FOCUS FRIDAY: TPRM INSIGHTS ON CRITICAL POSTGRESQL AND PGADMIN VULNERABILITIES

Written by: Ferhat Dikbiyik Additional Contributions: Ferdi Gül

In this week’s edition of Focus Friday, we’re diving deep into two critical vulnerabilities that have caught the attention of cybersecurity and TPRM professionals worldwide. Our spotlight shines on the PostgreSQL and pgAdmin systems, unpacking the intricate details of the vulnerabilities that pose a threat to organizational security. Join us as we explore the implications of these vulnerabilities and how they underscore the importance of vigilant third-party risk management in today’s digital landscape.

POSTGRESQL SQL INJECTION VULNERABILITY (CVE-2024-1597)

What is CVE-2024-1597?

CVE-2024-1597 is a critical SQL injection vulnerability discovered in the PostgreSQL JDBC Driver’s pgjdbc when the PreferQueryMode parameter is set to SIMPLE. This configuration is not the default setting, meaning systems using default settings are not at risk. Exploitation of this vulnerability can lead to data theft, alteration, or even execution of unauthorized programs on the database. This flaw was first published on February 21, 2024, and affects versions prior to 42.7.2, among others. A proof of concept (POC) for the exploit is available, highlighting the practical risks associated with this vulnerability.

Why Should TPRM Professionals Care?

This vulnerability poses a significant risk, particularly for environments utilizing PostgreSQL databases in non-default configurations. Unauthenticated attackers’ ability to execute SQL injections can lead to severe confidentiality, integrity, and availability impacts. Given the availability of POC exploit code, TPRM professionals should prioritize this vulnerability due to its critical nature and the potential for widespread exploitation.

What Questions Should TPRM Professionals Ask?

1. Have you identified any usage of the vulnerable pgjdbc versions in your environment?
2. Is the PreferQueryMode parameter set to SIMPLE in any of your PostgreSQL JDBC Drivers?
3. What steps have you taken to update the affected pgjdbc driver versions to the patched versions?
4. How are you monitoring your network for unusual activities that might indicate exploitation of this vulnerability?

Remediation Recommendations for Vendors

• Update the pgjdbc driver to the latest patched versions: 42.7.2, 42.6.1, 42.5.5, 42.4.4, 42.3.9, or 42.2.28.
• Change the PreferQueryMode parameter to EXTENDED to avoid this vulnerability.
• Use parameterized queries to prevent SQL injection attacks.
• Implement security measures such as restricting database access and using firewalls or web application firewalls (WAFs).

Leveraging Black Kite for CVE-2024-1597

Black Kite provides a Focus Tag for this specific vulnerability, enabling TPRM professionals to quickly identify potentially affected vendors and assets. By utilizing Black Kite’s platform, professionals can streamline their risk assessment process for this and similar vulnerabilities, focusing their efforts where they are most needed and operationalizing the insights gained from the platform. The capability to pinpoint vulnerable assets directly translates into more effective and efficient risk management practices.

PGADMIN PATH TRAVERSAL AND RCE (CVE-2024-2044)

What is the CVE-2024-2044 Vulnerability in pgAdmin?

CVE-2024-2044 is identified as a critical path traversal and remote code execution (RCE) vulnerability in pgAdmin, affecting versions up to 8.3. It exploits session deserialization on Windows and POSIX/Linux servers under specific conditions, facilitating unauthorized code execution. First reported on March 25, 2024, it underscores a significant risk without requiring user interaction for exploitation, although it hasn’t been cataloged by CISA’s KEV as of the latest update.

Why is CVE-2024-2044 Significant for TPRM Professionals?

From a TPRM perspective, this vulnerability necessitates urgent attention due to its potential to compromise systems by executing arbitrary code. It highlights the importance of secure session management and the need for stringent network access controls, especially in environments utilizing pgAdmin. Understanding the risk this vulnerability poses to data integrity and system security is paramount for mitigating potential threats efficiently.

What Questions Should TPRM Professionals Ask to Vendors?

1. Which versions of pgAdmin are currently deployed within your infrastructure?
2. Have measures been taken to upgrade pgAdmin to version 8.4 or later?
3. What safeguards are in place to limit access to pgAdmin interfaces?
4. Are there monitoring systems to detect unusual network activities indicating potential exploitation?

Remediation Recommendations for Vendors

Vendors are urged to:

• Upgrade immediately to pgAdmin version 8.4 or later.
• Limit pgAdmin usage to trusted networks and restrict access.
• Implement a Web Application Firewall (WAF) to mitigate potential exploitation.
• Regularly monitor for signs of unauthorized access or exploitation attempts.

Leveraging Black Kite for CVE-2024-2044

Black Kite’s Focus Tag for CVE-2024-2044 empowers TPRM professionals to identify at-risk vendors and assets efficiently. The platform’s timely publication of this tag and its detailed asset risk information enables a targeted approach to vulnerability management, highlighting Black Kite’s commitment to actionable cyber risk intelligence.

EMPOWERING TPRM WITH BLACK KITE’S CUTTING-EDGE FOCUS TAGS?

Black Kite’s Focus Tags? revolutionize Third-Party Risk Management (TPRM) by converting complex cybersecurity challenges into actionable intelligence. This week, we underscore the significance of the PostgreSQL and pgAdmin vulnerabilities, highlighting how Black Kite’s innovative Focus Tags? play a pivotal role in:

• Dynamic Detection: Rapidly identifying vendors and assets at risk due to emerging vulnerabilities.
• Risk Strategy Optimization: Providing vital data to prioritize actions based on the severity of the threat and the critical role of affected vendors.
• Facilitating Strategic Dialogues: Enabling precise, informed conversations with vendors about specific vulnerabilities impacting their systems.
• Enhancing Security Postures: Broadening the perspective on cybersecurity threats to fortify defenses against sophisticated cyber attacks.

By integrating Black Kite’s Focus Tags? into your TPRM strategy, you gain a powerful ally in navigating the complex cybersecurity terrain, ensuring a proactive stance against threats and safeguarding your digital ecosystem against the unforeseen challenges of tomorrow.

FOCUS TAGS? IN THE LAST 30 DAYS:

• PostgreSQL: CVE-2024-1597, SQL Injection Vulnerability in PostgreSQL JDBC Driver.
• pgAdmin: CVE-2024-2044, Path Traversal Vulnerability, RCE Vulnerability in pgAdmin 8.3 and before.
• FortiClient EMS: CVE-2023-48788, SQL Injection Vulnerability in Fortinet’s FortiClient Endpoint Management Server
• FortiOS SSL VPN: CVE-2024-21762, A Out-of-Bounds Write Vulnerability in FortiOS [Tag updated]
• Outlook RCE: CVE-2023-36439, RCE Vulnerability in Microsoft Exchange Server
• Change Healthcare Client
• JetBrains TeamCity: CVE-2023-42793, Authentication Bypass in JetBrains TeamCity CI/CD Servers; CVE-2024-27198, Authentication Bypass Vulnerability [Tag Updated]
• ScreenConnect:CVE-2024-1709, Authentication Bypass Vulnerability
• Cisco ASA [Suspected]CVE-2020-3259, Information Disclosure Vulnerability
• Exchange Server:CVE-2024-21410,Privilege Elevation Vulnerability
• QNAP QTS:CVE-2023-47218, CVE-2023-50358, OS Command Injection Vulnerability
• Symantec MG [Suspected]:CVE-2024-23615, CVE-2024-23614, Buffer Overflow Vulnerability (Remote Code Execution)
• FortiOS SSL VPN [Suspected]:CVE-2024-22024, An Out-of-Bounds Write Vulnerability
• RoundCube [Suspected] :CVE-2023-43770, Stored-XSS Vulnerability [Updated]
• Citrix ADC/Gateway:CVE-2023-6549 [Updated], Buffer Overflow Vulnerability
• Ivanti EPMM:CVE-2023-35082 [Updated], Authentication Bypass Vulnerability
• GoAnywhere [Suspected]:CVE-2024-0204, Authentication Bypass Vulnerability
• Redis RCE: CVE-2023-41056, Remote Code Execution Vulnerability

REFERENCES:

• https://github.com/pgjdbc/pgjdbc/security/advisories/GHSA-24rp-q3w6-vc56
• https://github.com/pgadmin-org/pgadmin4/issues/7258