ExtraReplica: Microsoft patches cross-tenant bug in Azure PostgreSQL

Apr, 28, 2022 Hi-network.com

Microsoft has patched a security weakness in Azure PostgreSQL which could have been exploited to execute malicious code.

On Thursday, researchers from Wiz Research published an advisory on "ExtraReplica," described as a "cross-account database vulnerability" in Azure's infrastructure.

Microsoft Azure is a hybrid cloud service used by hundreds of thousands of enterprise customers.

According to Wiz, a "chain" of vulnerabilities could be used to bypass Azure's tenant isolation, which prevents customers of software-as-a-service (SaaS) systems from accessing resources belonging to other tenants.

ExtraReplica's core attack vector is based on a flaw that allowed attackers read access to PostgreSQL databases without authorization.

Once a public PostgreSQL Flexible Server has been selected as the target, an attacker has to find the target's Azure region "by resolving the database domain name and matching it to one of Azure's public IP ranges," according to Wiz.

An attacker-controlled database then has to be created in the same region. The first vulnerability, found in Azure's PostgreSQL engine modifications, would be exploited on the attacker-controlled instance, leading to escalated 'superuser' privileges and the ability to execute code.

The second bug in the chain, buried in the certificate authentication process, would then be triggered on the target instance via replication to gain read access.

While this attack could be used on a subnet, the Certificate Transparency feed could also be abused to retrieve domain SSL certificates and extract a database's unique identifier, thereby expanding the potential attack surface beyond a subnet.

An attacker would need to retrieve target information from the Certificate Transparency feed and purchase a "specifically crafted certificate" from a CA to perform such an exploit.

The vulnerability doesn't, however, impact Single Server instances or Flexible servers with "VNet network configuration (Private access)" enabled, according to the researchers.
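The configuration boundary the researchers describe can be checked across an inventory of Flexible Servers. The following is an added example, not code from Wiz or Microsoft: it assumes the server list has been exported as JSON with the `network.publicNetworkAccess` and `network.delegatedSubnetResourceId` fields reported by `az postgres flexible-server list`, and the sample records are constructed.

```python
import json
from collections import defaultdict

# Constructed sample in the shape of `az postgres flexible-server list -o json`.
# Server names, regions and the subnet ID are made up for this example.
SAMPLE_INVENTORY = """
[
  {"name": "orders-db", "location": "westeurope",
   "network": {"publicNetworkAccess": "Enabled", "delegatedSubnetResourceId": null}},
  {"name": "billing-db", "location": "westeurope",
   "network": {"publicNetworkAccess": "Disabled",
               "delegatedSubnetResourceId": "/subscriptions/EXAMPLE-SUB/resourceGroups/example-rg/providers/Microsoft.Network/virtualNetworks/example-vnet/subnets/pg"}},
  {"name": "legacy-db", "location": "eastus", "network": {}}
]
"""

def classify(server):
    """Classify one Flexible Server record by its network mode."""
    net = server.get("network") or {}
    # A delegated subnet means VNet integration ("Private access"), the
    # configuration the researchers list as not impacted.
    if net.get("delegatedSubnetResourceId"):
        return "private-vnet"
    if str(net.get("publicNetworkAccess", "")).lower() == "enabled":
        return "public"
    # Missing or ambiguous network data is never assumed to be private.
    return "review"

def audit(inventory_json):
    """Group server names by region and network mode."""
    report = defaultdict(lambda: defaultdict(list))
    for server in json.loads(inventory_json):
        region = server.get("location", "unknown-region")
        report[region][classify(server)].append(server.get("name", "<unnamed>"))
    return {region: dict(modes) for region, modes in report.items()}

if __name__ == "__main__":
    for region, modes in sorted(audit(SAMPLE_INVENTORY).items()):
        for mode in ("public", "review", "private-vnet"):
            for name in modes.get(mode, []):
                print(f"{region:12} {mode:13} {name}")
```

Servers reported as `public` or `review` are the ones to examine first when deciding whether public access is actually required.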

The vulnerability was disclosed to Microsoft in January. Microsoft's security team triaged the vulnerability and was able to replicate the flaw.

Wiz was awarded a bug bounty of $40,000 for its report, and a fix was rolled out by February 25 by the Redmond giant. The issue is now fully mitigated, and Azure customers do not need to take any action.

Microsoft is not aware of any exploitation in the wild.

"We appreciate MSRC's cooperation and their attentiveness to our report," the researchers commented. "Their professional approach and close communication throughout the disclosure process is a model for all vendors."
