Re: [OT] Microsoft: Kubernetes clusters hacked in malware campaign via PostgreSQL

From: Magnus Hagander
Subject: Re: [OT] Microsoft: Kubernetes clusters hacked in malware campaign via PostgreSQL
Msg-id: CABUevEzq6uv39wUyu=zBW6NezXvm25U3R4i9W5+_g28KWWqT7w@mail.gmail.com
In reply to: Re: [OT] Microsoft: Kubernetes clusters hacked in malware campaign via PostgreSQL (Jeffrey Walton <noloader@gmail.com>)
Responses: Re: [OT] Microsoft: Kubernetes clusters hacked in malware campaign via PostgreSQL
List: pgsql-bugs


On Tue, Jan 10, 2023 at 4:38 PM Jeffrey Walton <noloader@gmail.com> wrote:
> On Tue, Jan 10, 2023 at 10:20 AM Pavel Borisov <pashkin.elfe@gmail.com> wrote:
> > On Tue, 10 Jan 2023 at 18:07, Magnus Hagander <magnus@hagander.net> wrote:
> > > [ ...]
> > >> I wonder what was the vulnerability in Postgres that enabled "hackers"
> > >> to run malware? I've read the article and the linked ones and found no
> > >> causative link between Postgres and malware inside. Sorry, it seems
> > >> like baseless warnings, not a description of vulnerability. Maybe I
> > >> haven't got something?
>
> From the article Pavel linked to (below), it looks like PostgreSQL may
> suffer from CWE-521, Weak Password Requirements.
> Well designed systems today reject weak and wounded passwords out of
> the box. Users don't need to do something special to enjoy the
> benefit.

The default PostgreSQL installation on most platforms doesn't even allow password based logins. And it doesn't allow connections across the network at all. And it most definitely doesn't assign any weak default passwords.


> Now if a user pulls out the foot gun and disables strong password
> requirements, then the user created the misconfiguration and the user
> is at fault. If the user did nothing out of the ordinary, then I would
> look for a design flaw, like letting users use weak passwords in the
> first place.

The reference in the first article is to "trust" authentication, which is even worse than that -- it is explicitly asking postgres to "turn off all authentication".

The second article doesn't actually contain anything more than a guess that maybe the password was weak. But the core problem there seems more to be exposing the postgres port to the public with no restrictions at all - one should *never* do that with the database port, regardless of database. It is correct that postgres does not itself have any defence against a brute force attack if you use the built-in password auth (if you use an integrated authentication method, that of course depends on the method it's being integrated with, but for simple passwords it doesn't).

--
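As an added illustration of the two problems Magnus describes above (a "trust" rule that switches authentication off, and password authentication reachable from any address), not code from this thread or from PostgreSQL itself: a small audit of pg_hba.conf rules. Both sample configurations are constructed, and the 10.0.1.0/24 admin subnet is an assumed value.

```python
import ipaddress
PASSWORD_METHODS = {"password", "md5", "scram-sha-256"}

# Constructed sample of the pg_hba.conf shape the thread warns about:
# trust auth (no authentication) and password auth reachable from any address.
WEAK_HBA = """\
local   all   all                  trust
host    all   all   0.0.0.0/0      trust
host    all   all   ::/0           md5
"""
# Constructed hardened equivalent: OS-user auth locally, SCRAM from one assumed admin subnet only.
SAFE_HBA = """\
local   all   all                  peer
host    all   all   127.0.0.1/32   scram-sha-256
host    all   all   10.0.1.0/24    scram-sha-256
"""

def parse_rule(line):
    """Return (type, address or None, method) for one rule; None for blank or comment lines."""
    line = line.split("#", 1)[0].strip()
    if not line:
        return None
    f = line.split()
    if f[0] == "local":
        return "local", None, f[3]
    if "/" in f[3] or f[3] in ("all", "samehost", "samenet"):
        return f[0], f[3], f[4]              # CIDR or keyword address
    return f[0], f"{f[3]}/{f[4]}", f[5]      # address and netmask given as two fields

def is_world_open(address):
    """True when the rule matches every client address (0.0.0.0/0, ::/0 or 'all')."""
    if address == "all":
        return True
    try:
        return ipaddress.ip_network(address, strict=False).prefixlen == 0
    except ValueError:
        return False                         # hostname or other keyword: not judged here

def audit_hba(text):
    """Flag rules that switch authentication off or expose password auth to the whole world."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        rule = parse_rule(line)
        if rule is None:
            continue
        rtype, address, method = rule
        if method == "trust":
            findings.append((lineno, "trust: authentication is switched off for this rule"))
        elif rtype != "local" and method in PASSWORD_METHODS and is_world_open(address):
            findings.append((lineno, "password auth open to any address; postgres has no brute-force throttling"))
    return findings
```

Run it over a real pg_hba.conf with `audit_hba(open(path).read())`; an empty result means no rule of either kind was found, not that the port is unreachable (listen_addresses and firewalling live elsewhere).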
