Multiple critical vulnerabilities in Azure Database for PostgreSQL Flexible Server were recently discovered and fixed, Microsoft has announced in a security advisory.
As reported by BleepingComputer, the vulnerabilities could have allowed malicious users to escalate privileges and access customer databases. Luckily, the exploit was not used to attack Azure customers before the fix was issued, and no data was taken, Microsoft confirmed.
Given that the patch was deployed more than a month ago, Azure customers need to take no additional steps to protect their endpoints.
Fixes deployed
With Flexible Server, Azure Database for PostgreSQL users have more control over their databases. However, in this case, Flexible Server had created an opening for attack.
“By exploiting an elevated permissions bug in the Flexible Server authentication process for a replication user, a malicious user could leverage an improperly anchored regular expression to bypass authentication to gain access to other customers’ databases,” Microsoft said.
“This was mitigated within 48 hours (on January 13, 2022). Customers using the private access networking option were not exposed to this vulnerability. The Single Server offering of Postgres was not impacted.”
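The "improperly anchored regular expression" in Microsoft's statement describes a well-known bug class: a pattern that is anchored at one end only will accept any identifier that merely begins (or ends) with the expected value. The following Python is an added illustration, not code from Microsoft, Wiz or the Flexible Server authentication path; the article does not disclose the real pattern, identifier format or hostnames, so the domain, server names and sample inputs below are constructed. It compares a start-anchored check, a `$`-anchored check and a `re.fullmatch` check against inputs a reviewer would want to test.

```python
import re

# Constructed for illustration; the real pattern and identifier format used by
# the Flexible Server authentication process are not given in the article.
ALLOWED_DOMAIN = r"postgres\.example\.net"
NAME_AND_DOMAIN = r"(?P<server>[a-z0-9-]+)\." + ALLOWED_DOMAIN

# Weak: anchored at the start only, so anything may follow the expected domain.
WEAK = re.compile(r"^" + NAME_AND_DOMAIN)

# Better, but still loose: a trailing '$' also matches just before a final
# newline, so "name.postgres.example.net\n" is accepted.
DOLLAR = re.compile(r"^" + NAME_AND_DOMAIN + r"$")

# Hardened: fullmatch() requires the entire identifier to match the pattern.
STRICT = re.compile(NAME_AND_DOMAIN)


def weak_server_name(identifier: str):
    """Server name extracted by the start-anchored pattern, or None."""
    m = WEAK.search(identifier)
    return m.group("server") if m else None


def dollar_server_name(identifier: str):
    """Server name extracted by the '^...$' pattern, or None."""
    m = DOLLAR.search(identifier)
    return m.group("server") if m else None


def strict_server_name(identifier: str):
    """Server name extracted only when the whole identifier matches, or None."""
    m = STRICT.fullmatch(identifier)
    return m.group("server") if m else None


# Constructed identifiers: one legitimate value and several that contain the
# expected domain without being the expected identifier.
SAMPLES = [
    "alpha.postgres.example.net",               # legitimate
    "alpha.postgres.example.net.other.example",  # extra labels appended
    "alpha.postgres.example.net\n",             # trailing newline
    "alpha.postgres.example.netx",              # extra character appended
    "ALPHA.postgres.example.net",               # wrong case for the name class
]


def evaluate(samples=SAMPLES):
    """Map each sample to (weak, dollar, strict) results for side-by-side review."""
    return {
        s: (weak_server_name(s), dollar_server_name(s), strict_server_name(s))
        for s in samples
    }


if __name__ == "__main__":
    for sample, (weak, dollar, strict) in evaluate().items():
        print(f"{sample!r:48} weak={weak!r:8} dollar={dollar!r:8} strict={strict!r}")
```

Only the `fullmatch` variant rejects every constructed non-matching input; the start-anchored pattern accepts both the appended-label and appended-character cases, and the `$`-anchored pattern still accepts the trailing-newline case. When an authentication decision rests on a regular expression, the test suite should include inputs that contain the expected value as a substring, not just inputs that differ from it entirely.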
By the end of February, all fixes were deployed, Microsoft went on to explain.
Still, the company said it would be wise to deploy PostgreSQL flexible servers on Azure virtual networks (VNet), as they provide private and secure network communication.
“In order to further minimize exposure, we recommend that customers enable private network access when setting up their Flexible Server instances,” the company said.
Wiz Research, the cloud security company that first discovered the bug, dubbed it ExtraReplica and noted that cloud vulnerabilities of this kind are hard to keep track of.
“As with other cloud vulnerabilities, this issue did not receive a CVE identifier (unlike software vulnerabilities). It is not recorded or documented in any database,” it said. “The absence of such a database impairs the ability of customers to monitor, track, and respond to cloud vulnerabilities.”
Via BleepingComputer