Authenticated RCE via Patroni HTTP REST API #1734
Comments
|
I will disappoint you, but you haven't discovered anything new. First of all it is possible to protect the REST API with basic auth and/or tls, optionally check client key: https://patroni.readthedocs.io/en/latest/SETTINGS.html#rest-api. This "vulnerability" is more or less the same as using COPY TO PROGRAM when you have postgres credentials. And maybe a few words about why basic auth is not enabled by default:
|
|
Thanks for the quick and so useful response, @CyberDem0n ! Well, you didn't disappoint me. I found no mentions about this ability before my research - if it is so obvious as COPY TO PROGRAM, why I could not find any publications about this 'feature'? So, I think it is still useful :) Authentication is Ok (and I agree with your words about default passwords) but seems like people neglect reading documentation and prefer to use ymls you provide by default. This is my own experience and I don't really think everyone has their HTTP API without auth. Just to note. And thanks for mentioning the Security Considerations page - I am in touch with its author. Of course, I read it before submitting the issue. Could you please tell me more about the precedence of local configs over global configuration? Do you mean that this is enough to set 'archive_command' in yml to mitigate this technique? |
|
It is enough to put the following in the config.yam: postgresql:
parameters:
archive_mode: on
archive_command: ...The same applies to restore_command and archive_cleanup_command. In order to change the global configuration one don't even need to use the rest api, writing directly to the config key in DCS will produce exactly the same effect. |
|
Yep, this one, I know :) Ok, to summarize. You don't consider this RCE as vulnerability (1), but if we want to protect ourselves from this 'feature', we could predefine secure *_command parameters in ymls (2). Is that correct? Finally, should we mention such details as sudden RCE somewhere in documentation? At least, COPY FROM is documented and explained, and some security boundaries exist to prevent malicious use. Thanks for answers, @CyberDem0n ! |
|
Both correct. |
|
You prevented me from opening the new issue :D With your permission, I will list here my last thoughts. If you don't agree, I think you could just close this issue, because no consensus (ha-ha, such a nice word for HA solution security discussion!) is possible. Let's start from the beginning. We have the Authenticated RCE, which potentially allows a remote attacker to compromise all cluster members. If we don't consider this as 'vulnerability', let's compare this 'feature' with PostgreSQL's 'COPY FROM PROGRAM' you mentioned here before. Which functions are used for RCE?
Is this a regular functionality?
What is the possible impact of RCE?
Who knows about potential malicious use?
Could we prevent RCE with user policies?
Could we manage authenticated access on the network level?
To summarize, what do affected products offer to mitigate possible security issues?
So, where PostgreSQL with their 'controversial' COPY command offers the community many ways to prevent possible malicious use and minimize the possible impact with well-defined and documented security boundaries (and that is why COPY FROM PROGRAM 'feature' is not considered as a vulnerability), Patroni offers nothing, but hardcoding insecure values in config files and keeps their users uninformed about the problem and solution. I understand that this is a very hard question to consider this behavior as vulnerability or not, that's why I will not interfere if you decide to close this issue. But I think that it would be the right thing to inform your users about possible security troubles at least, or - I don't hope on that - make your software much secured by default. Thanks! |
|
In postgres the superuser is allowed to do anything. It doesn't need to have In Patroni there is no need to have flexible roles system. There is simply no demand for allowing certain users to have more permissions than others. Yes, Patroni allows changing postgres config file on all nodes, but it also allows to have REST API protected. Without having credentials you can't do anything. This is very similar to having superuser credentials in postgres. The minor difference is pg_hba.conf, which limits access on the network level. It is not hard to implement something similar in Patroni and by default reject access to non-GET endpoints. In any case I really appreciate the work you have done. Your points about documentation are absolutely fair, it could be improved, but I am not a good writer and also can't dedicate 100% of my time to support and develop Patroni. |
|
Thanks for the answer.
I don't deny that PostgreSQL superuser has necessary privileges as well I don't deny that there are ways to grant other users enough privileges to execute OS commands via specially crafted queries. I just note that PostgreSQL offers some security boundaries to make such conditions more secure. I mean user policy, mostly.
The word "Authenticated" I used in "Authenticated RCE" means that attacker needs to be authenticated before code execution. How can you see, I don't state that there is any way to execute code without authentication.
Sounds good. I would offer you any help with such a good initiative, but I am afraid that I could break down the whole application with my dirty hands :)
Thanks for the nice words! |
|
Any contributions are always welcome! |
|
Good! So then let's keep this issue opened before I make a proper pull request. Thanks! |
If configured, only IPs that matching rules would be allowed to call unsafe endpoints. In addtition to that it is possible to automatically include IPs of members of the cluster to the list. If neither of the above is configured the old behavior is retained. Partially address #1734
If configured, only IPs that matching rules would be allowed to call unsafe endpoints. In addition to that, it is possible to automatically include IPs of members of the cluster to the list. If neither of the above is configured the old behavior is retained. Partially address #1734
|
здравствуйте не подскажите как работает kerberos Postgres в кластере с patroni и будет ли обращение к базе работать через haproxy |
Hello,
Seems like there is a way to compromise Patroni nodes with RCE in HTTP REST API. I placed a short write-up in my blog, you will find it here: https://illegalbytes.com/2020-10-14/patroni-remote-code-execution/
Changing the PostgreSQL configuration file with PATCH requests to Patroni HTTP API allows a remote authenticated* attacker to execute arbitrary OS commands. I placed the asterisk near the word 'authenticated' because most of the Patroni clusters I have met in my everyday work had no authentication enabled at least at one node, which potentially makes the whole cluster vulnerable to RCE.
This is only my thoughts, and I haven't checked this yet, but even if you have HTTP REST API authentication enabled on each node, this is still possible to compromise all cluster nodes if you have valid credentials at least for one of them.
I don't have enough experience with Patroni, so, I hope you will help me to determine the possible impact and - which is more important - mitigation.
Thanks!
The text was updated successfully, but these errors were encountered: