Microsoft Addresses Cross-Tenant Database Vulnerability in Azure PostgreSQL

Microsoft has released new patches to address critical security vulnerabilities affecting its Azure PostgreSQL product. Discovered by security researchers from Wiz Research, the “chain” of flaws dubbed “ExtraReplica” could be exploited to gain unauthorized cross-account database access.

According to the security advisory published by the Wiz Research team, the vulnerabilities allow attackers to bypass tenant isolation in Azure’s infrastructure. ExtraReplica exploits a flaw that lets unauthorized users get read access to PostgreSQL databases.

“By exploiting an elevated permissions bug in the Flexible Server authentication process for a replication user, a malicious user could leverage an improperly anchored regular expression to bypass authentication to gain access to other customers’ databases. This was mitigated within 48 hours (on January 13, 2022),” Microsoft Security Response Center (MSRC) explained.

Specifically, the threat actor first selects a public PostgreSQL Flexible Server and then finds the target’s Azure region. Once done, they create an attacker-controlled database in the same region.

The attacker can now exploit the first security flaw on the attacker-controlled instance. This vulnerability was discovered in Azure’s PostgreSQL engine modifications, and it makes it possible to escalate privileges and run malicious code. The next step involves abusing the second flaw, found in the certificate authentication process, to gain read access to the target instance.
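The "improperly anchored regular expression" bug class that MSRC names can be shown with a small regression check for certificate-name mapping rules. This is an added example, not Microsoft's or Wiz's code: the service suffix, both patterns, the function names and the sample certificate names are constructed for illustration.

```python
import re

# Constructed values: not Azure's real host names or identity-map patterns.
SERVICE_SUFFIX = r"\.pg\.example\.internal"

# Weak rule: anchored at the start only, so anything may follow the suffix.
WEAK_PATTERN = re.compile(r"^(.+)" + SERVICE_SUFFIX)

# Strict rule: one DNS label, then the suffix, checked with fullmatch() so the
# whole certificate name must be consumed (a trailing newline is rejected too).
STRICT_PATTERN = re.compile(r"([a-z0-9-]+)" + SERVICE_SUFFIX)


def map_cn_weak(cn):
    """Map a certificate common name to an identity using the weak rule."""
    m = WEAK_PATTERN.match(cn)
    return m.group(1) if m else None


def map_cn_strict(cn):
    """Map a certificate common name to an identity using the strict rule."""
    m = STRICT_PATTERN.fullmatch(cn)
    return m.group(1) if m else None


# Constructed test corpus: certificate name -> identity it should map to.
# None means the name must be rejected.
CASES = {
    "replication.pg.example.internal": "replication",
    # Issued for a name the service does not own, but it starts the same way.
    "replication.pg.example.internal.tenant-b.example": None,
    # Trailing newline: a '$' anchor alone would still accept this in Python.
    "replication.pg.example.internal\n": None,
}


def wrongly_mapped(mapper, cases=CASES):
    """Return the names whose mapping differs from the expected identity."""
    return [cn for cn, want in cases.items() if mapper(cn) != want]


if __name__ == "__main__":
    print("weak rule mis-maps:  ", wrongly_mapped(map_cn_weak))
    print("strict rule mis-maps:", wrongly_mapped(map_cn_strict))
```

Keeping the rejected names in a test corpus alongside each mapping rule makes a missing anchor show up as a failing check when the rule is changed.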

Microsoft fixes the ExtraReplica bug on all vulnerable servers

It is important to note that the security vulnerabilities don’t affect “Single Server instances or Flexible servers with the explicit VNet network configuration (Private access).” Microsoft says that it has addressed the flaws on all vulnerable servers. The company reiterated that it had not found evidence that this vulnerability was actively exploited or that customer data was compromised.

“No action is required by customers. In order to further minimize exposure, we recommend that customers enable private network access when setting up their Flexible Server instances,” MSRC added. We invite you to check out the Flexible Server networking support page for more details.