![]() ![]() ![]() It is not anymore possible to create an Aurora PostgreSQL or RDS for PostgreSQL instance with one of the following deprecated minor versions: In adding Lightspin's latest RDS issue to 'Cloud Service Provider security mistakes' I realized Amiga found the RDS issue one week after they found the Sagemaker issue! How many more hits do you have lined up? Creating a Postgres change listener The instructions of starting to follow WAL are simple: Enable Logical replication on your Postgres Create a replication slot Optionally add wal2jsonto receive. Scott Piper, a cloud security consultant who maintains a repository of Cloud Service Provider security mistakes, tweets on the latest discoveries by Lightspin: I used these steps to make the upgrade using the AWS Console: Create snapshot of target database to upgrade Restore snapshot Upgrade the restored snapshot's (which is now a new instance) DB Engine version. Amiga confirms:Īs for Grover, AWS are not able to disclose details about the internal service. I just finished upgrading my AWS RDS database engine from 9.6.22 to 10.17. The announcement does not clarify what the internal service Grover is and how it works. The AWS advisory did not initially mention Lightspin and the lack of attribution raised further questions in the community. We have also deprecated the Amazon Aurora PostgreSQL and Amazon RDS for PostgreSQL minor versions (.) As part of our mitigation, we have updated Amazon Aurora PostgreSQL and Amazon RDS for PostgreSQL to prevent this issue. In a security bulletin released on April 13th, the cloud provider claims:ĪWS moved immediately to address this issue when it was reported. AWS deployed an initial patch on the latest Aurora and RDS versions on December 14th, excluding older versions, and started to reach out to affected customers. I did not attempt to enumerate any IAM permissions or move further laterally into AWS' internal environment.Īccording to the security company, the vulnerability was reported to AWS on December 9th, more than four months ago, when the RDS team began working on investigation and remediation. This is where my analysis and research ended. Within transiting three different files I was able to discover an internal AWS service and gain access to it. This file let Amiga retrieve the temporary identity and access management (IAM) credentials, including a publicKey and privateKey that she could test and confirm being connected to an internal role called csd-grover-role. conf (.) the file content points to another file csd-grover-credentials.json. The log_fdw extension enables the user to access the database engine log using a SQL interface (.) I spent some time going over system files until I found an interesting argument in the PostgreSQL config file that was not shown through using psql (.) the apg_storage_conf_file which points to another configuration file with the name grover_volume. Gafnit Amiga, director of security research at Lightspin, writes how she obtained credentials to an internal service Grover using a PostgreSQL extension, bypassing the log_fdw extension validation: AWS confirmed the issue and deprecated dozens of minor versions of Amazon Aurora and RDS for PostgreSQL.Īccording to Amazon, database users with sufficient permissions could use these credentials to gain elevated access to resources associated with the database cluster from which they were obtained and could not be used to access internal RDS services or move between databases or AWS accounts. Please click here to view this show’s transcript.A researcher at the security company Lightspin recently explained how she obtained credentials to an internal AWS service using a PostgreSQL extension and exploiting a local file read vulnerability on RDS. Thanks to We Edit Podcasts for partnering with SE Daily. Software Engineering Daily listeners can go to to get 15% off the first three months of audio editing and transcription services with code: SED. We discuss how Neon scales Postgres, how it saves cost and the engineering that makes it possible. ![]() Today, we spoke with Nikita Shamgunov of Neon. It separates storage and compute and substitutes the PostgreSQL storage layer by redistributing data across a cluster of nodes. ![]() Neon is a serverless open-source alternative to AWS Aurora Postgres. Postgres-based databases are widespread and are used by a variety of organizations, from Reddit to the International Space Station, and Postgres databases are a common offering from cloud providers such as AWS, Alibaba Cloud, and Heroku. PostgreSQL is a free and open-source relational database management system. ![]()
0 Comments
Leave a Reply. |
AuthorWrite something about yourself. No need to be fancy, just an overview. ArchivesCategories |