On Thursday, Microsoft said it had patched a pair of flaws in Azure Database for PostgreSQL Flexible Server that could lead to unauthorised cross-account database access within a region.
“By exploiting an elevated permissions bug in the Flexible Server authentication process for a replication user, a malicious user could leverage an improperly anchored regular expression to bypass authentication to gain access to other customers’ databases,” Microsoft Security Response Center (MSRC) said.
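The “improperly anchored regular expression” MSRC describes is a general class of bug. The following added example (constructed here, not Microsoft’s or Wiz’s code, with a hypothetical CN pattern, host names and function names) shows how a start-only anchor or a `$` end anchor accepts certificate names that a full match rejects:

```python
import re

# Constructed example: a replication-client authentication check that validates
# the certificate common name (CN) with a regular expression. The pattern and
# host names are hypothetical; this is not Azure's actual implementation.
EXPECTED_CN = r"replication\.[a-z0-9-]+\.example\.internal"


def weak_cn_check(cn: str) -> bool:
    """Flawed: re.match anchors only at the start, so any trailing text passes."""
    return re.match(EXPECTED_CN, cn) is not None


def dollar_cn_check(cn: str) -> bool:
    """Better but still subtle: '$' also matches just before a trailing newline."""
    return re.match("^" + EXPECTED_CN + "$", cn) is not None


def strict_cn_check(cn: str) -> bool:
    """Correct: fullmatch requires the entire CN to match the pattern."""
    return re.fullmatch(EXPECTED_CN, cn) is not None


# Constructed CNs: one legitimate name and three that only a sloppy anchor accepts.
SAMPLE_CNS = [
    "replication.server-a.example.internal",             # legitimate
    "replication.server-a.example.internal.other.test",  # extra trailing label
    "other.replication.server-a.example.internal",       # extra leading label
    "replication.server-a.example.internal\n",           # trailing newline in CN
]


def audit(cns=SAMPLE_CNS):
    """Return {cn: (weak, dollar, strict)} so the three checks can be compared."""
    return {cn: (weak_cn_check(cn), dollar_cn_check(cn), strict_cn_check(cn))
            for cn in cns}


if __name__ == "__main__":
    for cn, verdicts in audit().items():
        print(repr(cn), verdicts)
```

Only the `fullmatch` variant rejects every malformed CN; when reviewing authentication code, look for `re.match`/`re.search` without an end anchor and for `$` where `\Z` or `fullmatch` was intended.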
Wiz, a New York cloud security company that tracked the flaws, called the exploit chain “ExtraReplica.” Microsoft said it remedied the bug within 48 hours of its first detection.
The attack entails privilege escalation in the Azure PostgreSQL engine to execute code and a cross-account authentication bypass through a forged certificate. It allows an attacker to create a database in the target’s Azure region and pilfer sensitive information.
If an attacker successfully exploits the flaw, the attacker can illegally access other customers’ PostgreSQL databases, effectively evading tenant isolation.
Wiz traced the privilege escalation bug to modifications Microsoft made to PostgreSQL to harden its privilege model and add new features. The name ExtraReplica comes from the exploit’s use of a PostgreSQL feature that copies databases from one server to another, “replicating” the database.
“No action is required by customers,” MSRC said. “In order to further minimize exposure, we recommend that customers enable private network access when setting up their Flexible Server instances.”