2019 Q1 Recurity Assessment: Improper Certification Validation

https://gitlab.com/gitlab-com/gl-security/engineering/issues/329

Details

A review of the PostgreSQL replication configuration on the secondary node found a weak SSL/TLS configuration. The connection to the primary node is set to verify-ca. As stated in the official PostgreSQL documentation, with this setting the database does not check that the server hostname matches the name stored in the server certificate, and so accepts certificates issued for unrelated hosts.

Thus this configuration allows an attacker to spoof the PostgreSQL server of a primary node by using a Man-in-the-Middle (MitM) attack. The secondary node might connect to a malicious host while believing it is trusted, or might be deceived into accepting spoofed data that appears to originate from a trusted source.

Reproduction Steps

Observe the secondary node configuration at /var/opt/gitlab/postgresql/data/recovery.conf.

Recommendation

Recurity Labs recommends changing the configuration to verify-full, as stated in the official PostgreSQL documentation.
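
One way to check a standby for this finding, as an added example that is not part of the original report or of GitLab's code: it reads the replication connection string from recovery.conf text and passes only verify-full. The sample file contents, host name and user are constructed; the primary_conninfo key and libpq's default sslmode of prefer come from PostgreSQL rather than this page, and the keyword/value form of the connection string is assumed.

```python
import re

# Constructed sample of a standby's recovery.conf (host, user and paths are placeholders).
SAMPLE_RECOVERY_CONF = """\
standby_mode = 'on'
# replication connection to the primary
primary_conninfo = 'host=primary.example.com port=5432 user=replicator sslmode=verify-ca sslrootcert=''/etc/ssl/ca.crt'''
"""

LIBPQ_DEFAULT_SSLMODE = "prefer"  # libpq's default when sslmode is not given


def primary_conninfo(conf_text):
    """Return the unquoted primary_conninfo value, or None if it is not set."""
    for line in conf_text.splitlines():
        m = re.match(r"\s*primary_conninfo\s*=\s*'((?:[^']|'')*)'", line)
        if m:
            return m.group(1).replace("''", "'")  # '' is an escaped single quote
    return None


def parse_conninfo(conninfo):
    """Split a libpq keyword/value string into a dict, honouring quoted values."""
    pairs = {}
    pattern = r"(\w+)\s*=\s*(?:'((?:[^'\\]|\\.)*)'|(\S*))"
    for key, quoted, bare in re.findall(pattern, conninfo):
        value = quoted if quoted else bare
        pairs[key] = re.sub(r"\\(.)", r"\1", value)  # undo backslash escapes
    return pairs


def audit(conf_text):
    """Return (effective sslmode, passes); only verify-full checks the hostname."""
    conninfo = primary_conninfo(conf_text)
    if conninfo is None:
        return (None, False)
    mode = parse_conninfo(conninfo).get("sslmode", LIBPQ_DEFAULT_SSLMODE)
    return (mode, mode == "verify-full")


if __name__ == "__main__":
    mode, ok = audit(SAMPLE_RECOVERY_CONF)
    print(f"sslmode={mode}: {'OK' if ok else 'server hostname is not verified'}")
```

To audit a real node, pass the contents of the recovery.conf file named under Reproduction Steps to audit().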
