CVE-2021-41558

CVSS score: 9.8 CRITICAL

📋 TL;DR

CVE-2021-41558 is a critical vulnerability in the set_user extension for PostgreSQL that allows attackers to bypass the security controls set_user enforces through ProcessUtility_hook by using the set_config function, which is not routed through that hook. It affects PostgreSQL databases using set_user extension versions before 3.0.0. Attackers could potentially execute arbitrary SQL commands with elevated privileges.

💻 Affected Systems

Products:
  • PostgreSQL set_user extension
Versions: All versions before 3.0.0
Operating Systems: All operating systems running PostgreSQL with set_user extension
Default Config Vulnerable: ⚠️ Yes
Notes: Only affects PostgreSQL installations where the set_user extension is installed and enabled.

⚠️ Risk & Real-World Impact

🔴 Worst Case: Full database compromise allowing data theft, modification, or destruction, and potential privilege escalation to database superuser or operating system access.

🟠 Likely Case: Unauthorized data access, privilege escalation within the database, and bypass of security controls implemented through ProcessUtility_hook.

🟢 If Mitigated: Limited impact if proper network segmentation, least privilege access, and additional security layers are in place.

🌐 Internet-Facing: HIGH - Internet-facing PostgreSQL instances with set_user extension are directly exploitable.
🏢 Internal Only: HIGH - Internal attackers or compromised accounts can exploit this to bypass security controls.

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ✅ No
Complexity: LOW

Exploitation requires database access credentials, but the bypass technique is straightforward once authenticated.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 3.0.0 and later

Vendor Advisory: https://github.com/pgaudit/set_user/releases/tag/REL3_0_0

Restart Required: Yes

Instructions:

1. Back up your database.
2. Download set_user extension version 3.0.0 or later from GitHub.
3. Replace the existing set_user extension files.
4. Restart the PostgreSQL service.
5. Verify the extension version with: SELECT * FROM pg_available_extensions WHERE name = 'set_user';

Note: replacing the files only changes the available default version. The installed_version reported for a database changes after ALTER EXTENSION set_user UPDATE; (or after dropping and re-creating the extension) in that database, so run that in every database where set_user is installed before relying on the verification query.

🔧 Temporary Workarounds

Disable set_user extension (platform: all)

Temporarily disable the vulnerable extension until patching is possible. Run this in every database where the extension is installed; note that it removes the set_user() function itself, so anything that depends on set_user for controlled privilege escalation stops working until the patched version is installed:

DROP EXTENSION IF EXISTS set_user;

Restrict database access (platform: all)

Limit database connections to only trusted sources and users:

# Configure pg_hba.conf to restrict access
# Example: host all all 192.168.1.0/24 md5

🧯 If You Can't Patch

  • Implement strict network access controls to limit database connections
  • Apply principle of least privilege to all database user accounts

🔍 How to Verify

Check if Vulnerable:

Connect to PostgreSQL and run (a textual comparison such as installed_version < '3.0.0' is unreliable once a version component reaches two digits, so compare the major version numerically; any row returned means a vulnerable version is installed in this database):

SELECT name, installed_version FROM pg_available_extensions WHERE name = 'set_user' AND installed_version IS NOT NULL AND split_part(installed_version, '.', 1)::int < 3;

Check Version:

SELECT * FROM pg_available_extensions WHERE name = 'set_user';

Verify Fix Applied:

Run: SELECT name, installed_version FROM pg_available_extensions WHERE name = 'set_user' AND split_part(installed_version, '.', 1)::int >= 3;

A row is returned only when a fixed version is installed in the current database; no row means either that the extension is not installed there or that the installed version is still below 3.0.0, so use the Check Version query to tell the two apart.

📡 Detection & Monitoring

Log Indicators:

  • Unusual set_config function calls
  • Privilege escalation attempts
  • Unexpected ProcessUtility_hook bypass events

Network Indicators:

  • Unusual database connection patterns
  • SQL injection attempts targeting set_user functions

SIEM Query:

SELECT * FROM postgres_logs WHERE (message LIKE '%set_user%' OR message LIKE '%set_config%') AND severity IN ('ERROR', 'FATAL');

The parentheses matter: AND binds tighter than OR, so without them the query returns every message mentioning set_user regardless of severity. With the severity filter this query surfaces commands that set_user's hook rejected; a successful bypass through set_config raises no error, so also review LOG-level statement lines (log_statement = 'all') for set_config calls.
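The log indicators above are most useful when correlated per backend: a set_config() call from a session that has escalated with set_user() or set_user_u() and has not yet called reset_user() is the pattern worth flagging. The following script is an added example, not part of this advisory or of the set_user project; it assumes log_statement = 'all' and log_line_prefix = '%m [%p] %u@%d ', and runs over a constructed sample log.

```python
import re

# Assumed postgresql.conf settings (not from the advisory):
#   log_statement = 'all'
#   log_line_prefix = '%m [%p] %u@%d '
LINE_RE = re.compile(
    r"^(?P<ts>\S+ \S+ \S+) \[(?P<pid>\d+)\] (?P<user>[^@\s]+)@(?P<db>\S+) "
    r"LOG:\s+statement: (?P<sql>.*)$"
)
SET_USER_RE = re.compile(r"\bset_user(?:_u)?\s*\(", re.IGNORECASE)
RESET_USER_RE = re.compile(r"\breset_user\s*\(", re.IGNORECASE)
SET_CONFIG_RE = re.compile(r"\bset_config\s*\(\s*'(?P<guc>[^']+)'", re.IGNORECASE)


def find_escalated_set_config(log_text):
    """Flag set_config() calls made by a backend (pid) that is still escalated
    through set_user()/set_user_u() and has not yet called reset_user().
    Returns one dict per suspicious statement, in log order."""
    escalated = {}  # pid -> timestamp of the set_user() call
    hits = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # not a statement line (or a different prefix format)
        pid, sql = m["pid"], m["sql"]
        if RESET_USER_RE.search(sql):
            escalated.pop(pid, None)  # privileges dropped again
        elif SET_USER_RE.search(sql):
            escalated[pid] = m["ts"]
        elif pid in escalated:
            c = SET_CONFIG_RE.search(sql)
            if c:
                hits.append({"ts": m["ts"], "pid": pid, "user": m["user"],
                             "db": m["db"], "guc": c["guc"].lower(),
                             "escalated_at": escalated[pid]})
    return hits


# Constructed sample log: backend 4711 escalates, calls set_config, then resets;
# backend 4712 calls set_config without ever escalating (not flagged).
SAMPLE_LOG = """\
2021-10-05 10:00:01.123 UTC [4711] app@prod LOG:  statement: SELECT set_user('postgres');
2021-10-05 10:00:02.456 UTC [4711] app@prod LOG:  statement: SELECT set_config('search_path', 'x', false);
2021-10-05 10:00:03.000 UTC [4712] report@prod LOG:  statement: SELECT set_config('search_path', 'r', true);
2021-10-05 10:00:04.000 UTC [4711] app@prod LOG:  statement: SELECT reset_user();
2021-10-05 10:00:05.000 UTC [4711] app@prod LOG:  statement: SELECT set_config('work_mem', '64MB', false);
"""
```

Running find_escalated_set_config(SAMPLE_LOG) flags only the second line (pid 4711, search_path); the later set_config after reset_user() and the unescalated backend 4712 are ignored.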
