CVE-2023-32305 Overview
CVE-2023-32305 is a privilege escalation vulnerability affecting the aiven-extras PostgreSQL extension. Versions prior to 1.1.9 contain a critical flaw that allows low-privileged users to escalate their privileges to superuser within PostgreSQL databases utilizing the aiven-extras package. The vulnerability exploits missing schema qualifiers on privileged functions called by the extension, enabling attackers to create malicious objects that collide with existing function names and execute arbitrary code with elevated privileges.
Critical Impact
Successful exploitation allows a low-privileged database user to acquire superuser privileges, granting full unrestricted access to all data and database functions. This could lead to arbitrary code execution or data access on the underlying host as the postgres user.
Affected Products
- aiven-extras PostgreSQL extension versions prior to 1.1.9
- PostgreSQL databases utilizing the vulnerable aiven-extras package
- Aiven managed database services using affected extension versions
Discovery Timeline
- May 12, 2023 - CVE-2023-32305 published to NVD
- November 21, 2024 - Last updated in NVD database
Technical Details for CVE-2023-32305
Vulnerability Analysis
This privilege escalation vulnerability stems from improper input validation (CWE-20) in how the aiven-extras extension handles function calls. The extension fails to use fully qualified schema names when invoking built-in PostgreSQL functions, creating a search path hijacking opportunity.
When the extension executes functions like array_length() without the pg_catalog. schema prefix, PostgreSQL's function resolution mechanism searches through the schema search path in order. An attacker with the ability to create objects in a schema that appears earlier in the search path than pg_catalog can create a malicious function with the same name. When the extension subsequently calls the unqualified function, the attacker's malicious implementation executes instead, running with the extension's elevated privileges.
The attack is network-accessible and requires only low-level database privileges, with no user interaction needed. Successful exploitation grants the attacker superuser access, compromising all aspects of database confidentiality, integrity, and availability.
Root Cause
The root cause is missing schema qualifiers on privileged function calls within the aiven-extras extension. PostgreSQL functions should be called with explicit schema prefixes (e.g., pg_catalog.array_length()) to prevent search path manipulation attacks. Without these qualifiers, the database engine follows the configured search_path to resolve function names, which can be exploited by creating shadow functions in schemas the attacker controls.
Attack Vector
The attack vector involves a low-privileged database user creating malicious functions that shadow legitimate PostgreSQL catalog functions. The attacker:
- Creates a schema or uses an existing schema that appears before pg_catalog in the search path
- Creates a function with the same name and signature as a function called by aiven-extras (e.g., array_length)
- The malicious function contains code to escalate privileges or execute arbitrary commands
- When aiven-extras executes the unqualified function call, the attacker's version runs with elevated privileges
The following patch demonstrates the fix applied in version 1.1.9, which adds explicit pg_catalog. schema qualifiers to function calls:
l_parsed_ident TEXT[];
l_parsed_arg_tables TEXT[];
BEGIN
- l_table_count = array_length(arg_tables, 1);
+ l_table_count = pg_catalog.array_length(arg_tables, 1);
IF l_table_count >= 1
THEN
l_parsed_arg_tables = ARRAY[]::TEXT[];
l_tables_command = 'CREATE PUBLICATION %I FOR TABLE ';
FOREACH l_ident IN ARRAY arg_tables LOOP
l_parsed_ident = parse_ident(l_ident);
- ASSERT array_length(l_parsed_ident, 1) <= 2, 'Only simple table names or tables qualified with schema names allowed';
+ ASSERT pg_catalog.array_length(l_parsed_ident, 1) <= 2, 'Only simple table names or tables qualified with schema names allowed';
-- Make sure we pass in a simple list of identifiers, so separate the tables from parent schemas
- IF array_length(l_parsed_ident, 1) = 2
+ IF pg_catalog.array_length(l_parsed_ident, 1) = 2
THEN
l_tables_command = l_tables_command || '%I.%I, ';
ELSE
Source: GitHub Commit 8682ae01bec0791708bf25791786d776e2fb0250
Detection Methods for CVE-2023-32305
Indicators of Compromise
- Unexpected functions created in user-accessible schemas with names matching PostgreSQL catalog functions (e.g., array_length, parse_ident)
- Unusual privilege grants or new superuser accounts in the database
- Database audit logs showing function creation followed by privilege escalation activities
- Changes to search_path settings for database users or roles
Detection Strategies
- Query pg_proc and pg_namespace to identify user-defined functions that shadow pg_catalog functions
- Monitor PostgreSQL logs for CREATE FUNCTION statements that match known catalog function names
- Implement database activity monitoring to detect unauthorized privilege escalation
- Use security scanning tools to identify installed aiven-extras versions below 1.1.9
Monitoring Recommendations
- Enable detailed PostgreSQL logging including log_statement = 'ddl' to capture function creation events
- Configure alerts for new superuser role grants or unexpected privilege changes
- Regularly audit database schemas for suspicious function definitions
- Implement real-time monitoring of security-sensitive database operations
How to Mitigate CVE-2023-32305
Immediate Actions Required
- Upgrade aiven-extras to version 1.1.9 or later immediately
- Audit existing databases for any suspicious user-created functions that shadow catalog functions
- Review and restrict database user privileges to the minimum required
- Check for any unauthorized superuser accounts that may have been created through exploitation
Patch Information
The vulnerability has been patched in aiven-extras version 1.1.9. The fix adds explicit pg_catalog. schema qualifiers to all privileged function calls within the extension, preventing search path hijacking attacks. Organizations should update to the patched version as soon as possible.
For detailed patch information, refer to the GitHub Commit and the GitHub Security Advisory GHSA-7r4w-fw4h-67gp.
Workarounds
- Restrict user permissions to prevent creation of functions in schemas that could shadow pg_catalog
- Configure search_path to always prioritize pg_catalog first for all database users
- Revoke CREATE privileges on public and user-accessible schemas from untrusted users
- Consider temporarily disabling the aiven-extras extension until patching is complete
# Verify aiven-extras version
psql -c "SELECT * FROM pg_available_extensions WHERE name = 'aiven_extras';"
# Audit for suspicious functions shadowing pg_catalog
psql -c "SELECT n.nspname, p.proname FROM pg_proc p JOIN pg_namespace n ON p.pronamespace = n.oid WHERE n.nspname NOT IN ('pg_catalog', 'information_schema') AND p.proname IN (SELECT proname FROM pg_proc WHERE pronamespace = 'pg_catalog'::regnamespace);"
# Restrict search_path for users
ALTER ROLE suspicious_user SET search_path = pg_catalog, public;
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
