Azure Database for PostgreSQL Flexible Server Privilege Escalation and Remote Code Execution

MSRC was informed by Wiz, a cloud security vendor, under Coordinated Vulnerability Disclosure (CVD) of an issue with the Azure Database for PostgreSQL Flexible Server that could result in unauthorized cross-account database access in a region. By exploiting an elevated permissions bug in the Flexible Server authentication process for a replication user, a malicious user could leverage an improperly anchored regular expression to bypass authentication to gain access to other customers’ databases. This was mitigated within 48 hours (on January 13, 2022).

Customer Impact:

All Flexible Server Postgres servers deployed using the public access networking option were impacted with this security vulnerability. Customers using the private access networking option were not exposed to this vulnerability. The Single Server offering of Postgres was not impacted.
Our analysis revealed no customer data was accessed using this vulnerability. Azure updated all Flexible Servers to fix this vulnerability.
No action is required by customers. In order to further minimize exposure, we recommend that customers enable private network access when setting up their Flexible Server instances. For information about this, please see the Flexible Server networking documentation.

Microsoft’s Response:

Microsoft took the following steps after this issue was brought to our attention:

1. We took a proactive approach to first address the most critical vulnerability by preventing cross-tenant attack that addresses any lateral data access. These fixes were rolled out worldwide on January 13, 2022.
   • Provide complete isolation between different tenants’ underlying virtual machine instances.
   • Fixing the pg_ident.conf issue to allow replication permissions only when the exact subject name is matched instead of a prefix match.
2. During that patch rollout, we also addressed all new server creations to have blocked both elevated privileged access and remote code access.
3. After fixes were deployed, our security teams and Wiz validated the fixes.
4. We finished updating the entire fleet of existing servers which addressed the remaining issues by February 25, 2022. The fixes included:
   • Blocking the copy program in Postgres to mitigate the reported Remote Code Execution in the Flexible Server PostgreSQL service
   • Fixing the verbose Postgres error message that displayed the certificate name

Technical details:

The following were the steps used to gain elevation of privilege and remote code execution:

1. An issue with how extensions were handled in our specific implementation of Postgres pg_admin could potentially allow pg_admin to elevate to Superuser
2. Due to the insufficient network isolation between Flexible Server instances, it was possible for an attacker to discover and try to connect to other Flexible Server instances within the region.
3. With an overly permissive regular expression used to map certificate common names to users, it was possible to bypass the certificate authentication used for replication connections between Flexible Server Postgres instances.

Wiz has posted a blog about this issue available here. We would like to thank Wiz who found this issue and worked closely with Microsoft to help secure our customers.