ExtraReplica: Microsoft patches cross-tenant bug in Azure PostgreSQL

The flaw could be exploited for privilege escalation and code execution.
Written by Charlie Osborne, Contributing Writer

Microsoft has patched a security weakness in Azure PostgreSQL which could have been exploited to execute malicious code.

On Thursday, researchers from Wiz Research published an advisory on "ExtraReplica," described as a "cross-account database vulnerability" in Azure's infrastructure.

Microsoft Azure is a hybrid cloud service that serves hundreds of thousands of enterprise customers.

According to Wiz, a "chain" of vulnerabilities could be used to bypass Azure's tenant isolation, the boundary that is supposed to stop one customer of a multi-tenant service from reaching resources belonging to another tenant.

ExtraReplica's core attack vector is a flaw that gave an attacker read access to other customers' PostgreSQL databases without authorization.

Once a target, public PostgreSQL Flexible Server has been selected, an attacker has to find the target's Azure region "by resolving the database domain name and matching it to one of Azure's public IP ranges," according to Wiz.
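As an added illustration of that first step (this is example code written for this article, not Wiz's tooling or anything Microsoft ships), the script below resolves a server's hostname and matches the address against Azure's published IP ranges. Azure publishes its public prefixes as a "service tags" JSON document (the ServiceTags_Public file on the Microsoft Download Center), where each tag carries a region name and a list of CIDR prefixes. The document embedded here is a constructed stand-in in that shape: the prefixes, hostnames and addresses are invented for the example and are not real Azure assignments, and the DNS lookup is injectable so it runs offline.

```python
"""Map a public Azure PostgreSQL hostname to the region that hosts it.

Added example, not code from the original advisory. The service-tag
document and the DNS answers below are constructed test data.
"""
import ipaddress
import socket
from typing import Callable, Optional

# Constructed sample in the shape of Azure's service-tags JSON
# (prefixes invented; real files carry thousands of entries).
SAMPLE_SERVICE_TAGS = {
    "values": [
        {"name": "Sql.WestEurope",
         "properties": {"region": "westeurope",
                        "addressPrefixes": ["203.0.113.0/25", "2001:db8:1::/48"]}},
        {"name": "Sql.EastUS",
         "properties": {"region": "eastus",
                        "addressPrefixes": ["198.51.100.0/24"]}},
        {"name": "AzureCloud",  # global tag: empty region, must be skipped
         "properties": {"region": "",
                        "addressPrefixes": ["198.51.100.0/22"]}},
    ]
}


def build_index(service_tags: dict) -> list:
    """Flatten the tag document into (network, region) pairs.

    Tags without a region (global tags such as AzureCloud) are dropped,
    otherwise their broad prefixes would shadow the regional ones.
    The list is sorted longest-prefix-first so the most specific match wins.
    """
    index = []
    for tag in service_tags["values"]:
        region = tag["properties"].get("region") or ""
        if not region:
            continue
        for prefix in tag["properties"]["addressPrefixes"]:
            index.append((ipaddress.ip_network(prefix, strict=False), region))
    index.sort(key=lambda item: item[0].prefixlen, reverse=True)
    return index


def region_for_ip(ip: str, index: list) -> Optional[str]:
    """Return the region whose prefix contains `ip`, or None if unknown."""
    addr = ipaddress.ip_address(ip)
    for net, region in index:
        if addr.version == net.version and addr in net:
            return region
    return None


def region_for_host(hostname: str, index: list,
                    resolve: Optional[Callable[[str], str]] = None) -> Optional[str]:
    """Resolve the server's DNS name and map its address to a region.

    `resolve` defaults to a real IPv4 lookup; pass a callable to stay offline.
    """
    if resolve is None:
        resolve = socket.gethostbyname
    return region_for_ip(resolve(hostname), index)


# Constructed resolver standing in for DNS (hostnames and addresses invented).
FAKE_DNS = {
    "victim-db.postgres.database.azure.com": "203.0.113.17",
    "other-db.postgres.database.azure.com": "198.51.100.42",
    "unknown.example.net": "192.0.2.9",
}

if __name__ == "__main__":
    idx = build_index(SAMPLE_SERVICE_TAGS)
    for host in FAKE_DNS:
        print(host, "->", region_for_host(host, idx, FAKE_DNS.__getitem__))
```

The same lookup is what a defender can run against their own servers to confirm which region (and therefore which shared replication fabric) an instance lived in; with the real service-tags file the index is large, so building it once and reusing it is the sensible pattern.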

An attacker-controlled database then has to be created in the same region. The first vulnerability, in Microsoft's modifications to the PostgreSQL engine, would be exploited on that attacker-controlled instance to escalate to 'superuser' privileges and execute code on it.

The second bug in the chain, buried in the certificate-based authentication used for replication, would then be triggered against the target instance to establish a replication connection and, with it, read access to the target's data.

On its own, the attack was limited to targets on the same subnet, but the Certificate Transparency feed could also be abused: by retrieving the domain's SSL certificates from the feed and extracting a database's unique identifier, an attacker could reach instances beyond that subnet and so widen the attack surface.

An attacker would need to retrieve target information from the Certificate Transparency feed and purchase a "specifically crafted certificate" from a CA to perform such an exploit.

The vulnerability does not, however, affect Single Server instances or Flexible Servers deployed with the "VNet network configuration (Private access)" option, according to the researchers.

The vulnerability was disclosed to Microsoft in January. Microsoft's security team triaged the vulnerability and was able to replicate the flaw.

Wiz was awarded a bug bounty of $40,000 for its report, and the Redmond giant rolled out a fix by February 25. The issue is now fully mitigated, and Azure customers do not need to take any action.

Microsoft is not aware of any exploitation in the wild.

"We appreciate MSRC's cooperation and their attentiveness to our report," the researchers commented. "Their professional approach and close communication throughout the disclosure process is a model for all vendors."
