Cross Tenant bug in PostgreSQL

Microsoft has patched a flaw in Azure PostgreSQL which could have been exploited to execute malicious code described as a cross-account database vulnerability in Azure’s infrastructure.

According to researchers, a chain of vulnerabilities could be used to bypass Azure’s tenant isolation, which prevents SaaS systems customers from accessing resources belonging to other tenants.

The core attack vector is based on a flaw that allowed attackers read access to PostgreSQL databases without authorization.

Once public PostgreSQL Flexible Server has been selected a target, an attacker has to find the target’s Azure region by resolving the database domain name and matching it to one of Azure’s public IP ranges.

An attacker-controlled database then has to be created in the same region. The first vulnerability, found in Azure’s PostgreSQL engine modifications, would be exploited on the attacker-controlled instance, leading to escalated ‘superuser’ privileges and the ability to execute code.

The second bug, buried in the certificate auth process, would then be triggered on the target instance via replication to gain read access.

The Certificate Transparency feed could also be abused to retrieve domain SSL certificates and extract a database’s unique identifier, thereby expanding the potential attack surface beyond a subnet.

An attacker would need to retrieve target information from the Certificate Transparency feed and purchase a “specifically crafted certificate” from a CA to perform such an exploit.

The vulnerability doesn’t impact Single Server instances or Flexible servers with “VNet network configuration” enabled, according to the researchers.

The vulnerability was disclosed to Microsoft in January. Microsoft’s security team triaged the vulnerability and was able to replicate the flaw. Microsoft mitigated the flaw and also says it not aware of exploit in wild.

some part of content referred from ZDNet