
RDS and Aurora PostgreSQL Vulnerability Leads AWS to Deprecate Many Minor Versions


A researcher from security firm Lightspin recently explained how she obtained credentials for an internal AWS service by using a PostgreSQL extension and exploiting a local file read vulnerability on RDS. AWS has confirmed the issue and deprecated dozens of minor releases of Amazon Aurora and RDS for PostgreSQL.

According to Amazon, database users with sufficient permissions could use these credentials to gain elevated access to resources associated with the database cluster from which they were obtained; the credentials could not be used to gain access to internal RDS services or to move between databases or AWS accounts.

Gafnit Amiga, Director of Security Research at Lightspin, writes how she obtained credentials for an internal service called Grover using a PostgreSQL extension, bypassing the log_fdw extension validation:

The log_fdw extension allows the user to access the database engine log using a SQL interface (…) I spent some time going through the system files until I found an interesting argument in the PostgreSQL configuration file which was not shown using psql (…) the apg_storage_conf_file which points to another configuration file with the name Grover_volume.conf (…) file content points to another file csd-grover-credentials.json.

This file allowed Amiga to retrieve temporary Identity and Access Management (IAM) credentials, including a public key and private key, which she could test to confirm that she was connected to an internal role called csd-grover-role. Amiga concludes:

Going through three different files, I was able to discover and access an internal AWS service. This is where my analysis and research ended. I haven’t attempted to enumerate IAM permissions or move laterally through the internal AWS environment.

Source: https://blog.lightspin.io/aws-rds-critical-security-vulnerability

According to the security firm, the vulnerability was reported to AWS on December 9, more than four months ago, when the RDS team began working on investigation and remediation. AWS rolled out an initial patch to the latest versions of Aurora and RDS on December 14, excluding older versions, and began contacting affected customers. In a security bulletin published on April 13, the cloud provider states:

AWS responded immediately to fix this issue when it was reported. As part of our mitigation, we updated Amazon Aurora PostgreSQL and Amazon RDS for PostgreSQL to prevent this issue. We have also deprecated minor releases of Amazon Aurora PostgreSQL and Amazon RDS for PostgreSQL (…)

The AWS bulletin did not initially mention Lightspin, and the lack of attribution again raised questions in the community. The announcement does not specify what the internal service Grover is or how it works. Amiga confirms:

As for Grover, AWS is unable to disclose any internal service details.

Scott Piper, a cloud security consultant who maintains a repository of Cloud Service Provider Security Errors, tweeted about the latest Lightspin findings:

Adding the latest Lightspin RDS issue to the “cloud service provider security errors”, I realized that Amiga found the RDS issue a week after finding the Sagemaker issue! How many hits do you still have online?

It is no longer possible to create an Aurora PostgreSQL or RDS for PostgreSQL instance with one of the following deprecated minor versions:

Aurora PostgreSQL

  • 10.11, 10.12, 10.13
  • 11.6, 11.7, 11.8

RDS for PostgreSQL

  • 13.2, 13.1
  • 12.6, 12.5, 12.4, 12.3, 12.2
  • 11.11, 11.10, 11.9, 11.8, 11.7, 11.6, 11.5, 11.4, 11.3, 11.2, 11.1
  • 10.16, 10.15, 10.14, 10.13, 10.12, 10.11, 10.10, 10.9, 10.7, 10.6, 10.5, 10.4, 10.3, 10.1
  • 9.6.21, 9.6.20, 9.6.19, 9.6.18, 9.6.17, 9.6.16, 9.6.15, 9.6.14, 9.6.12, 9.6.11, 9.6.10, 9.6.9, 9.6.8, 9.6.6, 9.6.5, 9.6.3, 9.6.2, 9.6.1
  • 9.5, 9.4 and 9.3
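Existing instances on these versions are not blocked from running, so the practical follow-up for an operator is an inventory check: list every PostgreSQL instance in the account and flag the ones whose engine version appears in the list above. The script below is an added example written for this article; it is not code from AWS, Lightspin or the bulletin. It encodes the deprecated versions exactly as listed above, treats the 9.5, 9.4 and 9.3 entries as whole series (any 9.5.x, 9.4.x or 9.3.x matches), and runs either against a constructed sample that mirrors the shape of boto3's `describe_db_instances` response or, when a region is passed on the command line, against a live account (the boto3 call and the sample records are assumptions of this example, not something the article describes).

```python
"""Flag RDS / Aurora PostgreSQL instances running a minor version AWS has deprecated."""
from typing import Dict, Iterable, List

# Versions copied from the deprecation list in the article above.
AURORA_POSTGRESQL_DEPRECATED = {
    "10.11", "10.12", "10.13",
    "11.6", "11.7", "11.8",
}

RDS_POSTGRESQL_DEPRECATED = {
    "13.2", "13.1",
    "12.6", "12.5", "12.4", "12.3", "12.2",
    "11.11", "11.10", "11.9", "11.8", "11.7", "11.6", "11.5", "11.4", "11.3", "11.2", "11.1",
    "10.16", "10.15", "10.14", "10.13", "10.12", "10.11", "10.10", "10.9", "10.7",
    "10.6", "10.5", "10.4", "10.3", "10.1",
    "9.6.21", "9.6.20", "9.6.19", "9.6.18", "9.6.17", "9.6.16", "9.6.15", "9.6.14",
    "9.6.12", "9.6.11", "9.6.10", "9.6.9", "9.6.8", "9.6.6", "9.6.5", "9.6.3", "9.6.2", "9.6.1",
}
# The bulletin lists these majors without minor numbers: the whole series is deprecated.
RDS_POSTGRESQL_DEPRECATED_MAJORS = {"9.5", "9.4", "9.3"}


def is_deprecated(engine: str, version: str) -> bool:
    """True if this engine/version pair is in the deprecation list."""
    engine = engine.lower()
    if engine == "aurora-postgresql":
        return version in AURORA_POSTGRESQL_DEPRECATED
    if engine == "postgres":
        if version in RDS_POSTGRESQL_DEPRECATED:
            return True
        # Pre-10 PostgreSQL majors are two components ("9.5"); later ones are one ("12").
        parts = version.split(".")
        major = ".".join(parts[:2]) if parts[0] == "9" else parts[0]
        return major in RDS_POSTGRESQL_DEPRECATED_MAJORS
    return False  # MySQL, Oracle, etc. are out of scope for this bulletin


def find_deprecated(instances: Iterable[Dict]) -> List[Dict]:
    """Reduce describe_db_instances-style records to the ones that need an upgrade."""
    return [
        {"id": inst["DBInstanceIdentifier"], "engine": inst["Engine"], "version": inst["EngineVersion"]}
        for inst in instances
        if is_deprecated(inst["Engine"], inst["EngineVersion"])
    ]


def list_instances_from_aws(region: str) -> List[Dict]:
    """Live inventory via boto3 (assumed available; needs AWS credentials and rds:DescribeDBInstances)."""
    import boto3  # imported lazily so the offline sample run needs no AWS SDK
    client = boto3.client("rds", region_name=region)
    records: List[Dict] = []
    for page in client.get_paginator("describe_db_instances").paginate():
        records.extend(page["DBInstances"])
    return records


# Constructed sample records (not real instances) in the shape of DBInstances entries.
SAMPLE_INSTANCES = [
    {"DBInstanceIdentifier": "orders-db", "Engine": "postgres", "EngineVersion": "12.4"},
    {"DBInstanceIdentifier": "analytics", "Engine": "aurora-postgresql", "EngineVersion": "11.8"},
    {"DBInstanceIdentifier": "legacy", "Engine": "postgres", "EngineVersion": "9.5.24"},
    {"DBInstanceIdentifier": "current", "Engine": "postgres", "EngineVersion": "13.4"},
    {"DBInstanceIdentifier": "inventory", "Engine": "mysql", "EngineVersion": "8.0.23"},
]

if __name__ == "__main__":
    import sys
    instances = list_instances_from_aws(sys.argv[1]) if len(sys.argv) > 1 else SAMPLE_INSTANCES
    for hit in find_deprecated(instances):
        print(f"{hit['id']}: {hit['engine']} {hit['version']} is a deprecated minor version")
```

Run without arguments to see the three sample hits; run with a region name (for example `python check_rds.py us-east-1`) to scan a real account. Aurora cluster members are reported by `describe_db_instances` with engine `aurora-postgresql`, so one pass covers both products; a version that is newer than the list (13.4 in the sample) is deliberately left alone, because only the listed minors were deprecated.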