2025-08-05, Florentine A
In this session, we will delve into CVE-2024-10979, discovered by Varonis Threat Labs, and explain how it can be exploited to execute arbitrary code on cloud-hosted databases. Join us to gain insights into this significant Remote Code Execution (RCE) vulnerability and learn strategies for defending and testing managed databases for vulnerabilities.
We will describe how an attempt to find a vulnerability in a popular IaaS provider led to the discovery of this issue, and how we chained it with several other bugs into an RCE. We will explain how cloud-managed PostgreSQL operates and our approach to testing it. We will also present the series of vulnerabilities we identified and discuss how exploitation using these techniques can be detected in AWS, in other cloud providers, and in databases that are not managed by a cloud provider. A demonstration of the vulnerability on a local instance will be provided, followed by a summary of takeaways on using open-source code, shared responsibility models, and cloud security best practices.
We will share our story, an overall challenging and exciting experience that ended with our database being blocked and with further collaboration with AWS.
Coby Abrams is a Cloud Security Researcher at Varonis, specializing in Azure and IaaS research, including in-depth overviews of various services. With experience in various types of security research, Coby has also led several cybersecurity courses.
Tal Peleg, also known as TLP, is a senior security researcher and cloud security team lead at Varonis. He is a full-stack hacker with experience in malware analysis, Windows domains, SaaS applications, and cloud infrastructure. His research is currently focused on cloud applications and APIs.