CVE-2023-41119
📋 TL;DR
This vulnerability in EnterpriseDB Postgres Advanced Server allows authenticated database users to escalate their privileges to superuser level by exploiting the _dbms_aq_move_to_exception_queue function. It affects all EPAS versions before specific patched releases across multiple major versions. Attackers can gain full database control and potentially compromise the entire database system.
💻 Affected Systems
- EnterpriseDB Postgres Advanced Server (EPAS)
⚠️ Risk & Real-World Impact
Worst Case
Complete database compromise with superuser access leading to data theft, data destruction, and potential lateral movement to connected systems.
Likely Case
Privilege escalation allowing attackers to bypass access controls, modify data, and execute arbitrary SQL commands as superuser.
If Mitigated
Limited impact if proper network segmentation, least privilege access, and monitoring are in place to detect privilege escalation attempts.
🎯 Exploit Status
Exploitation requires authenticated database access but is straightforward once authenticated. The vulnerability details are publicly disclosed.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: EPAS 11.21.32, 12.16.20, 13.12.16, 14.9.0, 15.4.0 or later
Vendor Advisory: https://www.enterprisedb.com/docs/security/advisories/cve202341119/
Restart Required: Yes
Instructions:
1. Download the appropriate patched version from EnterpriseDB.
2. Backup your database.
3. Stop the EPAS service.
4. Apply the patch or upgrade to the fixed version.
5. Restart the EPAS service.
6. Verify the patch is applied.
🔧 Temporary Workarounds
Revoke function access
Remove execute permissions from the vulnerable function for non-superuser accounts
REVOKE EXECUTE ON FUNCTION _dbms_aq_move_to_exception_queue FROM PUBLIC;
REVOKE EXECUTE ON FUNCTION _dbms_aq_move_to_exception_queue FROM [specific_users];
Disable Advanced Queuing extension
Remove or disable the Advanced Queuing extension if not required
DROP EXTENSION IF EXISTS dbms_aq;
🧯 If You Can't Patch
- Implement strict network access controls to limit database connections to trusted sources only
- Enforce principle of least privilege for all database accounts and regularly audit user permissions
🔍 How to Verify
Check if Vulnerable:
Check EPAS version: SELECT version(); and compare against affected versions. Also check if function exists: SELECT proname FROM pg_proc WHERE proname = '_dbms_aq_move_to_exception_queue';
Check Version:
SELECT version();
Verify Fix Applied:
Verify version is patched: SELECT version(); should show 11.21.32+, 12.16.20+, 13.12.16+, 14.9.0+, or 15.4.0+. Executing the function as a non-superuser should fail.
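Audit query for the REVOKE workaround and the function-existence check above. This is an added example, not taken from the vendor advisory; it uses only standard PostgreSQL catalogs and assumes it is run as a superuser in each database of the cluster, since pg_proc is per-database.

```sql
-- Added example: who can still execute the function named in this advisory?

-- 1. Raw ACL for every overload of the function.
--    No rows: the function is not present in this database.
--    NULL proacl: no explicit GRANT/REVOKE has been recorded, so the built-in
--    default applies, and that default gives EXECUTE to PUBLIC.
SELECT p.oid::regprocedure          AS function_signature,
       pg_get_userbyid(p.proowner)  AS owner,
       COALESCE(p.proacl::text,
                'NULL (default: PUBLIC may EXECUTE)') AS acl
FROM   pg_proc p
WHERE  p.proname = '_dbms_aq_move_to_exception_queue';

-- 2. Effective privilege: every non-superuser role that can still call it,
--    whether through PUBLIC, a direct grant, or membership in another role.
--    After the REVOKE workaround this should return zero rows.
SELECT p.oid::regprocedure AS function_signature,
       r.rolname,
       r.rolcanlogin
FROM   pg_proc p
CROSS  JOIN pg_roles r
WHERE  p.proname = '_dbms_aq_move_to_exception_queue'
  AND  NOT r.rolsuper
  AND  has_function_privilege(r.oid, p.oid, 'EXECUTE')
ORDER  BY function_signature, r.rolname;
```

Any role returned by the second query still needs an explicit REVOKE, or inherits the privilege from a role that does.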
📡 Detection & Monitoring
Log Indicators:
- Failed or successful attempts to execute _dbms_aq_move_to_exception_queue function by non-superusers
- Unexpected privilege escalation events
- Suspicious DML operations from non-privileged accounts
Network Indicators:
- Unusual database connection patterns or authentication attempts
SIEM Query:
source="postgresql.log" AND ("_dbms_aq_move_to_exception_queue" OR "privilege escalation" OR "superuser")
Restrict matches to sessions from non-admin accounts.