Cloud security firm Wiz discovered a chain of critical vulnerabilities in the widely used Azure Database for PostgreSQL Flexible Server that could have allowed unauthorized cross-account database access within an Azure region.
The vulnerabilities were reported to Microsoft Security Response Center (MSRC) by Wiz under Coordinated Vulnerability Disclosure (CVD). The Wiz researchers call the exploit chain “ExtraReplica”, and the flaws affected the database replication feature.
The study published by Wiz says, “ExtraReplica vulnerability allows unauthorized read access to other customers’ PostgreSQL databases, bypassing tenant isolation. If exploited, a malicious actor could have replicated and gained read access to Azure PostgreSQL Flexible Server customer databases.”
Microsoft was informed about the vulnerabilities in January and implemented patches within 48 hours.
Critical Flaws Let Attackers Bypass Authentication to Gain Access
The attack chains two flaws: a privilege escalation in the Azure-modified PostgreSQL engine that gives an attacker code execution on their own Flexible Server instance, and a cross-account authentication bypass that uses a forged certificate to be accepted as a replication user. Together they let an attacker create a database in the target's Azure region, replicate a victim's database and exfiltrate sensitive information from it.
An advisory published by Microsoft states, “By exploiting an elevated permissions bug in the Flexible Server authentication process for a replication user, a malicious user could leverage an improperly anchored regular expression to bypass authentication to gain access to other customers’ databases”. The successful exploitation of the critical flaws might have enabled an adversary to gain unauthorized read access to other customers’ PostgreSQL databases, effectively bypassing tenant isolation.
Microsoft Fixes the Vulnerability
Microsoft says the fixes included blocking the COPY ... PROGRAM command in Postgres to mitigate the reported remote code execution in the Flexible Server PostgreSQL service, and fixing a verbose Postgres error message that disclosed the certificate name.
Impact of the Vulnerability
Microsoft says all Flexible Server Postgres servers deployed using the public access networking option were impacted by this security vulnerability. Customers using the private access networking option were not exposed to this vulnerability. The Single Server offering of Postgres was not impacted.
Microsoft also states that no customer data was accessed using this vulnerability, and that Azure has updated all Flexible Servers to fix it.
Finally, no action is required by customers. To further minimize exposure, Microsoft recommends that customers enable private network access when setting up their Flexible Server instances.