CVE-2024-0985
📋 TL;DR
This PostgreSQL vulnerability allows an attacker who creates a materialized view to execute arbitrary SQL functions with the privileges of the user who runs REFRESH MATERIALIZED VIEW CONCURRENTLY. The attacker can lure a superuser or role member into refreshing their malicious view, enabling privilege escalation. Affected users include PostgreSQL administrators and users with refresh privileges on attacker-controlled views.
💻 Affected Systems
- PostgreSQL
📦 What is this software?
Postgresql by Postgresql
Postgresql by Postgresql
Postgresql by Postgresql
Postgresql by Postgresql
⚠️ Risk & Real-World Impact
Worst Case
Full database compromise: attacker gains superuser privileges, can read/modify/delete all data, create backdoors, and potentially execute operating system commands via PostgreSQL extensions.
Likely Case
Privilege escalation leading to unauthorized data access, data modification, or creation of persistent backdoors within the database.
If Mitigated
Limited impact if only non-privileged users refresh views, but still potential for data exposure within their access scope.
🎯 Exploit Status
Exploit requires attacker to create malicious materialized view and social engineer victim into refreshing it. Technical details and proof-of-concept are publicly available.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: PostgreSQL 16.2, 15.6, 14.11, 13.14, or 12.18
Vendor Advisory: https://www.postgresql.org/support/security/CVE-2024-0985/
Restart Required: Yes
Instructions:
1. Backup your PostgreSQL database
2. Stop PostgreSQL service
3. Upgrade to patched version using your distribution's package manager
4. Restart PostgreSQL service
5. Verify version with 'SELECT version();'
🔧 Temporary Workarounds
Restrict CREATE privileges
allLimit CREATE privilege on schemas to trusted users only to prevent attackers from creating malicious materialized views.
REVOKE CREATE ON SCHEMA schema_name FROM untrusted_user;
Restrict REFRESH privileges
allLimit REFRESH MATERIALIZED VIEW privileges to trusted administrators only.
REVOKE ALL ON MATERIALIZED VIEW view_name FROM untrusted_user;
🧯 If You Can't Patch
- Implement strict access controls: only allow trusted administrators to refresh materialized views and create objects in schemas.
- Monitor for suspicious REFRESH MATERIALIZED VIEW CONCURRENTLY commands, especially from non-administrative users or on unfamiliar views.
🔍 How to Verify
Check if Vulnerable:
Run 'SELECT version();' in PostgreSQL and compare against affected versions. If version is before 16.2, 15.6, 14.11, 13.14, or 12.18, system is vulnerable.Check Version:
SELECT version();Verify Fix Applied:
Run 'SELECT version();' and confirm version is 16.2, 15.6, 14.11, 13.14, 12.18 or later.📡 Detection & Monitoring
Log Indicators:
- REFRESH MATERIALIZED VIEW CONCURRENTLY commands on unfamiliar or recently created views
- Multiple failed refresh attempts followed by successful privileged operations
Network Indicators:
- Unusual database connections preceding REFRESH commands
- Pattern of view creation followed by refresh requests
SIEM Query:
source="postgresql.log" AND "REFRESH MATERIALIZED VIEW CONCURRENTLY" | stats count by user, view_name🔗 References
- https://lists.debian.org/debian-lts-announce/2024/03/msg00017.html
- https://saites.dev/projects/personal/postgres-cve-2024-0985/
- https://www.postgresql.org/support/security/CVE-2024-0985/
- https://lists.debian.org/debian-lts-announce/2024/03/msg00017.html
- https://saites.dev/projects/personal/postgres-cve-2024-0985/
- https://security.netapp.com/advisory/ntap-20241220-0005/
- https://www.postgresql.org/support/security/CVE-2024-0985/
