Is Red Hat Satellite 6 vulnerable to the PostgreSQL Pass-The-Hash protocol design weakness?


Environment

  • Red Hat Satellite 6.7

Issue

  • Is Red Hat Satellite 6 vulnerable to the PostgreSQL Pass-The-Hash protocol design weakness?

Resolution

  • This is a known PostgreSQL weakness affecting versions prior to 10.

  • The original reporters of this vulnerability explained that PostgreSQL Pass-The-Hash is a hacking technique that allows an attacker to authenticate to a remote server or service by using the underlying NTLM or password hash of a user's password, instead of the plaintext password that is normally required.

  • However, the PostgreSQL security team declined to assign a CVE in February 2015 and later explained why this issue was not considered worth fixing.

    • The reasoning is that the attacker must already know the hash before this attack can be used (either by already having access to the authentication database, or by sniffing unencrypted PostgreSQL network traffic that carries the hash). To be protected, the administrator therefore needs to ensure that basic security best practices are followed, including:
      • The PostgreSQL server is sufficiently protected so that an attacker does not have access to the authentication database that contains the hashes.
      • The PostgreSQL network traffic is not in plaintext on any portion of the network that could be sniffed (e.g. by enforcing SSL-encrypted connections only).
  • When using the embedded PostgreSQL in Satellite 6, authentication should be restricted to localhost, so that the only services able to reach PostgreSQL are processes local to the Satellite itself. This can be verified in the Satellite's PostgreSQL authentication configuration file, /var/lib/pgsql/data/pg_hba.conf.
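As an added example (not part of the Red Hat solution or of Satellite itself), the following POSIX shell function scans a pg_hba.conf for the rules the resolution above says should not exist on an embedded-PostgreSQL Satellite: rules that let a client from a non-loopback address authenticate over a connection that is not forced to SSL, where the md5 hash could be captured and replayed. The pg_hba.conf content it runs against is a constructed sample, not a real Satellite file.

```shell
#!/bin/sh
# Usage on a real system: find_exposed_rules /var/lib/pgsql/data/pg_hba.conf
# Prints every offending rule with its line number; exit status 1 if any found.

find_exposed_rules() {
  # pg_hba.conf fields: TYPE DATABASE USER ADDRESS METHOD [OPTIONS].
  # "local" rules use a Unix socket and have no ADDRESS, and "hostssl"
  # rules already force SSL, so only "host" and "hostnossl" rules are checked.
  awk '
    /^[ \t]*#/ || /^[ \t]*$/ { next }            # skip comments and blank lines
    $1 == "host" || $1 == "hostnossl" {
      addr = $4
      if (addr == "127.0.0.1/32" || addr == "::1/128" ||
          addr == "127.0.0.1"    || addr == "::1" ||
          addr == "localhost"    || addr == "samehost") next   # loopback: fine
      printf "exposed rule (line %d): %s\n", NR, $0
      found = 1
    }
    END { exit found ? 1 : 0 }
  ' "$1"
}

# Constructed sample (hypothetical, for demonstration only): two loopback rules
# that are acceptable, one hostssl rule that forces SSL, and two exposed rules.
SAMPLE_HBA=$(mktemp)
cat > "$SAMPLE_HBA" <<'EOF'
# TYPE      DATABASE  USER     ADDRESS          METHOD
local       all       all                       peer
host        all       all      127.0.0.1/32     md5
host        all       all      ::1/128          md5
host        foreman   foreman  192.0.2.0/24     md5
hostnossl   all       all      10.0.0.0/8       trust
hostssl     all       all      0.0.0.0/0        md5
EOF

# Expected: the 192.0.2.0/24 and 10.0.0.0/8 rules are reported.
find_exposed_rules "$SAMPLE_HBA" || echo "restrict these rules to localhost or hostssl"
```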

Note: the Pass-The-Hash protocol design weakness is not related to the recently published CVE-2020-14349 and CVE-2020-14350.

This solution is part of Red Hat’s fast-track publication program, providing a huge library of solutions that Red Hat engineers have created while supporting our customers. To give you the knowledge you need the instant it becomes available, these articles may be presented in a raw and unedited form.
