ZDI-11-102: PostgreSQL Plus Advanced Server DBA Management Server Remote Authentication Bypass Vulnerability

http://www.zerodayinitiative.com/advisories/ZDI-11-102

March 2, 2011

-- CVSS:
10, (AV:N/AC:L/Au:N/C:C/I:C/A:C)

-- Affected Vendors:
Postgres

-- Affected Products:
Postgres Plus SQL 


-- Vulnerability Details:
This vulnerability allows remote attackers to execute arbitrary code on
vulnerable installations of Postgres Plus Advanced Server DBA Management
Server. Authentication is not required to exploit this vulnerability. 

The flaw exists within the DBA Management Server component which listens
by default on TCP ports 9000 and 9363. When handling client
authentication the server does not properly enforce restrictions on
accessing the jmx-console or web-console directly. These consoles allow
arbitrary instantiation of classes. A remote attacker can exploit this
vulnerability to execute arbitrary code under the context of the
server.


-- Vendor Response:
Postgres states:

SUBJECT: EnterpriseDB Technical Alert for Postgres Plus Advanced Server
(DBA Management Server - Build 39) #20110209.01

TECHNICAL ALERT STATUS
========================

Status: Critical

Critical - this update fixes a potential security threat, a possible
data corruption, calculation, search set, or other function that may
lead to inaccurate results. The update should be applied at the earliest
possible time as it may affect a large number of users.

Recommended - this update fixes non-critical issues that may impede
general usage and require undesirable work-arounds affecting a limited
number of users. The update is recommended to be applied when
convenient.

Informational - this update is informational only for non-critical
issues. No software update or patch needs to be applied and issues may
be addressed in the field using the specified version currently
installed.

WHAT IS IN THIS ALERT
=====================
This Technical Alert is notifying you of a software update that
addresses the DBA Management Server module shipped with Postgres Plus
Advanced Server v8.4 (8.4.x.x).

The software update contains the fix for a vulnerability that allows
remote attackers to execute arbitrary code on vulnerable installations
of Postgres Plus Advanced Server v8.4 DBA Management Server. The flaw
existed due to a management feature in JBoss - the application server
used by DBA Management Server. The default JBoss configuration does not
properly enforce restrictions on accessing the jmx-console or
web-console directly, when handling client authentication to the server.
These consoles allow arbitrary instantiation of classes. A remote
attacker can exploit this vulnerability to execute arbitrary code under
the context of the server.

JBoss provides a mechanism to restrict access to these resources, which
has been used to fix this vulnerability.

This update only updates the DBA Management Server files (Build 39). The
core database server engine version remains unchanged.

ACKNOWLEDGEMENT
===================
Discovery of this vulnerability is credited to AbdulAziz Hariri and
TippingPoints Zero Day Initiative.

IS THIS ALERT FOR ME?
====================
This alert is for customers using:

- Postgres Plus Advanced Server version: 8.4.x.x
- DBA Management Server

HOW TO GET THE UPDATE AND APPLY IT
==================================

This update is available through the Postgres Plus Advanced Server -
StackBuilder Plus Module only.

Please perform the following steps in order to update your DBA
Management Server for Postgres Plus Advanced Server. It is recommended
that you backup your files before performing the upgrade.

1. Right-Click on the System tray icon (PostgreSQL Elephant) and select
'Install Updates'.
OR
Run StackBuilder Plus directly from the Application Menu. The update
will automatically be selected and displayed in bold.

2. Click Next and choose the download directory (where the update will
be downloaded).

3. The installation program will start once the download is complete.

HOW TO RESTORE THE ORIGINAL VERSION
===================================

In order to restore to the original version, run the PPAS 8.4 SP1
(8.4.5.18) meta-installer and select only the DBA Management Server in
the component selection screen. This will restore the component to
Build38.

TROUBLESHOOTING
=================

If you experience any problems applying the upgrade or restoring the old
version after applying the upgrade, please contact Technical Support
at:

Email: support@enterprisedb.com
Phone: +1-732-331-1320 or 1-800-235-5891 (US Only)
Submit a Support ticket at:
http://www.enterprisedb.com/products/support/overview

-- Disclosure Timeline:
2011-01-04 - Vulnerability reported to vendor
2011-03-02 - Coordinated public release of advisory

-- Credit:
This vulnerability was discovered by:
    * AbdulAziz Hariri

-- About the Zero Day Initiative (ZDI):
Established by TippingPoint, The Zero Day Initiative (ZDI) represents 
a best-of-breed model for rewarding security researchers for responsibly
disclosing discovered vulnerabilities.

Researchers interested in getting paid for their security research
through the ZDI can find more information and sign-up at:

    http://www.zerodayinitiative.com

The ZDI is unique in how the acquired vulnerability information is
used. TippingPoint does not re-sell the vulnerability details or any
exploit code. Instead, upon notifying the affected product vendor,
TippingPoint provides its customers with zero day protection through
its intrusion prevention technology. Explicit details regarding the
specifics of the vulnerability are not exposed to any parties until
an official vendor patch is publicly available. Furthermore, with the
altruistic aim of helping to secure a broader user base, TippingPoint
provides this vulnerability information confidentially to security
vendors (including competitors) who have a vulnerability protection or
mitigation product.

Our vulnerability disclosure policy is available online at:

    http://www.zerodayinitiative.com/advisories/disclosure_policy/

Follow the ZDI on Twitter:

    http://twitter.com/thezdi