Vulnerabilities > CVE-2019-3466 - Improper Privilege Management vulnerability in multiple products

CVSS 7.2 - HIGH

Attack vector

LOCAL

Attack complexity

LOW

Privileges required

NONE

Confidentiality impact

COMPLETE

Integrity impact

COMPLETE

Availability impact

COMPLETE

local

low complexity

nessus

NVD

Published: 2019-11-20

Updated: 2019-12-03

Summary

The pg_ctlcluster script in postgresql-common in versions prior to 210 didn't drop privileges when creating socket/statistics temporary directories, which could result in local privilege escalation.

Vulnerable Configurations

Part	Description	Count
Application	Postgresql Postgresql Postgresql Common - Postgresql Postgresql Common 91 Postgresql Postgresql Common 92 Postgresql Postgresql Common 93 Postgresql Postgresql Common 94 Postgresql Postgresql Common 95 Postgresql Postgresql Common 96 Postgresql Postgresql Common 97 Postgresql Postgresql Common 98 Postgresql Postgresql Common 99 Postgresql Postgresql Common 100 Postgresql Postgresql Common 101 Postgresql Postgresql Common 102 Postgresql Postgresql Common 103 Postgresql Postgresql Common 104 Postgresql Postgresql Common 105 Postgresql Postgresql Common 106 Postgresql Postgresql Common 107 Postgresql Postgresql Common 108 Postgresql Postgresql Common 109 Postgresql Postgresql Common 110 Postgresql Postgresql Common 111 Postgresql Postgresql Common 112 Postgresql Postgresql Common 113 Postgresql Postgresql Common 114 Postgresql Postgresql Common 115 Postgresql Postgresql Common 116 Postgresql Postgresql Common 117 Postgresql Postgresql Common 118 Postgresql Postgresql Common 119 Postgresql Postgresql Common 120 Postgresql Postgresql Common 121 Postgresql Postgresql Common 122 Postgresql Postgresql Common 123 Postgresql Postgresql Common 124 Postgresql Postgresql Common 125 Postgresql Postgresql Common 126 Postgresql Postgresql Common 127 Postgresql Postgresql Common 128 Postgresql Postgresql Common 129 Postgresql Postgresql Common 130 Postgresql Postgresql Common 131 Postgresql Postgresql Common 132 Postgresql Postgresql Common 133 Postgresql Postgresql Common 134 Postgresql Postgresql Common 135 Postgresql Postgresql Common 136 Postgresql Postgresql Common 137 Postgresql Postgresql Common 138 Postgresql Postgresql Common 139 Postgresql Postgresql Common 140 Postgresql Postgresql Common 141 Postgresql Postgresql Common 142 Postgresql Postgresql Common 143 Postgresql Postgresql Common 144 Postgresql Postgresql Common 145 Postgresql Postgresql Common 146 Postgresql Postgresql Common 147 Postgresql Postgresql Common 148 Postgresql Postgresql Common 149 Postgresql Postgresql Common 150 Postgresql Postgresql Common 151 Postgresql Postgresql Common 152 Postgresql Postgresql Common 153 Postgresql Postgresql Common 154 Postgresql Postgresql Common 155 Postgresql Postgresql Common 156 Postgresql Postgresql Common 157 Postgresql Postgresql Common 158 Postgresql Postgresql Common 159 Postgresql Postgresql Common 160 Postgresql Postgresql Common 161 Postgresql Postgresql Common 162 Postgresql Postgresql Common 163 Postgresql Postgresql Common 164 Postgresql Postgresql Common 165 Postgresql Postgresql Common 166 Postgresql Postgresql Common 167 Postgresql Postgresql Common 168 Postgresql Postgresql Common 169 Postgresql Postgresql Common 170 Postgresql Postgresql Common 171 Postgresql Postgresql Common 172 Postgresql Postgresql Common 173 Postgresql Postgresql Common 174 Postgresql Postgresql Common 175 Postgresql Postgresql Common 176 Postgresql Postgresql Common 177 Postgresql Postgresql Common 178 Postgresql Postgresql Common 179 Postgresql Postgresql Common 180 Postgresql Postgresql Common 181 Postgresql Postgresql Common 182 Postgresql Postgresql Common 183 Postgresql Postgresql Common 184 Postgresql Postgresql Common 185 Postgresql Postgresql Common 186 Postgresql Postgresql Common 187 Postgresql Postgresql Common 188 Postgresql Postgresql Common 189 Postgresql Postgresql Common 190 Postgresql Postgresql Common 191 Postgresql Postgresql Common 192 Postgresql Postgresql Common 193 Postgresql Postgresql Common 194 Postgresql Postgresql Common 195 Postgresql Postgresql Common 196 Postgresql Postgresql Common 197 Postgresql Postgresql Common 198 Postgresql Postgresql Common 199 Postgresql Postgresql Common 200 Postgresql Postgresql Common 201 Postgresql Postgresql Common 202 Postgresql Postgresql Common 203 Postgresql Postgresql Common 204 Postgresql Postgresql Common 205 Postgresql Postgresql Common 206 Postgresql Postgresql Common 207 Postgresql Postgresql Common 208 Postgresql Postgresql Common 209	120
OS	Canonical Canonical Ubuntu Linux 16.04 Canonical Ubuntu Linux 18.04 Canonical Ubuntu Linux 19.04 Canonical Ubuntu Linux 19.10	4
OS	Debian Debian Debian Linux 9.0 Debian Debian Linux 10.0	2

Common Weakness Enumeration (CWE)

CWE-269 - Improper Privilege Management

Common Attack Pattern Enumeration and Classification (CAPEC)

Restful Privilege Elevation
Rest uses standard HTTP (Get, Put, Delete) style permissions methods, but these are not necessarily correlated generally with back end programs. Strict interpretation of HTTP get methods means that these HTTP Get services should not be used to delete information on the server, but there is no access control mechanism to back up this logic. This means that unless the services are properly ACL'd and the application's service implementation are following these guidelines then an HTTP request can easily execute a delete or update on the server side. The attacker identifies a HTTP Get URL such as http://victimsite/updateOrder, which calls out to a program to update orders on a database or other resource. The URL is not idempotent so the request can be submitted multiple times by the attacker, additionally, the attacker may be able to exploit the URL published as a Get method that actually performs updates (instead of merely retrieving data). This may result in malicious or inadvertent altering of data on the server.

Nessus

NASL family	Debian Local Security Checks
NASL id	DEBIAN_DSA-4568.NASL
description	Rich Mirch discovered that the pg_ctlcluster script didn
last seen	2020-03-17
modified	2019-11-18
plugin id	131086
published	2019-11-18
reporter	This script is Copyright (C) 2019-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
source	https://www.tenable.com/plugins/nessus/131086
title	Debian DSA-4568-1 : postgresql-common - security update

NASL family	Debian Local Security Checks
NASL id	DEBIAN_DLA-1994.NASL
description	Rich Mirch discovered that the pg_ctlcluster script didn
last seen	2020-06-01
modified	2020-06-02
plugin id	131085
published	2019-11-18
reporter	This script is Copyright (C) 2019 and is owned by Tenable, Inc. or an Affiliate thereof.
source	https://www.tenable.com/plugins/nessus/131085
title	Debian DLA-1994-1 : postgresql-common security update

NASL family	Ubuntu Local Security Checks
NASL id	UBUNTU_USN-4194-1.NASL
description	Rich Mirch discovered that the postgresql-common pg_ctlcluster script incorrectly handled directory creation. A local attacker could possibly use this issue to escalate privileges. Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
last seen	2020-06-01
modified	2020-06-02
plugin id	131074
published	2019-11-15
reporter	Ubuntu Security Notice (C) 2019 Canonical, Inc. / NASL script (C) 2019 and is owned by Tenable, Inc. or an Affiliate thereof.
source	https://www.tenable.com/plugins/nessus/131074
title	Ubuntu 16.04 LTS / 18.04 LTS / 19.04 / 19.10 : postgresql-common vulnerability (USN-4194-1)

Summary

Vulnerable Configurations

Common Weakness Enumeration (CWE)

Common Attack Pattern Enumeration and Classification (CAPEC)

Nessus

References