On Monday, Amazon Web Services (AWS) stated that it had patched a vulnerability in its Amazon Relational Database Service (RDS) that could expose internal credentials. Amazon RDS is a managed database service that supports several database engines, including AWS’s own engine, Amazon Aurora, which is compatible with MySQL and PostgreSQL.
The fixed flaw was found in the Aurora PostgreSQL engine, specifically in the third-party open-source PostgreSQL extension “log_fdw,” which lets users read the database engine log files and expose them as foreign tables through the SQL interface. While hunting for vulnerabilities in the Amazon Aurora engine, Lightspin researcher Gafnit Amiga found that the file-name validation in log_fdw could be bypassed to read other files on the underlying host, including a file containing internal credentials.
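For readers unfamiliar with the extension, the following SQL shows the documented log_fdw workflow on an RDS or Aurora PostgreSQL database, followed by a catalog query a DBA can run to audit which files log_fdw foreign tables currently map. This is an added example and not code from the article, from Lightspin or from AWS; the server name `log_server`, the foreign table name `pg_log_2022_03_01` and the log file name are assumptions, and the audit query relies only on the standard PostgreSQL foreign-data catalogs.

```sql
-- Added example: the normal log_fdw workflow, then an audit query.
-- All object names below are assumed for illustration.

-- 1. log_fdw ships pre-installed on RDS/Aurora PostgreSQL; it only needs
--    to be enabled in the database you are working in.
CREATE EXTENSION IF NOT EXISTS log_fdw;

-- 2. A foreign server is the handle through which log files are mapped.
CREATE SERVER IF NOT EXISTS log_server FOREIGN DATA WRAPPER log_fdw;

-- 3. Enumerate the engine log files the extension is meant to expose.
SELECT * FROM list_postgres_log_files() ORDER BY 1;

-- 4. Map one log file to a foreign table. The file name passed here is what
--    the extension validates; the reported flaw was a bypass of that check.
SELECT create_foreign_table_for_log_file(
    'pg_log_2022_03_01',            -- foreign table to create (assumed)
    'log_server',
    'postgresql.log.2022-03-01-00'  -- engine log file name (assumed)
);

-- 5. Read the log through SQL like any other table.
SELECT * FROM pg_log_2022_03_01 LIMIT 20;

-- 6. Audit: list every foreign table served by log_fdw together with its
--    options, so the mapped file names can be reviewed. A mapped name that
--    is not a plain engine log file name deserves a closer look.
SELECT n.nspname    AS schema_name,
       c.relname    AS foreign_table,
       s.srvname    AS server_name,
       ft.ftoptions AS table_options
FROM pg_foreign_table ft
JOIN pg_class c                ON c.oid = ft.ftrelid
JOIN pg_namespace n            ON n.oid = c.relnamespace
JOIN pg_foreign_server s       ON s.oid = ft.ftserver
JOIN pg_foreign_data_wrapper w ON w.oid = s.srvfdw
WHERE w.fdwname = 'log_fdw'
ORDER BY 1, 2;

-- 7. Record the engine version so it can be compared with the patched
--    minor versions listed in the AWS bulletin.
SELECT version();
```

Steps 1 to 5 are the legitimate use of the extension; step 6 is the check worth running on any cluster that was on an affected minor version, since the foreign tables created by the extension persist and their options record exactly which file each one reads.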
According to AWS, the exposed credentials were “unique to their Aurora cluster,” meaning they could not be used to attack other customers or clusters. AWS also notes that the log_fdw extension is pre-installed in Aurora PostgreSQL and Amazon RDS for PostgreSQL. A highly privileged, authenticated database user who could trigger the flaw could have used the credentials to gain elevated access to resources within that same cluster.
“No cross-customer or cross-cluster access was possible; however, highly privileged local database users who could exercise this issue could potentially have gained additional access to data hosted in their cluster or read files within the operating system of the underlying host running their database,” explains AWS.
The researcher reported the vulnerability to Amazon on December 9, 2021. An initial patch was released on December 14, but it took more than three months for the fix to reach all customers. To address the issue, AWS released updated versions of Aurora PostgreSQL and RDS for PostgreSQL and deprecated the affected minor versions, so that new instances can no longer be created on them.