Microsoft Azure bug left a bunch of cloud databases wide open

Several critical vulnerabilities in Azure Database for PostgreSQL Flexible Server were recently discovered and patched, Microsoft announced in a security advisory.

As reported by BleepingComputer, the vulnerabilities could have allowed malicious users to elevate their privileges and gain access to customer databases. Fortunately, the exploit was not used to attack Azure customers before the patch was released, and no data was taken, Microsoft confirmed.

Since the patch was rolled out over a month ago, Azure customers don’t need to take any additional steps to protect their endpoints.

Patches deployed

With Flexible Server, Azure Database for PostgreSQL users have more control over their databases. However, in this case, Flexible Server had created an opening for the attack.

“By exploiting an elevated permissions bug in the flexible server authentication process for a replication user, a malicious user could exploit a poorly anchored regular expression to bypass authentication to access other customers’ databases,” Microsoft said.

“This was mitigated within 48 hours (January 13, 2022). Customers using the private access networking option were not exposed to this vulnerability. Postgres’ single-server offering has not been affected.”

By the end of February, all patches were rolled out, Microsoft continued.

Still, the company said it would be a good idea to deploy PostgreSQL flexible servers on Azure Virtual Networks (VNets) because they provide private and secure network communication.

“To further minimize exposure, we recommend that customers enable private network access when configuring their Flexible Server instances,” the company said.
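To illustrate the class of bug Microsoft describes as a "poorly anchored regular expression", here is an added example (not Microsoft's or Wiz's code, and not the pattern used by the Azure service) that compares three weak name checks with a fully anchored one. The domain, patterns and probe names are constructed placeholders.

```python
import re

# Constructed values: "db.example.test" is a placeholder domain, not a
# pattern or hostname taken from the Azure service.
SUFFIX = r"\.db\.example\.test"

# Weak: no anchors, so search() finds the trusted string anywhere in the name.
WEAK_UNANCHORED = re.compile(r"[a-z0-9-]+" + SUFFIX)
# Weak: looks anchored, but the trailing (.*) lets anything follow the suffix.
WEAK_TRAILING_WILDCARD = re.compile(r"^(.*)" + SUFFIX + r"(.*)$")
# Weak in Python: "$" also matches just before a trailing newline.
WEAK_DOLLAR = re.compile(r"^[a-z0-9-]+" + SUFFIX + r"$")
# Hardened: one DNS-style label plus the suffix, used only with fullmatch().
STRICT = re.compile(r"[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?" + SUFFIX)

# Constructed probe names: one legitimate, three that must be rejected.
PROBES = {
    "legit": "server1.db.example.test",
    "suffix_appended": "server1.db.example.test.other.invalid",
    "embedded": "x/server1.db.example.test/y",
    "trailing_newline": "server1.db.example.test\n",
}


def strict_check(name: str) -> bool:
    """Accept only when the whole name, start to end, matches."""
    return STRICT.fullmatch(name) is not None


def audit() -> dict:
    """Return, for each checker, the sorted probe labels it accepts."""
    checkers = {
        "unanchored": lambda n: WEAK_UNANCHORED.search(n) is not None,
        "trailing_wildcard": lambda n: WEAK_TRAILING_WILDCARD.search(n) is not None,
        "dollar": lambda n: WEAK_DOLLAR.search(n) is not None,
        "strict": strict_check,
    }
    return {
        label: sorted(p for p, name in PROBES.items() if check(name))
        for label, check in checkers.items()
    }


if __name__ == "__main__":
    for label, accepted in audit().items():
        print(f"{label:18} accepts {accepted}")
```

Running the same probe set against any identity-matching pattern during review shows quickly whether it accepts more than the exact names it was meant to.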

Wiz Research, the cloud security company that first discovered the bug, dubbed it ExtraReplica, and added that there were difficulties tracking cloud vulnerabilities.

“As with other cloud vulnerabilities, this issue has not been assigned a CVE identifier (unlike software vulnerabilities). It is not logged or documented in any database,” it said. “The lack of such a database impairs customers’ ability to monitor, track and respond to cloud vulnerabilities.”

Via BleepingComputer
