PostgreSQL JDBC Driver Channel Binding Vulnerability Allowing Insecure Authentication

A vulnerability in the PostgreSQL JDBC driver versions 42.7.4 prior to 42.7.7 allows connections to use authentication methods that do not support channel binding, despite channel binding being set to required. This flaw could enable a man-in-the-middle attacker to intercept connections under the false impression that they were secured by channel binding. The issue arises because the driver improperly handled channel binding requirements for non-SASL authentication methods, such as password, MD5, GSS, or SSPI authentication.

Impact

Exploitation of this vulnerability could lead to man-in-the-middle attacks, allowing interception of connections that were believed to be protected by channel binding requirements.

Reproduction

To reproduce this vulnerability, configure the PostgreSQL JDBC driver to require channel binding and attempt to connect using an authentication method that does not support channel binding, such as MD5 or password authentication. The connection should be intercepted to demonstrate the vulnerability.

Remediation

Users can update to PostgreSQL JDBC Driver version 42.7.7, which addresses this vulnerability by ensuring that when channel binding is set to 'require', the driver rejects connections using non-SASL authentication methods or when SASL authentication has not been properly completed.