ExtraReplica: Microsoft patches certificate transparency bug in Azure PostgreSQL | ZDNet

Microsoft has patched a security weakness in Azure PostgreSQL which could have been exploited to execute malicious code.

On Thursday, researchers from Wiz Research published an advisory on “ExtraReplica,” described as a “cross-account database vulnerability” in Azure’s infrastructure.

Microsoft Azure is a hybrid cloud service and accounts for hundreds of thousands of enterprise customers.

According to Wiz, a “chain” of vulnerabilities could be used to bypass Azure’s tenant isolation, which prevents software-as-a-service (SaaS) systems customers from accessing resources belonging to other tenants.

ExtraReplica’s core attack vector is based on a flaw that allowed attackers read access to PostgreSQL databases without authorization.

Once a target, public PostgreSQL Flexible Server has been selected, an attacker has to find the target’s Azure region “by resolving the database domain name and matching it to one of Azure’s public IP ranges,” according to Wiz.

An attacker-controlled database then has to be created in the same region. The first vulnerability, found in Azure’s PostgreSQL engine modifications, would be exploited on the attacker-controlled instance, leading to escalated ‘superuser’ privileges and the ability to execute code.

The second bug in the chain, buried in the certificate authentication process, would then be triggered on the target instance via replication to gain read access.

While this attack could be used on a subnet, the Certificate Transparency feed could also be abused to retrieve domain SSL certificates and extract a database’s unique identifier, thereby expanding the potential attack surface beyond a subnet.

An attacker would need to retrieve target information from the Certificate Transparency feed and purchase a “specifically crafted certificate” from a CA to perform such an exploit.

The vulnerability doesn’t, however, impact Single Server instances or Flexible servers with “VNet network configuration (Private access)” enabled, according to the researchers.

The vulnerability was disclosed to Microsoft in January. Microsoft’s security team triaged the vulnerability and was able to replicate the flaw.

Wiz was awarded a bug bounty of $40,000 for its report and a fix was rolled out by February 25 by the Redmond giant. Now fully mitigated, Azure customers do not need to take any action.

Microsoft is not aware of any exploitation in the wild.

“We appreciate MSRC’s cooperation and their attentiveness to our report,” the researchers commented. “Their professional approach and close communication throughout the disclosure process is a model for all vendors.”

ZDNet has reached out to Microsoft and we will update when we hear back. 

Previous and related coverage


Have a tip? Get in touch securely via WhatsApp | Signal at +447713 025 499, or over at Keybase: charlie0


For all the latest Technology News Click Here 

 For the latest news and updates, follow us on Google News

Read original article here

Denial of responsibility! TechNewsBoy.com is an automatic aggregator around the global media. All the content are available free on Internet. We have just arranged it in one platform for educational purpose only. In each content, the hyperlink to the primary source is specified. All trademarks belong to their rightful owners, all materials to their authors. If you are the owner of the content and do not want us to publish your materials on our website, please contact us by email – [email protected]. The content will be deleted within 24 hours.