On Thursday, Microsoft fixed two problems in Azure Database for PostgreSQL Flexible Server that could have allowed unauthorized cross-account database access within a region.
“By exploiting an elevated permissions bug in the Flexible Server authentication process for a replication user, a malicious user could leverage an improperly anchored regular expression to bypass authentication to gain access to other customers’ databases,” Microsoft Security Response Center (MSRC) said.
The attack chain was named “ExtraReplica” by Wiz, the New York City-based cloud security firm that discovered the holes. Microsoft stated that the flaw was fixed within 48 hours of its discovery on January 13, 2022. The chain combines a privilege escalation in the Azure PostgreSQL engine, which allowed an attacker to create a database in the target’s Azure region and exfiltrate sensitive data, with a cross-account authentication bypass that used a forged certificate.
In other words, successful exploitation of these severe weaknesses could have given an attacker unauthorized read access to other customers’ PostgreSQL databases, bypassing tenant isolation. The privilege escalation was traced back to a flaw introduced by changes made to the PostgreSQL engine to tighten its privilege model and provide new functionality. ExtraReplica takes its name from PostgreSQL replication, the feature that copies database data from one server to another.
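The anchoring mistake named in the MSRC quote, shown as an added Python illustration that is not Microsoft's or Wiz's code: an identity check that uses a pattern without anchors accepts any name that merely contains the expected value, while a full-match check does not. The pattern, the certificate common-name format and the function names are assumptions for the example only.

```python
import re

# Constructed illustration: a trust check deciding whether a client
# certificate's common name (CN) identifies the privileged replication role.
# Neither this pattern nor the CN format is Azure's; both are assumptions.
EXPECTED_CN = r"replication@flexible-server\.internal"


def is_replication_cn_unanchored(cn: str) -> bool:
    # re.search matches anywhere in the string, so arbitrary prefix or
    # suffix text is ignored. This is the improperly anchored variant.
    return re.search(EXPECTED_CN, cn) is not None


def is_replication_cn_anchored(cn: str) -> bool:
    # re.fullmatch requires the entire string to match the pattern,
    # which is the behaviour an identity comparison needs.
    return re.fullmatch(EXPECTED_CN, cn) is not None


# Constructed sample CNs: one legitimate identity and two lookalike names
# that a correct check must reject. True means "should be accepted".
SAMPLES = {
    "replication@flexible-server.internal": True,
    "evil-replication@flexible-server.internal": False,
    "replication@flexible-server.internal.attacker.example": False,
}


def audit(check) -> list:
    """Return the sample CNs for which `check` gives the wrong verdict."""
    return [cn for cn, expected in SAMPLES.items() if check(cn) != expected]


if __name__ == "__main__":
    print("unanchored check misjudges:", audit(is_replication_cn_unanchored))
    print("anchored check misjudges:", audit(is_replication_cn_anchored))
```

The same audit approach applies to any regex used as an allow-list in authentication code: feed it names that contain the expected value as a substring and confirm they are rejected.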
According to Microsoft, the security issue affects PostgreSQL Flexible Server instances deployed with the public access networking option. The company stressed that it found no evidence of the problem being exploited in the wild and that no customer data was accessed. According to MSRC, no customer action is required. To reduce exposure further, customers should enable private network access when setting up their Flexible Server instances.