when using an authentication configuration vulnerable to [CVE-2021-23214](https://www.postgresql.org/support/security/CVE-2021-23214/). The attacker must have some other way to access the server to retrieve the exfiltrated data (a valid, unprivileged login account would be sufficient).\n\n### Patches\nThe vulnerability is addressed in PostgresNIO versions starting from [1.14.2](https://github.com/vapor/postgres-nio/releases/tag/1.14.2) via [2df54bc94607f44584ae6ffa74e3cd754fffafc7](https://github.com/vapor/postgres-nio/commit/2df54bc94607f44584ae6ffa74e3cd754fffafc7), which required [additional support](https://github.com/apple/swift-nio/pull/2419) from SwiftNIO.\n\n### Workarounds\nThere are no known workarounds for unpatched users.\n\n### Additional Credits\nSpecial thanks to PostgreSQL\u0027s Tom Lane \u003c[tgl@sss.pgh.pa.us](mailto:tgl@sss.pgh.pa.us)\u003e for reporting this issue!\n\n### References\n- [PostgreSQL security advisory for CVE-2021-23222](https://www.postgresql.org/support/security/CVE-2021-23222/)\n- [GitHub security advisory GHSA-735f-7qx4-jqq5 for CVE-2021-23222](https://github.com/advisories/GHSA-735f-7qx4-jqq5)\n- [PostgreSQL security advisory for CVE-2021-23214](https://www.postgresql.org/support/security/CVE-2021-23214/)\n- [GitHub security advisory GHSA-467w-rrqc-395f for CVE-2021-23214](https://github.com/advisories/GHSA-467w-rrqc-395f)\n- [SwiftNIO PR #2419 Add unprocessedBytes property on NIOSingleStepByteToMessageProcessor](https://github.com/apple/swift-nio/pull/2419)\n- [PostgresNIO commit 2df54bc94607f44584ae6ffa74e3cd754fffafc7](https://github.com/vapor/postgres-nio/commit/2df54bc94607f44584ae6ffa74e3cd754fffafc7)\n- [PostgresNIO 1.42.2 release](https://github.com/vapor/postgres-nio/releases/tag/1.14.2)",
  "id": "GHSA-9cfh-vx93-84vv",
  "modified": "2023-05-10T19:20:16Z",
  "published": "2023-05-10T19:20:16Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/vapor/postgres-nio/security/advisories/GHSA-9cfh-vx93-84vv"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-31136"
    },
    {
      "type": "WEB",
      "url": "https://github.com/apple/swift-nio/pull/2419"
    },
    {
      "type": "WEB",
      "url": "https://github.com/vapor/postgres-nio/commit/2df54bc94607f44584ae6ffa74e3cd754fffafc7"
    },
    {
      "type": "ADVISORY",
      "url": "https://github.com/advisories/GHSA-467w-rrqc-395f"
    },
    {
      "type": "ADVISORY",
      "url": "https://github.com/advisories/GHSA-735f-7qx4-jqq5"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/vapor/postgres-nio"
    },
    {
      "type": "WEB",
      "url": "https://github.com/vapor/postgres-nio/releases/tag/1.14.2"
    },
    {
      "type": "WEB",
      "url": "https://www.postgresql.org/support/security/CVE-2021-23214"
    },
    {
      "type": "WEB",
      "url": "https://www.postgresql.org/support/security/CVE-2021-23222"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N",
      "type": "CVSS_V3"
    }
  ],
  "summary": "PostgresNIO processes unencrypted bytes from man-in-the-middle"
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or observed by the user.
  • Confirmed: The vulnerability has been validated from an analyst's perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
  • Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
  • Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
  • Not confirmed: The user expressed doubt about the validity of the vulnerability.
  • Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.



Detection rules are retrieved from Rulezet.