Disputed PostgreSQL bug exploited in cryptomining botnet

A newly discovered Linux-based cryptocurrency mining botnet exploited a disputed remote code execution (RCE) vulnerability in PostgreSQL – first disclosed in 2018 and initially assigned CVE-2019-9193 – in order to compromise database servers and co-opt them into the mining network, researchers at Palo Alto Networks’ Unit 42 team say.

Dubbed PGMiner by the research team of Xiao Zhang, Yang Ji, Jim Fitzgerald, Yue Chen and Claud Xiao, the botnet is thought to be the first cryptomining botnet delivered via PostgreSQL ever to be detected. The team said it was notable that malicious actors had started to weaponise not just confirmed CVEs, but disputed ones.

PostgreSQL, one of the most widely-used open source relational database management systems for production environments, has previously stated that CVE-2019-9193 is “not a security vulnerability” and that it was likely filed in error.

CVE-2019-9193 centres on the copy to/from program function which could allow superusers and users in the “ph_execute_server_program” group to execute arbitrary code in the context of the database’s operating system user – this functionality is enabled by default and could be abused to run arbitrary operating system (OS) commands on Windows, Linux and macOs.

However, according to PostgreSQL, this is not an issue because the functionality is working as intended. By design, it says, there exists no security boundary between a database super user and the OS that the server runs on and as such, by design the PostgreSQL server may not run as an OS superuser.

“We encourage all users of PostgreSQL to follow the best practice that is to never grant superuser access to remote or otherwise untrusted users. This is a standard security operating procedure that is followed in system administration and extends to database administration as well,” the firm said at the time.

“The main argument against defining the feature as a vulnerability is that the feature itself does not impose a risk as long as the superuser privilege is not granted to remote or untrusted users and the access control and authentication system works well,” wrote the Unit 42 research team in a disclosure announcement.

They continued: “On the other side, security researchers worry that this feature indeed makes PostgreSQL a stepping stone for remote exploit and code execution directly on the server’s OS beyond the PostgreSQL software, if the attacker manages to own the superuser privilege by brute-forcing password or SQL injection.

“While this CVE is still being disputed, malware authors apparently have started to use it to stay under the detection radar by making the attack payload fileless.”

In any case, the botnet has been able to exploit the copy from program feature to download and launch coin mining scripts. Note it is not currently detected by VirusTotal because the mining pool to which it attempted to connect is no longer active.

The team said PGMiner had been able to remain unnoticed for some time by exploiting the disputed vulnerability, and if it was further developed it could potentially be highly disruptive as PostgreSQL is so widely used, and with additional effort, it could be used to target all major operating systems. Further details can be found online.

Users of Palo Alto’s next-generation firewall are already protected against PGMiner, while other PostgreSQL users can mitigate the issue by removing the “pg_execute_server_program” privilege from untrusted users. This will make the exploit impossible.