Re: [OT] Microsoft: Kubernetes clusters hacked in malware campaign via PostgreSQL

Поиск

Список

Период

Сортировка

От	Magnus Hagander
Тема	Re: [OT] Microsoft: Kubernetes clusters hacked in malware campaign via PostgreSQL
Дата	10 января 2023 г. 18:07:17
Msg-id	CABUevEzmWBcpMr_VLqUyWSsuGcOmYX9y+hCptu9aJ+VfN2Ccrg@mail.gmail.com обсуждение исходный текст
Ответ на	Re: [OT] Microsoft: Kubernetes clusters hacked in malware campaign via PostgreSQL (Pavel Borisov <pashkin.elfe@gmail.com>)
Ответы	Re: [OT] Microsoft: Kubernetes clusters hacked in malware campaign via PostgreSQL Re: [OT] Microsoft: Kubernetes clusters hacked in malware campaign via PostgreSQL
Список	pgsql-bugs

Дерево обсуждения

On Tue, Jan 10, 2023 at 4:00 PM Pavel Borisov <pashkin.elfe@gmail.com> wrote:

On Tue, 10 Jan 2023 at 17:54, Jeffrey Walton <noloader@gmail.com> wrote:
>
> On Tue, Jan 10, 2023 at 9:46 AM Magnus Hagander <magnus@hagander.net> wrote:
> >
> > On Tue, Jan 10, 2023, 15:42 Jeffrey Walton <noloader@gmail.com> wrote:
> >>
> >> https://www.bleepingcomputer.com/news/security/microsoft-kubernetes-clusters-hacked-in-malware-campaign-via-postgresql/
> >
> > I think the most impressive part in that article is that they found and linked to the postgresql 7 documentation...
>
> It looks like the article used an older version of the docs because
> the link is broken for the newer version. When following the link to
> the latest version of the docs, its results in a "Page not found".

The page simply doesn't exist, because the information is sperad out across multiple places. There is indeed a bug in that a link is generated to /current/ even if that page does not exist. But the information that's on there is also wildly out of date. This page was removed from the documentation in 2001, over 20 years ago. Linking to such obsolete pages in an article from 2023 doesn't exactly inspire confidence.

I wonder what was the vulnerability in Postgres that enabled "hackers"
to run malware? I've read the article and the linked ones and found no
causative link between Postgres and malware inside. Sorry, it seems
like baseless warnings, not a description of vulnerability. Maybe I
haven't got something?

There is no vulnerability in postgres. They are exploiting incorrectly *configured* postgres instances that allow unauthenticated users to log in as superuser, which by definition means the system is configured to allow arbitrary users to upload and run arbitrary code -- which they did. Similar to leaving the ssh port open to the world for a user with a default name and no password.

Magnus Hagander
Me: https://www.hagander.net/
Work: https://www.redpill-linpro.com/

В списке pgsql-bugs по дате отправления:

Предыдущее

От: Pavel Borisov
Дата: 10 января 2023 г., 17:59:42
Сообщение: Re: [OT] Microsoft: Kubernetes clusters hacked in malware campaign via PostgreSQL

Следующее

От: Tom Lane
Дата: 10 января 2023 г., 18:09:54
Сообщение: Re: BUG #17740: Connecting postgresql 13 with different psql versions

Вход в личный кабинет

Восстановление пароля

Подтверждение аккаунта

Изменение пароля

Re: [OT] Microsoft: Kubernetes clusters hacked in malware campaign via PostgreSQL

Предыдущее

Следующее