v.23.11 Improvement

Potential Vulnerability in ClickHouse: Unauthenticated Exploitation via Ignored Packets

There was a potential vulnerability in previous ClickHouse versions: if a user has connected and unsuccessfully tried to authenticate with the "interserver secret" method, the server didn't terminate the connection immediately but continued to receive and ignore the leftover packets from the client. While these packets are ignored, they are still parsed, and if they use a compression method with another known vulnerability, it will lead to exploitation of it without authentication. This issue was found through the ClickHouse Bug Bounty Program by https://twitter.com/malacupa. #56794 (Alexey Milovidov).
Fixed a security vulnerability: after an unsuccessful authentication attempt with the "interserver secret" method, the server kept parsing the client's leftover compressed packets, so a flaw in a compression codec could be triggered without authentication.

Why it matters

Previous ClickHouse versions did not close the connection immediately after a failed "interserver secret" authentication attempt. The server kept reading the client's remaining packets and, although it discarded them, still parsed them, including running the decompression codec they named, so any known vulnerability in such a codec became reachable before authentication. The fix closes the connection as soon as authentication fails, so no further client data is parsed.
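
To make the failure mode concrete, here is a small model of the server-side packet loop, added here as an illustration and not taken from ClickHouse's code. With close_on_failure=False it reproduces the old behaviour, where a data packet that follows a failed secret check still reaches the decompressor; with close_on_failure=True the connection is closed before any further packet is parsed. Every name in it (handle_connection, PACKET_AUTH, the secret value, the packet stream, the recording decompressor) is a constructed stand-in, not a real protocol element.

```python
import hmac
from typing import Callable, Iterable, Tuple

# Constructed stand-ins; not ClickHouse's real protocol, packet layout or secret.
INTERSERVER_SECRET = b"constructed-interserver-secret"
PACKET_AUTH, PACKET_DATA = "auth", "data"   # secret presentation / data block
class ConnectionClosed(Exception):
    """Raised when the server tears the connection down."""

def verify_interserver_secret(presented: bytes) -> bool:
    return hmac.compare_digest(presented, INTERSERVER_SECRET)  # constant-time

def handle_connection(packets: Iterable[Tuple[str, bytes]],
                      decompress: Callable[[bytes], bytes],
                      close_on_failure: bool) -> Tuple[bool, int]:
    """Server-side packet loop for one client. Returns
    (authenticated, packets parsed after the secret check failed)."""
    authenticated = auth_failed = False
    parsed_after_failure = 0
    for kind, payload in packets:
        if kind == PACKET_AUTH:
            if verify_interserver_secret(payload):
                authenticated = True
            elif close_on_failure:   # fixed behaviour: stop reading at once
                raise ConnectionClosed("interserver secret mismatch")
            else:                    # old behaviour: remember, but keep reading
                auth_failed = True
        elif kind == PACKET_DATA:
            # Parsing, and so the codec, runs before any auth decision: the bug.
            decompress(payload)
            if auth_failed:
                parsed_after_failure += 1
            # ...the decoded block is then discarded for an unauthenticated client.
    return authenticated, parsed_after_failure

def demo() -> Tuple[Tuple[bool, int], bool, int]:
    """Replay one constructed client stream against both behaviours."""
    codec_calls = []
    def recording_decompress(blob: bytes) -> bytes:
        codec_calls.append(blob)   # counts every time client data reaches the codec
        return blob
    stream = [(PACKET_AUTH, b"wrong-secret"), (PACKET_DATA, b"\x82constructed-block")]
    old = handle_connection(stream, recording_decompress, close_on_failure=False)
    try:
        handle_connection(stream, recording_decompress, close_on_failure=True)
        fixed_closed = False
    except ConnectionClosed:
        fixed_closed = True
    return old, fixed_closed, len(codec_calls)   # → ((False, 1), True, 1)
```

The old loop parses one packet after the failed check and the codec is reached once; the fixed loop never reads a second packet, so the codec count does not grow.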

How to use it

This security fix is applied automatically in the updated ClickHouse server version. Users should upgrade to this version to ensure immediate connection termination after failed "interserver secret" authentication attempts, thereby mitigating the vulnerability.