CVE-2020-14350 Overview
CVE-2020-14350 is a privilege escalation vulnerability affecting PostgreSQL database extensions. The vulnerability exists because certain PostgreSQL extensions did not safely handle the search_path setting in their installation scripts. An attacker with sufficient database privileges could exploit this flaw to trick an administrator into executing a specially crafted script during the installation or update of a vulnerable extension, potentially leading to unauthorized code execution with elevated privileges.
Critical Impact
Attackers can hijack extension installation processes to execute malicious code with administrator privileges, potentially compromising the entire PostgreSQL database server and underlying system.
Affected Products
- PostgreSQL versions before 12.4
- PostgreSQL versions before 11.9
- PostgreSQL versions before 10.14
- PostgreSQL versions before 9.6.19
- PostgreSQL versions before 9.5.23
- Debian Linux 9.0
- openSUSE Leap 15.1 and 15.2
- Ubuntu Linux 16.04 ESM, 18.04 LTS, and 20.04 LTS
Discovery Timeline
- August 24, 2020 - CVE-2020-14350 published to NVD
- November 21, 2024 - Last updated in NVD database
Technical Details for CVE-2020-14350
Vulnerability Analysis
This vulnerability stems from improper handling of the search_path configuration parameter in PostgreSQL extension installation scripts. PostgreSQL uses search_path to determine the order in which schemas are searched when resolving unqualified object names. When extension scripts do not explicitly set or restrict the search_path, attackers can manipulate which objects get resolved during extension operations.
The attack requires the attacker to have privileges sufficient to create objects in a schema that appears in the default search_path before the pg_catalog schema. By creating malicious functions or other database objects with the same names as those expected by the extension script, the attacker can hijack the execution flow when an administrator installs or updates the extension.
Root Cause
The root cause is classified as CWE-426 (Untrusted Search Path). PostgreSQL extension installation scripts were not properly setting a secure search_path before executing SQL statements. This allowed objects from untrusted schemas to be resolved and executed instead of the intended system objects. The lack of explicit schema qualification in function calls and object references created an attack surface where user-controlled objects could be substituted for legitimate extension components.
Attack Vector
The attack vector is local, requiring the attacker to have an existing account with sufficient privileges on the target PostgreSQL database. The attack proceeds as follows:
- The attacker creates a malicious function or object in a schema that will be searched before the intended schema
- An administrator initiates the installation or update of a vulnerable extension
- The extension script executes SQL statements that reference unqualified object names
- PostgreSQL resolves these names using the compromised search_path, executing the attacker's malicious code
- The malicious code runs with the privileges of the administrator performing the installation
This vulnerability requires user interaction (the administrator must install or update an extension) and local access to the database with object creation privileges. When successfully exploited, it can result in complete compromise of confidentiality, integrity, and availability of the database system.
Detection Methods for CVE-2020-14350
Indicators of Compromise
- Unexpected functions or objects in user-accessible schemas that mirror names of common extension functions
- Unusual schema creation activity by non-administrative users prior to extension operations
- Audit logs showing execution of unexpected code during extension installation processes
- Database objects with suspicious definitions in schemas appearing early in the default search_path
Detection Strategies
- Monitor PostgreSQL logs for extension installation and update operations, correlating with any unusual object creation in preceding timeframes
- Implement database activity monitoring to detect creation of objects that shadow legitimate extension components
- Review audit logs for CREATE FUNCTION or CREATE OBJECT statements in public or user schemas that match known extension function names
- Deploy SentinelOne Singularity to detect anomalous process behavior on database servers during administrative operations
Monitoring Recommendations
- Enable detailed PostgreSQL logging including log_statement = 'all' to capture all SQL execution during extension operations
- Configure alerts for schema modifications in non-system schemas prior to planned extension maintenance windows
- Implement file integrity monitoring on PostgreSQL extension script directories to detect unauthorized modifications
- Use SentinelOne's behavioral AI to identify suspicious database server process activity that may indicate post-exploitation actions
How to Mitigate CVE-2020-14350
Immediate Actions Required
- Upgrade PostgreSQL to patched versions: 12.4, 11.9, 10.14, 9.6.19, or 9.5.23 or later
- Review and audit existing database schemas for suspicious objects that could hijack extension installations
- Restrict privileges for creating objects in schemas that appear in the default search_path
- Apply operating system patches from Debian, Ubuntu, and openSUSE as referenced in their security advisories
Patch Information
PostgreSQL has released patched versions addressing this vulnerability. Organizations should upgrade to the following minimum versions:
- PostgreSQL 12.4 or later for 12.x installations
- PostgreSQL 11.9 or later for 11.x installations
- PostgreSQL 10.14 or later for 10.x installations
- PostgreSQL 9.6.19 or later for 9.6.x installations
- PostgreSQL 9.5.23 or later for 9.5.x installations
Distribution-specific patches are available via the Ubuntu Security Notice 4472-1, Debian LTS Security Announcement, Gentoo GLSA 202008-13, and various openSUSE Security Announcements. Additional details are available in the Red Hat Bug Report.
Workarounds
- Set search_path explicitly to pg_catalog, pg_temp before running any extension installation or update scripts
- Revoke CREATE privileges on the public schema from all non-administrative users
- Audit and remove any untrusted objects from schemas that appear in the default search_path before extension operations
- Consider running extension installations with a superuser account that has a restrictive search_path configured
# Secure search_path configuration for extension installation
# Add to postgresql.conf or run before extension operations
psql -U postgres -c "SET search_path TO pg_catalog, pg_temp;"
# Revoke CREATE privileges on public schema
psql -U postgres -c "REVOKE CREATE ON SCHEMA public FROM PUBLIC;"
# Verify current search_path setting
psql -U postgres -c "SHOW search_path;"
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
