
Rusty Pearl: Remote Code Execution Vulnerability in PostgreSQL Explained

N2K Networks · November 7, 2025 · 24 min

Understanding Rusty Pearl Vulnerability

  • 💡 The "Rusty Pearl" vulnerability is named after the two PostgreSQL procedural-language extensions it chains together: PL/Rust and PL/Perl.
  • 🎯 Chaining them lets an attacker who holds only database privileges execute arbitrary commands on the operating system that hosts the database server.
  • ⚠️ From there the usual post-exploitation impacts follow: data theft, data destruction, and lateral movement to other systems on the network.

Discovery and Exploitation Path

  • πŸ” The research began with an investigation into securing ticketing systems and searching for vulnerabilities in less-explored areas.
  • πŸ”‘ A SQL injection in a ticketing system led to exploring the impact of an attacker with only database access.
  • πŸš€ The goal was to escalate privileges from an administrative user to a super user or find a way to run commands on the underlying system.

Exploiting PostgreSQL Extensions

  • 🧩 Third-party PostgreSQL extensions were identified as less rigorously tested than the core database, so the team focused on them.
  • ⚙️ The first primitive came from the PL/Perl extension: a trusted PL/Perl function could write to Perl's %ENV hash, and those writes landed in the environment of the PostgreSQL backend process.
  • 🔗 That primitive was combined with PL/Rust, which builds each new function by spawning the Rust toolchain as a child process rather than going through PostgreSQL's standard API. The child inherits the backend's environment, so attacker-controlled variables decided what the build step executed, giving code execution on the host.
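The chain above has two halves: a trusted PL/Perl write that reaches the backend's OS environment, and a later child process that inherits it. The first half can be checked for directly on a self-managed server. The following is an added example written for this page, not code from the podcast or from Varonis. It assumes a disposable database with the plperl extension installed and a superuser to run the COPY ... FROM PROGRAM verification step; the variable name RUSTY_PEARL_PROBE is a hypothetical placeholder. It tests only whether a trusted PL/Perl write reaches the process environment and does not involve PL/Rust at all.

```sql
-- Added example, not from the podcast or from Varonis' research.
-- Assumptions (hypothetical): a throwaway database, the plperl extension
-- installed, and a superuser for the COPY ... FROM PROGRAM step.

-- 1. Which procedural languages exist, are they trusted, and who may use them?
--    Trusted languages (lanpltrusted = true) grant USAGE to PUBLIC by default,
--    so every role can define functions in them unless that is revoked.
SELECT lanname,
       lanpltrusted,
       lanacl
FROM   pg_language
WHERE  lanname NOT IN ('internal', 'c', 'sql');

-- 2. A *trusted* PL/Perl function that tries to write the process environment.
--    On servers that still have the bug, this assignment reaches setenv() in
--    the backend; on fixed minor releases the write is blocked.
CREATE OR REPLACE FUNCTION rusty_pearl_probe() RETURNS void
LANGUAGE plperl AS $$
    $ENV{RUSTY_PEARL_PROBE} = 'leaked-into-backend-env';   -- harmless probe value
$$;

SELECT rusty_pearl_probe();

-- 3. Check from the same backend whether the write reached the OS environment.
--    COPY ... FROM PROGRAM spawns a shell as a child of this backend, so the
--    child sees exactly the environment a PL/Rust compile would inherit.
CREATE TEMP TABLE probe_result (value text);
COPY probe_result FROM PROGRAM 'printf ''%s\n'' "${RUSTY_PEARL_PROBE:-unset}"';
SELECT value FROM probe_result;
-- 'leaked-into-backend-env' : trusted PL/Perl can poison the backend environment; patch now.
-- 'unset'                   : the write did not reach the process environment.

DROP FUNCTION rusty_pearl_probe();
```

COPY ... FROM PROGRAM stands in for the PL/Rust build step here: both spawn a child of the backend, so if the probe value shows up in the shell, a PL/Rust compile on the same backend would inherit it too. Managed services such as RDS and Aurora restrict COPY FROM PROGRAM, so run this on self-managed instances only, and drop the probe function afterwards.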

Cloud Provider Protections and Shared Responsibility

  • πŸ›‘οΈ While the vulnerability exists in PostgreSQL, Amazon RDS and Aurora were not affected due to built-in protections like SELinux and AWS's threat detection.
  • 🀝 AWS demonstrated a responsive approach, blocking access, and collaborating with Varonis to ensure the PostgreSQL team addressed the issue.
  • ☁️ The research highlights the shared responsibility model in cloud environments, where customers must manage their data and security controls even when the infrastructure is managed by the provider.

Recommendations for Users

  • 🔧 Upgrade PostgreSQL to the latest minor release whenever possible; security fixes, including fixes to the bundled procedural languages, ship as minor releases.
  • 🔑 Use role-based access control: restrict which roles can CREATE EXTENSION, which roles hold USAGE on procedural languages such as plperl and plrust, and which databases and tables each role can reach.
  • 🚫 On Amazon RDS and Aurora, set the rds.allowed_extensions parameter so that only the extensions you need and trust can be installed.
  • 🔒 Protect the cloud credentials reachable from the database host (instance roles, stored secrets) so that a database compromise cannot escalate into a compromise of the whole cloud environment.
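The privilege recommendations above, as an added example of the SQL a DBA would run; this is not material from the podcast or from Varonis. The role names app_rw and plrust_dev, the database name tickets and the password are hypothetical; the plrust statements require the PL/Rust extension to be installed, and SHOW rds.allowed_extensions works only on Amazon RDS and Aurora.

```sql
-- Added hardening example, not from the podcast or from Varonis.
-- Role names, database name and password are hypothetical.

-- 1. Stop every role from defining functions in the procedural languages by
--    default. Both plperl and plrust are trusted languages, so PUBLIC holds
--    USAGE on them until it is revoked.
REVOKE USAGE ON LANGUAGE plperl FROM PUBLIC;
REVOKE USAGE ON LANGUAGE plrust FROM PUBLIC;

-- 2. Hand the capability back only to the roles that genuinely need it.
CREATE ROLE plrust_dev NOLOGIN;
GRANT USAGE ON LANGUAGE plrust TO plrust_dev;

-- 3. The application role gets data access only. It cannot create functions
--    in the procedural languages, and it cannot create objects in the public
--    schema (PostgreSQL 15+ already denies CREATE on public to PUBLIC; the
--    REVOKE below makes that explicit on older releases).
CREATE ROLE app_rw LOGIN PASSWORD 'change-me';
GRANT CONNECT ON DATABASE tickets TO app_rw;
GRANT USAGE ON SCHEMA public TO app_rw;
GRANT SELECT, INSERT, UPDATE, DELETE ON ALL TABLES IN SCHEMA public TO app_rw;
REVOKE CREATE ON SCHEMA public FROM PUBLIC;

-- 4. Verify: which roles can still use each procedural language?
--    Superusers always appear here; anything else in the list should be an
--    explicitly approved role such as plrust_dev.
SELECT r.rolname, l.lanname
FROM   pg_roles r
CROSS JOIN pg_language l
WHERE  l.lanname IN ('plperl', 'plperlu', 'plrust')
  AND  has_language_privilege(r.rolname, l.lanname, 'USAGE')
  AND  r.rolname NOT LIKE 'pg\_%'
ORDER BY 1, 2;

-- 5. Installing an extension is limited to superusers, or to database owners
--    for extensions marked trusted. On Amazon RDS / Aurora the parameter-group
--    setting rds.allowed_extensions additionally limits what CREATE EXTENSION
--    may install; read the current value with:
SHOW rds.allowed_extensions;
```

Revoking USAGE on a language removes the ability to create new functions in it; functions that already exist keep working, so pair the revoke with a review of existing plperl and plrust functions and their owners.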
Topics

Rusty Pearl, Remote Code Execution, PostgreSQL, Varonis, Language Extensions, Rust, Perl, SQL Injection, Privilege Escalation, AWS RDS, Amazon Aurora, SELinux, Shared Responsibility Model, Database Security, Cyber Security Research