Microsoft announced Thursday that it has resolved two issues in Azure Database for PostgreSQL Flexible Server that could have allowed unauthorized cross-account access to a database in a particular region.
“By exploiting an elevated permissions bug in the Flexible Server authentication process for a replication user, a malicious user could leverage an improperly anchored regular expression to bypass authentication to gain access to other customers’ databases,” Microsoft Security Response Center (MSRC) said.
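The authentication bypass described above turns on a regular expression that was not anchored to the whole input. The following added example is not Microsoft's code and does not reproduce the actual Flexible Server check; the pattern, the username format and the sample inputs are constructed assumptions used only to show why an unanchored match lets a crafted value pass an identity check, and how a full-match check closes the gap.

```python
import re

# Constructed pattern for a hypothetical replication-user name.
# It is an assumption for illustration only, not the real Azure check.
REPLICATION_USER_PATTERN = r"replication_[a-z0-9]{8}"


def is_replication_user_unanchored(username: str) -> bool:
    """Weak check: re.search() accepts any string that merely *contains* a match,
    so extra material before or after the expected name is ignored."""
    return re.search(REPLICATION_USER_PATTERN, username) is not None


def is_replication_user_dollar_anchored(username: str) -> bool:
    """Partly hardened check with ^ and $. In Python, '$' also matches just
    before a trailing newline, so 'name\\n' still slips through."""
    return re.match(r"^" + REPLICATION_USER_PATTERN + r"$", username) is not None


def is_replication_user_anchored(username: str) -> bool:
    """Hardened check: re.fullmatch() requires the entire string to match,
    with no leading, trailing or newline-separated extra content."""
    return re.fullmatch(REPLICATION_USER_PATTERN, username) is not None


def evaluate(candidates):
    """Return {candidate: (unanchored, dollar_anchored, fullmatch)} so the three
    checks can be compared side by side on the same inputs."""
    return {
        name: (
            is_replication_user_unanchored(name),
            is_replication_user_dollar_anchored(name),
            is_replication_user_anchored(name),
        )
        for name in candidates
    }


# Constructed sample identities: one legitimate name and three crafted ones
# that embed it inside other text or append a trailing newline.
SAMPLE_CANDIDATES = [
    "replication_a1b2c3d4",
    "evil.replication_a1b2c3d4.example",
    "replication_a1b2c3d4_suffix",
    "replication_a1b2c3d4\n",
    "admin",
]

if __name__ == "__main__":
    for name, verdicts in evaluate(SAMPLE_CANDIDATES).items():
        print(repr(name), "unanchored/dollar/fullmatch =", verdicts)
```

Only the legitimate name is accepted by all three checks; the embedded and suffixed variants are accepted by the unanchored search alone, and the newline-terminated variant is accepted by both the unanchored and the `^...$` form. For identity checks, prefer `re.fullmatch` (or an equivalent whole-string comparison) and treat any match-anywhere test on an authentication attribute as a defect to flag in review.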
New York City-based cloud security company Wiz, which discovered the flaws, dubbed the exploit chain “ExtraReplica.” Microsoft said it mitigated the bug within 48 hours of its disclosure on January 13, 2022.
Specifically, the chain combines a privilege escalation in the Azure PostgreSQL engine to gain code execution with a cross-account authentication bypass by means of a forged certificate, allowing an attacker to create a database in the target’s Azure region and exfiltrate sensitive information.
In other words, an adversary could exploit the critical flaws to gain unauthorized read access to PostgreSQL databases of customers to circumvent tenant isolation.
Wiz said the privilege escalation was due to a bug that stemmed from modifications made to the PostgreSQL engine’s privilege model to add more features and harden it. The name ExtraReplica comes from the fact that the exploit leverages a PostgreSQL feature that permits copying database data from one server to another, i.e., “replicating” the database.
The Windows maker described the vulnerability as affecting PostgreSQL Flexible Server instances that use the public-access networking option, but said there was no evidence that the flaw had been actively exploited or that customer data had been accessed.
“No action is required by customers,” MSRC said. “We recommend customers allow private network access to their Flexible Server instances in order to reduce exposure.”