Discovery Of A Remote Code Execution Flaw

Researchers at Varonis Threat Labs have uncovered a significant remote code execution (RCE) vulnerability in PostgreSQL, a widely used open-source database system. Named "Rusty Pearl," this flaw exploits vulnerabilities in the PL/Perl and PL/Rust extensions, enabling attackers to execute arbitrary commands on the database server’s operating system.

Such an attack could lead to data theft, destruction, or provide an entry point for broader network breaches.

The discovery, presented by researchers Tal Peleg and Coby Abrams at DEF CON 2025 in Las Vegas, highlights the critical need for robust database security in an increasingly connected world.

How the Vulnerability Works

The vulnerability originates in PL/Perl, a trusted language extension included in many default PostgreSQL distributions, which allows functions to be written in Perl. Despite its "trusted" status, PL/Perl permits manipulation of environment variables through Perl’s %ENV hash map, bypassing security restrictions like Perl’s “Strict” and “Opcode” modules.

Varonis researchers leveraged this to set environment variables in PostgreSQL session worker processes, creating a pathway to escalate privileges.

This pathway was combined with a flaw in PL/Rust, a newer extension allowing Rust-based functions. When a PL/Rust function is created, the extension triggers a compilation process via Rust’s package manager, `cargo`, which inherits the modified environment variables set by PL/Perl.

By manipulating these variables, attackers can redirect `cargo` to execute arbitrary binaries, such as `rust-gdb` or `/bin/bash`. In lab tests, Varonis achieved RCE by using `rust-gdb` to run commands like `id` or by exploiting `BASH_ENV` to execute shell commands, demonstrating the vulnerability’s potential to compromise systems.

Testing On Amazon RDS & AWS Response

Varonis tested the exploit on Amazon Relational Database Service (RDS) and Amazon Aurora, managed cloud services supporting PostgreSQL. While the vulnerability was present in PostgreSQL, AWS’s robust security measures, including SELinux and automated protections, prevented successful exploitation. Attempts to execute commands on RDS were quickly detected and halted, with no access to sensitive data or cross-customer information.

AWS confirmed that RDS and Aurora were unaffected but urged customers to upgrade to the latest PostgreSQL versions as a precaution. The PostgreSQL team released patches on 14 November 2024, and AWS issued a statement on 6 May 2025, commending Varonis for their responsible disclosure.

Implications for Database Security

The Rusty Pearl vulnerability highlights the risks posed by extensions in database systems. PL/Perl’s widespread inclusion in default PostgreSQL builds, including those on RDS, makes it a prime target for attackers. PL/Rust, while less common, introduces additional risks due to its reliance on external tools like `rustc` and `cargo`.

The ability to manipulate environment variables and execute arbitrary code highlights the need for stringent access controls and vigilant monitoring, particularly for unmanaged PostgreSQL deployments.

The vulnerability also raises concerns about custom extensions, which may harbour similar flaws, amplifying the attack surface in complex database environments.

Recommendations For Mitigation

Varonis and AWS have issued clear guidance to mitigate the risks posed by Rusty Pearl. PostgreSQL users, whether on standalone or cloud-managed deployments like RDS, should upgrade to the latest minor version of the database. For those using PL/Rust, updating the extension and removing debugging tools like `rust-gdb` from production environments is critical.

Database administrators are advised to restrict unused extensions by configuring the `rds.allowed_extensions` parameter in RDS, ensuring only approved extensions are enabled. Monitoring error logs for suspicious activity is also essential to detect potential exploits early.
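As an added, defender-side illustration of the `%ENV` manipulation described under "How the Vulnerability Works" and of the monitoring advice above (example code, not from Varonis or the PostgreSQL project): a Python audit that scans PL/Perl function bodies pulled from `pg_proc` for writes to `%ENV` and reports whether any PL/Rust functions exist. The `ProcRow` type, the `ENV_WRITE` pattern and the sample rows are assumptions constructed for this example; the catalog query uses standard `pg_catalog` columns.

```python
import re
from typing import Iterable, NamedTuple

# Catalog query that yields the rows analysed below (standard pg_catalog columns;
# assumption: run by a role allowed to read pg_proc, e.g. via psql).
CATALOG_QUERY = """
SELECT p.proname, l.lanname, p.prosrc
FROM pg_proc p JOIN pg_language l ON p.prolang = l.oid
WHERE l.lanname IN ('plperl', 'plperlu', 'plrust');
"""

class ProcRow(NamedTuple):  # one row of CATALOG_QUERY output (hypothetical type)
    proname: str
    lanname: str
    prosrc: str

# Perl constructs that modify %ENV: element assignment (including .= / ||= forms),
# whole-hash or slice assignment, delete and local. Plain reads are ignored.
ENV_WRITE = re.compile(
    r"\$ENV\{[^}]*\}\s*(?:[.+\-*/]|\|\||&&)?=(?!=)"  # $ENV{X} = ..., $ENV{X} .= ...
    r"|%ENV\s*=(?!=)"                                # %ENV = (...)
    r"|@ENV\{[^}]*\}\s*=(?!=)"                       # @ENV{...} = (...)
    r"|\b(?:delete|local)\s+\$ENV\{"                 # delete $ENV{X} / local $ENV{X}
)

def find_env_writes(rows: Iterable[ProcRow]) -> list[tuple[str, str, str]]:
    """Return (function, language, matched snippet) for each PL/Perl body that writes %ENV."""
    hits = []
    for row in rows:
        if row.lanname in ("plperl", "plperlu"):
            for m in ENV_WRITE.finditer(row.prosrc):
                hits.append((row.proname, row.lanname, m.group(0).strip()))
    return hits

def has_plrust_functions(rows: Iterable[ProcRow]) -> bool:
    """True if any function is PL/Rust, i.e. cargo/rustc get invoked inside the server."""
    return any(r.lanname == "plrust" for r in rows)

# Constructed sample rows standing in for CATALOG_QUERY output (not real catalog data).
SAMPLE_ROWS = [
    ProcRow("greet", "plperl", "return 'hello ' . $_[0];"),
    ProcRow("read_home", "plperl", "return $ENV{HOME};"),
    ProcRow("set_env", "plperl", "$ENV{PATH} = '/tmp/x'; $ENV{BASH_ENV} .= '/tmp/y';"),
    ProcRow("drop_env", "plperlu", "delete $ENV{TMPDIR}; return 1;"),
    ProcRow("rust_add", "plrust", "Ok(Some(a + b))"),
]

if __name__ == "__main__":
    for fn, lang, snippet in find_env_writes(SAMPLE_ROWS):
        print(f"{lang}.{fn}: writes %ENV via '{snippet}'")
    print("PL/Rust functions present:", has_plrust_functions(SAMPLE_ROWS))
```

Any hit is worth a review regardless of which variable is touched, because the trusted-language sandbox is not supposed to allow the write at all.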

Strengthening Cloud Security

Under AWS’s shared responsibility model, while the provider secures the database server and cluster, customers must configure network access, database permissions, and data protection. The Rusty Pearl case highlights the importance of adhering to security best practices, such as limiting privileged roles like `rds_superadmin` and implementing robust access controls. AWS provides resources to help customers secure RDS environments, and tools like Varonis for AWS offer advanced monitoring and threat detection capabilities.

Proactive Defence

The Rusty Pearl vulnerability serves as a stark reminder of the evolving threats facing database systems. By combining rigorous patch management, extension control, and proactive monitoring, organisations can safeguard their PostgreSQL environments against sophisticated attacks.

Varonis’s collaboration with AWS and the PostgreSQL community exemplifies the value of coordinated disclosure in addressing vulnerabilities swiftly, ensuring a more secure digital landscape.

Varonis Threat Labs