CVE-2015-3167
📋 TL;DR
This vulnerability in PostgreSQL's pgcrypto extension leaks information through different error responses when incorrect encryption keys are used. Attackers can exploit this timing side-channel to perform brute-force attacks and potentially recover encryption keys. Affects PostgreSQL installations using pgcrypto with vulnerable versions.
💻 Affected Systems
- PostgreSQL
📦 What is this software?
Postgresql by Postgresql
Postgresql by Postgresql
Postgresql by Postgresql
Postgresql by Postgresql
Postgresql by Postgresql
Ubuntu Linux by Canonical
Ubuntu Linux by Canonical
Ubuntu Linux by Canonical
Ubuntu Linux by Canonical
⚠️ Risk & Real-World Impact
Worst Case
Attackers recover encryption keys, decrypt sensitive data stored in PostgreSQL, and potentially access other systems using compromised credentials.
Likely Case
Attackers with database access perform offline brute-force attacks against encrypted data, potentially decrypting sensitive information over time.
If Mitigated
With network isolation and proper access controls, risk is limited to authenticated attackers with database access performing time-consuming attacks.
🎯 Exploit Status
Exploitation requires database access and ability to perform encryption operations. The timing attack is well-understood and could be automated.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: PostgreSQL 9.0.20, 9.1.16, 9.2.11, 9.3.7, or 9.4.2
Vendor Advisory: http://www.postgresql.org/about/news/1587/
Restart Required: Yes
Instructions:
1. Backup your PostgreSQL database. 2. Stop PostgreSQL service. 3. Upgrade to patched version using your distribution's package manager. 4. Restart PostgreSQL service. 5. Verify pgcrypto functions correctly.
🔧 Temporary Workarounds
Disable pgcrypto extension
allRemove or disable the pgcrypto extension if not required
DROP EXTENSION pgcrypto;
Network isolation
allRestrict database access to trusted networks only
Configure pg_hba.conf to restrict connections
Use firewall rules to limit PostgreSQL port access
🧯 If You Can't Patch
- Implement strong authentication and limit database access to essential users only
- Monitor for unusual database activity and failed authentication attempts
🔍 How to Verify
Check if Vulnerable:
Check PostgreSQL version: SELECT version(); and verify if using affected version with pgcrypto extensionCheck Version:
psql -c 'SELECT version();'Verify Fix Applied:
Verify PostgreSQL version is 9.0.20, 9.1.16, 9.2.11, 9.3.7, 9.4.2 or later📡 Detection & Monitoring
Log Indicators:
- Multiple failed encryption/decryption operations
- Unusual pgcrypto function usage patterns
Network Indicators:
- Repeated database connections with encryption operations
- Unusual timing patterns in database responses
SIEM Query:
source="postgresql" AND (message="*pgcrypto*" OR message="*encrypt*" OR message="*decrypt*") AND count > threshold🔗 References
- http://ubuntu.com/usn/usn-2621-1
- http://www.debian.org/security/2015/dsa-3269
- http://www.debian.org/security/2015/dsa-3270
- http://www.postgresql.org/about/news/1587/
- http://www.postgresql.org/docs/9.0/static/release-9-0-20.html
- http://www.postgresql.org/docs/9.1/static/release-9-1-16.html
- http://www.postgresql.org/docs/9.2/static/release-9-2-11.html
- http://www.postgresql.org/docs/9.3/static/release-9-3-7.html
- http://www.postgresql.org/docs/9.4/static/release-9-4-2.html
- http://ubuntu.com/usn/usn-2621-1
- http://www.debian.org/security/2015/dsa-3269
- http://www.debian.org/security/2015/dsa-3270
- http://www.postgresql.org/about/news/1587/
- http://www.postgresql.org/docs/9.0/static/release-9-0-20.html
- http://www.postgresql.org/docs/9.1/static/release-9-1-16.html
- http://www.postgresql.org/docs/9.2/static/release-9-2-11.html
- http://www.postgresql.org/docs/9.3/static/release-9-3-7.html
- http://www.postgresql.org/docs/9.4/static/release-9-4-2.html
