Re: [OT] Microsoft: Kubernetes clusters hacked in malware campaign via PostgreSQL

From: Magnus Hagander <magnus(at)hagander(dot)net>
To: noloader(at)gmail(dot)com
Cc: Pavel Borisov <pashkin(dot)elfe(at)gmail(dot)com>, PostgreSQL mailing lists <pgsql-bugs(at)postgresql(dot)org>
Subject: Re: [OT] Microsoft: Kubernetes clusters hacked in malware campaign via PostgreSQL
Date: 2023-01-10 15:47:59
Message-ID: CABUevEzq6uv39wUyu=zBW6NezXvm25U3R4i9W5+_g28KWWqT7w@mail.gmail.com
Lists: pgsql-bugs

On Tue, Jan 10, 2023 at 4:38 PM Jeffrey Walton <noloader(at)gmail(dot)com> wrote:

> On Tue, Jan 10, 2023 at 10:20 AM Pavel Borisov <pashkin(dot)elfe(at)gmail(dot)com>
> wrote:
> > On Tue, 10 Jan 2023 at 18:07, Magnus Hagander <magnus(at)hagander(dot)net>
> wrote:
> > > [ ...]
> > >> I wonder what was the vulnerability in Postgres that enabled "hackers"
> > >> to run malware? I've read the article and the linked ones and found no
> > >> causative link between Postgres and malware inside. Sorry, it seems
> > >> like baseless warnings, not a description of vulnerability. Maybe I
> > >> haven't got something?
>
> From the article Pavel linked to (below), it looks like PostgreSQL may
> suffer from CWE-521, Weak Password Requirements.

> Well-designed systems today reject weak and wounded passwords out of
> the box. Users don't need to do something special to enjoy the
> benefit.
>

The default PostgreSQL installation on most platforms doesn't even allow
password based logins. And it doesn't allow connections across the network
at all. And it most definitely doesn't assign any weak default passwords.

> Now if a user pulls out the foot gun and disables strong password
> requirements, then the user created the misconfiguration and the user
> is at fault. If the user did nothing out of the ordinary, then I would
> look for a design flaw, like letting users use weak passwords in the
> first place.
>

The reference in the first article is to "trust" authentication, which is
even worse than that -- it is explicitly asking postgres to "turn off all
authentication".

The second article doesn't actually contain anything more than a guess that
maybe the password was weak. But the core problem there seems more to be
exposing the postgres port to the public with no restrictions at all - one
should *never* do that with the database port, regardless of database. It
is correct that postgres does not itself have any defence against a
brute-force attack if you use the built-in password auth (if you use an
integrated authentication method, that of course depends on the method it's
being integrated with, but for simple passwords it doesn't).

--
Magnus Hagander
Me: https://www.hagander.net/
Work: https://www.redpill-linpro.com/
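As an added illustration of the two misconfigurations Magnus describes (exposing the port to every network, and "trust" or weak password methods in pg_hba.conf), here is a small Python audit. It is not part of the original thread and is not PostgreSQL's own tooling; the configuration fragments are constructed for the example, and the function and finding names are my own. It parses pg_hba.conf rules (both the CIDR form and the separate IP + netmask form), flags trust, cleartext "password" and md5 methods and world-open address ranges, and reads listen_addresses from a postgresql.conf fragment, falling back to the compiled-in default of 'localhost' when the setting is absent or commented out.

```python
import ipaddress

# Constructed sample pg_hba.conf fragments (not taken from the article or the thread).
WEAK_HBA = """\
# TYPE  DATABASE  USER  ADDRESS            METHOD
local   all       all                      trust
host    all       all   0.0.0.0/0          trust
host    all       all   ::/0               md5
host    all       all   10.0.0.0 255.0.0.0 password
"""

HARDENED_HBA = """\
# TYPE  DATABASE  USER  ADDRESS            METHOD
local   all       all                      peer
host    all       all   127.0.0.1/32       scram-sha-256
host    all       all   ::1/128            scram-sha-256
hostssl app       app   10.20.0.0/16       scram-sha-256
"""


def _is_ip(token):
    try:
        ipaddress.ip_address(token)
        return True
    except ValueError:
        return False


def _matches_everyone(address):
    """True for 'all' and for any /0 network (every client on the Internet)."""
    if address == "all":
        return True
    try:
        return ipaddress.ip_network(address, strict=False).prefixlen == 0
    except ValueError:
        return False  # hostnames, samehost, samenet: not world-open by themselves


def parse_hba(text):
    """Return (type, database, user, address, method) for each non-comment rule."""
    rules = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        conn_type = fields[0]
        if conn_type == "local":
            rules.append((conn_type, fields[1], fields[2], None, fields[3]))
            continue
        db, user, address, rest = fields[1], fields[2], fields[3], fields[4:]
        # "host all all 10.0.0.0 255.0.0.0 md5": fold the netmask into CIDR notation
        if "/" not in address and rest and _is_ip(rest[0]):
            address = str(ipaddress.ip_network(f"{address}/{rest[0]}", strict=False))
            rest = rest[1:]
        rules.append((conn_type, db, user, address, rest[0]))
    return rules


def audit_hba(text):
    """Return (rule, problem) pairs for each questionable pg_hba.conf rule."""
    findings = []
    for conn_type, db, user, address, method in parse_hba(text):
        rule = " ".join(f for f in (conn_type, db, user, address, method) if f)
        if method == "trust":
            findings.append((rule, "trust: authentication is switched off entirely"))
        elif method == "password":
            findings.append((rule, "password: cleartext password on the wire"))
        elif method == "md5":
            findings.append((rule, "md5: prefer scram-sha-256"))
        if address and _matches_everyone(address):
            findings.append((rule, "address range admits every client on the Internet"))
    return findings


def listen_addresses(conf_text):
    """Value of listen_addresses in a postgresql.conf fragment, or the
    built-in default 'localhost' if it is unset or commented out."""
    value = "localhost"
    for raw in conf_text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if line.startswith("listen_addresses"):
            value = line.partition("=")[2].strip().strip("'\"")
    return value


def exposed_to_network(conf_text):
    """True if the server binds every interface ('*', '0.0.0.0' or '::')."""
    return any(v.strip() in ("*", "0.0.0.0", "::")
               for v in listen_addresses(conf_text).split(","))


if __name__ == "__main__":
    for rule, problem in audit_hba(WEAK_HBA):
        print(f"{rule!r}: {problem}")
    print("hardened findings:", audit_hba(HARDENED_HBA))
    print("exposed:", exposed_to_network("listen_addresses = '*'"))
```

The weak fragment yields six findings (the trust rules, the cleartext and md5 methods, and the two /0 ranges), the hardened one none. Note that pg_hba.conf alone is not the whole story: a rule limited to 127.0.0.1/32 is harmless even with listen_addresses = '*', and conversely a world-open rule is unreachable while the server only listens on localhost, which is why both files are read together.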
