Microsoft fixes Azure ExtraReplica bugs that exposed user databases


Microsoft has patched a chain of critical vulnerabilities found in Azure Database for PostgreSQL Flexible Server that could allow malicious users to elevate their privileges and gain access to other customers’ databases after bypassing authentication.

The flexible server deployment option for Azure Database for PostgreSQL gives customers the maximum possible control over their databases, including fine-tuning and multiple configuration parameters.

“By exploiting an elevated permissions bug in the flexible server authentication process for a replication user, a malicious user could take advantage of a poorly anchored regular expression to bypass authentication to access other customers’ databases,” the Microsoft Security Response Center team explained today.

“This was mitigated within 48 hours (January 13, 2022). [..] Customers using the private access networking option were not at risk from this vulnerability. Postgres’ single-server offering was not impacted.”
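
A "poorly anchored" pattern of the kind MSRC mentions can be illustrated with a check that maps a certificate common name to a role. This is an added example, not code from Microsoft or Wiz; the suffix, server label, patterns and common names are constructed assumptions that show the general class of mistake beside a stricter form.

```python
import re

# Constructed values: the suffix, server label and patterns below are
# illustrative assumptions, not the expressions used by the Azure service.
SERVER_SUFFIX = ".srv-a1b2c3.db.example.com"

# Weak: anchored at the start, but the trailing (.*) lets any text follow
# the expected suffix, so the suffix only has to appear somewhere in the CN.
WEAK = re.compile(r"^(.*?)\.srv-a1b2c3\.db\.example\.com(.*)$")

# Hardened: exactly one DNS label for the role, then the literal suffix.
# Used with fullmatch(), so the whole string must be consumed; this also
# avoids "$" matching just before a trailing newline.
STRICT = re.compile(r"([a-z0-9-]{1,63})" + re.escape(SERVER_SUFFIX))


def role_weak(cn):
    """Role extracted by the weakly anchored pattern, or None."""
    m = WEAK.match(cn)
    return m.group(1) if m else None


def role_strict(cn):
    """Role extracted by the fully anchored pattern, or None."""
    m = STRICT.fullmatch(cn)
    return m.group(1) if m else None


def audit(cns):
    """Return the CNs the weak pattern accepts but the strict one rejects."""
    return [cn for cn in cns
            if role_weak(cn) is not None and role_strict(cn) is None]


# Constructed certificate common names.
SAMPLE_CNS = [
    "replication.srv-a1b2c3.db.example.com",                     # expected form
    "replication.srv-a1b2c3.db.example.com.tenant.example.net",  # other domain
    "replication.srv-a1b2c3.db.example.com\n",                   # trailing newline
    "replication.other-srv.db.example.com",                      # different server
]

if __name__ == "__main__":
    for cn in SAMPLE_CNS:
        print(repr(cn), "weak:", role_weak(cn), "strict:", role_strict(cn))
    print("accepted only by the weak pattern:", audit(SAMPLE_CNS))
```

Running an `audit`-style comparison over the names a service is expected to see, plus a few near-miss names, is a quick regression test for identity-mapping patterns.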

Microsoft deployed patches to all Flexible Servers by February 25, 2022 to address a remote code execution flaw in the Flexible Server PostgreSQL service and an elevation of privilege bug.

The research team at cloud security company Wiz, which discovered the security bugs, collectively dubbed them ExtraReplica and disclosed them to Microsoft on January 11, 2022.

As explained by Microsoft, Wiz researchers took the following steps to gain elevated privileges and remote code execution, which allowed them to bypass cross-account authentication using a fake certificate and to access the databases of other customers:

  1. Choose a target PostgreSQL flexible server.
  2. Retrieve the target common name from the Certificate Transparency stream.
  3. Purchase a specially crafted certificate from DigiCert or a DigiCert Intermediate Certificate Authority.
  4. Find the target Azure region by resolving the database domain name and matching it to one of Azure’s public IP address ranges.
  5. Create an attacker-controlled database in the target’s Azure region.
  6. Exploit vulnerability #1 on the instance controlled by the attacker to elevate privileges and obtain code execution.
  7. Scan the subnet for the target instance and exploit vulnerability #2 to gain read access!

ExtraReplica Attack Stream (Wiz)

Microsoft says that none of its Azure customers using the affected flexible servers prior to the patch deployment were affected in any way, and no customer data was accessed without authorization by exploiting the ExtraReplica vulnerability chain.

Since the company has already patched security vulnerabilities on all vulnerable database servers, customers are not required to take any action to protect their data.

However, Microsoft recommends deploying PostgreSQL flexible servers on Azure Virtual Networks (VNet), which provide private and secure network communication.

“To further minimize exposure, we recommend that customers enable private network access when configuring their flexible server instances,” Redmond explained.

“As with other cloud vulnerabilities, this issue has not been assigned a CVE identifier (unlike software vulnerabilities). It is not recorded or documented in any database,” added the Wiz research team.

“The lack of such a database impairs customers’ ability to monitor, track and respond to cloud vulnerabilities.”

Disclosure schedule:

  • 01/11/22 – Wiz Research reported the vulnerabilities to MSRC (Case 69557)
  • 01/13/22 – MSRC began investigating vulnerabilities and later fixed the certificate issue (vulnerability #2)
  • 01/14/22 – MSRC has verified their fix as observed by Wiz Research (Certificate Transparency)
  • 01/15/22 – MSRC awarded Wiz Research a $40,000 bounty
  • 01/18/22 – MSRC says it has successfully reproduced all vulnerabilities
  • 02/25/22 – A fix has been deployed to all vulnerable instances

Last year, the Wiz research team also revealed a new class of DNS vulnerabilities affecting major DNS-as-a-Service (DNSaaS) providers and allowing attackers to access sensitive information from corporate networks in what they described as “nation-state level espionage” campaigns.

The researchers also discovered several other security flaws in Microsoft Azure products, including Azure Cosmos DB, Open Management Infrastructure (OMI) software agent, and Azure App Service.
