CVE-2021-38140
📋 TL;DR
CVE-2021-38140 is a privilege escalation vulnerability in the set_user extension for PostgreSQL. It allows authenticated database users to escalate privileges using RESET SESSION AUTHORIZATION after set_user(), potentially gaining superuser access. This affects PostgreSQL installations using the set_user extension before version 2.0.1.
💻 Affected Systems
- PostgreSQL set_user extension
📦 What is this software?
Set User by Set User Project
⚠️ Risk & Real-World Impact
Worst Case
An authenticated attacker gains full superuser privileges on the PostgreSQL database, allowing complete control over all data, ability to execute arbitrary code, and potential lateral movement to the underlying operating system.
Likely Case
Privileged database users escalate to superuser privileges, enabling data theft, modification, or destruction across all databases on the instance.
If Mitigated
With proper access controls and network segmentation, impact is limited to the compromised database instance without lateral movement to other systems.
🎯 Exploit Status
Exploitation requires authenticated database access. The vulnerability is well-documented in the patch commits and security advisories.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 2.0.1
Vendor Advisory: https://github.com/pgaudit/set_user/releases/tag/REL2_0_1
Restart Required: Yes
Instructions:
1. Download set_user extension version 2.0.1 or later from GitHub.
2. Replace the existing set_user files with the new version.
3. Recompile and reinstall the extension.
4. Restart the PostgreSQL service.
5. Verify that the extension loads correctly.
🔧 Temporary Workarounds
Disable set_user extension
Remove or disable the vulnerable set_user extension from PostgreSQL
DROP EXTENSION IF EXISTS set_user;
ALTER DATABASE database_name SET session_preload_libraries = '';
Restrict user privileges
Limit which users can execute the set_user functions
REVOKE EXECUTE ON FUNCTION set_user(text) FROM PUBLIC;
REVOKE EXECUTE ON FUNCTION set_user(text, text) FROM PUBLIC;
🧯 If You Can't Patch
- Implement strict network segmentation to isolate PostgreSQL instances
- Enforce principle of least privilege for all database users and applications
🔍 How to Verify
Check if Vulnerable:
Check which set_user version is available on disk: SELECT * FROM pg_available_extensions WHERE name = 'set_user';
Check Version:
SELECT extversion FROM pg_extension WHERE extname = 'set_user';
Verify Fix Applied:
Verify that the installed set_user version is 2.0.1 or later: SELECT extversion FROM pg_extension WHERE extname = 'set_user';
📡 Detection & Monitoring
Log Indicators:
- Multiple RESET SESSION AUTHORIZATION commands in quick succession
- Unexpected privilege escalation attempts
- set_user function calls followed by RESET commands
Network Indicators:
- Unusual database connection patterns from authenticated users
- Multiple privilege change requests in short timeframes
SIEM Query:
source="postgresql" AND ("RESET SESSION AUTHORIZATION" OR "set_user") | stats count by user, src_ip
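The log indicator above (a set_user() call followed by RESET SESSION AUTHORIZATION in the same backend) can be checked offline against PostgreSQL statement logs. The following is an added example, not part of this advisory or of the set_user project; the log lines are constructed and assume log_statement = 'all' with a log_line_prefix of '%m [%p] user=%u,db=%d '. A session that returns via reset_user() is treated as benign.

```python
import re

# Constructed sample log lines (not from the page); format assumes
# log_line_prefix = '%m [%p] user=%u,db=%d ' and log_statement = 'all'.
SAMPLE_LOG = """\
2021-08-05 10:00:01.000 UTC [4711] user=app,db=prod LOG:  statement: SELECT set_user('postgres');
2021-08-05 10:00:02.000 UTC [4711] user=app,db=prod LOG:  statement: RESET SESSION AUTHORIZATION;
2021-08-05 10:00:03.000 UTC [4711] user=app,db=prod LOG:  statement: ALTER USER app SUPERUSER;
2021-08-05 10:01:00.000 UTC [4712] user=dba,db=prod LOG:  statement: SELECT set_user('postgres');
2021-08-05 10:01:05.000 UTC [4712] user=dba,db=prod LOG:  statement: SELECT reset_user();
2021-08-05 10:02:00.000 UTC [4713] user=app,db=prod LOG:  statement: RESET SESSION AUTHORIZATION;
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+ \S+ \S+) \[(?P<pid>\d+)\] user=(?P<user>[^,]+),db=(?P<db>\S+) "
    r"LOG:\s+statement: (?P<stmt>.*)$"
)
SET_USER_RE = re.compile(r"\bset_user(_u)?\s*\(", re.IGNORECASE)
RESET_USER_RE = re.compile(r"\breset_user\s*\(", re.IGNORECASE)
RESET_AUTH_RE = re.compile(r"\bRESET\s+SESSION\s+AUTHORIZATION\b", re.IGNORECASE)


def find_escalations(log_text):
    """Return (pid, user, timestamp) for every backend that called set_user()
    and then issued RESET SESSION AUTHORIZATION without a reset_user() first."""
    open_sessions = {}  # pid -> True while a set_user() switch is still active
    alerts = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # not a statement line in the assumed prefix format
        pid, stmt = m["pid"], m["stmt"]
        if SET_USER_RE.search(stmt):
            open_sessions[pid] = True
        elif RESET_USER_RE.search(stmt):
            open_sessions.pop(pid, None)  # legitimate return via reset_user()
        elif RESET_AUTH_RE.search(stmt) and open_sessions.pop(pid, None):
            alerts.append((pid, m["user"], m["ts"]))
    return alerts


if __name__ == "__main__":
    for pid, user, ts in find_escalations(SAMPLE_LOG):
        print(f"ALERT pid={pid} user={user} at {ts}: RESET SESSION AUTHORIZATION after set_user()")
```

Only backend 4711 is flagged: 4712 returned through reset_user(), and 4713 issued RESET SESSION AUTHORIZATION without any prior set_user() call.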