CVE-2026-29090
Status: Received - Intake
SQL Injection in Rucio Data Management Software

Publication date: 2026-05-06

Last updated on: 2026-05-06

Assigner: GitHub, Inc.

Description
Summary

A SQL injection vulnerability exists in Rucio versions 1.30.0 and later before 35.8.5, 38.5.5, 39.4.2, and 40.1.1, in `FilterEngine.create_postgres_query()`. This allows any authenticated Rucio user to execute arbitrary SQL against the PostgreSQL metadata database through the DID search endpoint (`GET /dids/<scope>/dids/search`). When the `postgres_meta` metadata plugin is configured, attacker-controlled filter keys and values are interpolated directly into raw SQL strings via Python `.format()`, then passed to `psycopg3`'s `sql.SQL()`, which treats the string as trusted SQL syntax. Depending on the database privileges assigned to the service account, exploitation can expose sensitive tables, modify or delete metadata, access server-side files, or achieve code execution through PostgreSQL features such as `COPY ... FROM PROGRAM`. This issue affects deployments that explicitly use the `postgres_meta` metadata plugin. This vulnerability has been fixed in versions 35.8.5, 38.5.5, 39.4.2, and 40.1.1.
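The interpolation pattern described above, as an added illustration that is not Rucio's code: a metadata filter whose key and value are formatted straight into the SQL text, beside the same filter built with a key allowlist and bound parameters (what psycopg's `execute(query, params)` provides). Table and column names (`dids`, `meta`, `name`) are constructed for the example.

```python
import re

# Constructed table/column names (dids, meta, name); not Rucio's schema.
# Vulnerable shape: the user's key and value become part of the SQL text,
# which is what happens when str.format() output is handed to sql.SQL().
def build_filter_vulnerable(key: str, value: str) -> str:
    return "SELECT name FROM dids WHERE meta->>'{}' = '{}'".format(key, value)

# Hardened shape: the SQL text is constant; key and value travel as bound
# parameters (psycopg's execute(query, params)), and the key must also pass
# a conservative allowlist before it is used at all.
_KEY_RE = re.compile(r"[A-Za-z_][A-Za-z0-9_]{0,62}")

def build_filter_safe(key: str, value: str) -> tuple[str, tuple[str, str]]:
    if not _KEY_RE.fullmatch(key):
        raise ValueError(f"rejected metadata key {key!r}")
    return "SELECT name FROM dids WHERE meta->>%s = %s", (key, value)

def key_accepted(key: str) -> bool:
    try:
        build_filter_safe(key, "")
        return True
    except ValueError:
        return False

# Detection aid: blank out every quoted literal and compare the remaining
# statement skeleton to a known-good one. Input that changes the skeleton is
# being parsed as SQL syntax instead of as data.
_LITERAL_RE = re.compile(r"'(?:[^']|'')*'")

def statement_skeleton(sql: str) -> str:
    return _LITERAL_RE.sub("?", sql)

def input_changes_skeleton(key: str, value: str) -> bool:
    baseline = statement_skeleton(build_filter_vulnerable("project", "data"))
    return statement_skeleton(build_filter_vulnerable(key, value)) != baseline

if __name__ == "__main__":
    for key, value in [("project", "data"), ("project", "O'Neil"), ("a'b", "x")]:
        print(key, value, "-> skeleton changed:", input_changes_skeleton(key, value),
              "key accepted:", key_accepted(key))
```

A value as ordinary as `O'Neil` already alters the vulnerable statement's skeleton, while the parameterized query text stays byte-for-byte identical for every input.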
Meta Information
Published: 2026-05-06
Last Modified: 2026-05-06
Generated: 2026-05-07
AI Q&A: 2026-05-06
EPSS Evaluated: N/A
Affected Vendors & Products
Vendor Product Version / Range
rucio rucio From 1.30.0 (inc) to 35.8.5 (exc)
rucio rucio 35.8.5
rucio rucio 38.5.5
rucio rucio 39.4.2
rucio rucio 40.1.1
CWE
CWE-89: The product constructs all or part of an SQL command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended SQL command when it is sent to a downstream component. Without sufficient removal or quoting of SQL syntax in user-controllable inputs, the generated SQL query can cause those inputs to be interpreted as SQL instead of ordinary user data.
AI Powered Q&A
Can you explain this vulnerability to me?

This vulnerability is a SQL injection issue in Rucio versions 1.30.0 and later before 35.8.5, 38.5.5, 39.4.2, and 40.1.1, specifically in the FilterEngine.create_postgres_query() function. It allows any authenticated Rucio user to execute arbitrary SQL commands against the PostgreSQL metadata database via the DID search endpoint.

The problem arises when the postgres_meta metadata plugin is configured. Attacker-controlled filter keys and values are directly inserted into raw SQL strings using Python's .format() method, which are then treated as trusted SQL syntax by psycopg3's sql.SQL() function. This improper handling enables SQL injection.


How can this vulnerability impact me?

Exploitation of this vulnerability can have severe impacts depending on the database privileges of the service account. An attacker could expose sensitive tables, modify or delete metadata, access server-side files, or even execute code on the server using PostgreSQL features such as COPY ... FROM PROGRAM.


How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?

The SQL injection vulnerability in Rucio allows attackers to execute arbitrary SQL commands, potentially exposing sensitive data such as password hashes, authentication tokens, user accounts, storage credentials, and data management policies.

Such exposure and unauthorized access to sensitive personal and organizational data can lead to violations of data protection regulations and standards like GDPR and HIPAA, which mandate strict controls over the confidentiality, integrity, and availability of sensitive information.

Therefore, if exploited, this vulnerability could result in non-compliance with these regulations due to data breaches, unauthorized data access, and potential misuse of protected information.


How can this vulnerability be detected on my network or system? Can you suggest some commands?

This vulnerability can be detected by monitoring and analyzing requests to the DID search API endpoint, specifically GET /dids/<scope>/dids/search, for suspicious or malformed filter parameters that could indicate SQL injection attempts.

Since the vulnerability involves attacker-controlled filter keys and values being interpolated into SQL queries, you can look for unusual or unexpected SQL syntax in logs or by capturing traffic.

Suggested commands include using network traffic inspection tools like tcpdump or Wireshark to capture HTTP requests to the vulnerable endpoint, for example:

  • tcpdump -i <interface> -A -s 0 'tcp port 80 or tcp port 443' | grep '/dids/'

Additionally, you can check application logs for suspicious queries or errors related to the postgres_meta plugin.

You may also attempt to test the endpoint with crafted filter parameters to see if arbitrary SQL execution is possible, but this should be done carefully in a controlled environment.


What immediate steps should I take to mitigate this vulnerability?

The immediate mitigation step is to upgrade Rucio to one of the fixed versions: 35.8.5, 38.5.5, 39.4.2, or 40.1.1.

If upgrading immediately is not possible, consider disabling the postgres_meta metadata plugin to prevent exploitation.

Restrict access to the DID search API endpoint to trusted users only, as exploitation requires authentication.

Review and limit the database privileges assigned to the Rucio service account to minimize potential damage if exploited.

Monitor logs and network traffic for suspicious activity targeting the vulnerable endpoint.

