Re: [OT] Microsoft: Kubernetes clusters hacked in malware campaign via PostgreSQL

On Tue, Jan 10, 2023 at 10:20 AM Pavel Borisov <pashkin.elfe@gmail.com> wrote:
> On Tue, 10 Jan 2023 at 18:07, Magnus Hagander <magnus@hagander.net> wrote:
> > [ ...]
> >> I wonder what was the vulnerability in Postgres that enabled "hackers"
> >> to run malware? I've read the article and the linked ones and found no
> >> causative link between Postgres and malware inside. Sorry, it seems
> >> like baseless warnings, not a description of vulnerability. Maybe I
> >> haven't got something?

From the article Pavel linked to (below), it looks like PostgreSQL may
suffer from CWE-521, Weak Password Requirements.

Well designed systems today reject weak and wounded passwords out of
the box. Users don't need to do something special to enjoy the
benefit.

Now if a user pulls out the foot gun and disables strong password
requirements, then the user created the misconfiguration and the user
is at fault. If the user did nothing out of the ordinary, then I would
look for a design flaw, like letting users use weak passwords in the
first place.

> > There is no vulnerability in postgres. They are exploiting incorrectly *configured* postgres instances that allow
unauthenticatedusers to log in as superuser, which by definition means the system is configured to allow arbitrary
usersto upload and run arbitrary code -- which they did. Similar to leaving the ssh port open to the world for a user
witha default name and no password. 
> >
> Oh, I see then. They edited pg_hba.conf (in the link
> https://www.bigbinary.com/blog/how-my-server-got-infected-with-a-crypto-mining-malware-and-how-I-fixed-it
> from the article by OP) but stopped short not describing how exactly.
> That's the clue. Thanks!

Jeff