AWS has updated the software underneath its Aurora PostgreSQL and RDS (relational database service) for PostgreSQL, after a security researcher found a path to credential exposure and privilege escalation.
Lightspin’s Gafnit Amiga found the vulnerability doing a security analysis of a PostgreSQL instance created on RDS.
What Amiga found is that following a directory traversal, she could access a configuration file containing an AWS internal token.
“Within transiting three different files I was able to discover an internal AWS service and gain access to it. This is where my analysis and research ended, I did not attempt to enumerate any IAM permissions or move further laterally into AWS’ internal environment,” Amiga wrote in this blog post.
As the researcher noted: “wrapping third-party services such as PostgreSQL and trying to provide users with advanced features is sometimes a double-edged sword.”
The bug was reported to AWS, and fixed, last December, with Amiga’s timeline noting that all affected customers were contacted and all supported versions fixed by March 22 this year.
AWS went public with the vulnerability on April 12.
In its advisory, the cloud company said Amiga had found “internal credentials that were specific to their Aurora cluster.”
The post continued: “No cross-customer or cross-cluster access was possible; however, highly privileged local database users who could exercise this issue could potentially have gained additional access to data hosted in their cluster or read files within the operating system of the underlying host running their database.”
AWS also provides a summary of Lightspin’s work: a third-party extension for PostgreSQL, log_fdw, provides log query functions and is pre-installed with both Amazon Aurora PostgreSQL and RDS for PostgreSQL.
“The issue permitted the researcher to examine the contents of local system files of the database instance within their account, including a file which contained credentials specific to Aurora”, the post stated.
“The credentials could only be used to access resources associated with the Aurora database cluster from which the credentials were retrieved.”
Both Aurora PostgreSQL and RDS for PostgreSQL have been updated, and older versions have been deprecated so customers can’t use them to create new instances.
At the time of writing, iTnews was unable to find a Common Vulnerabilities and Exposures (CVE) database entry for the vulnerability.