Full Report
Wiz Research discovers a chain of critical vulnerabilities in the widely used Azure Database for PostgreSQL Flexible Server.
Analysis Summary
# Vulnerability: Cross-Tenant Data Exposure in Azure Database for PostgreSQL Flexible Server (ExtraReplica)
## CVE Details
- CVE ID: Not assigned. The article notes that, as a cloud service vulnerability, it did not receive a CVE identifier and will instead be documented in the `csp_security_mistakes` GitHub project.
- CVSS Score: Not provided by the vendor or the researchers.
- CWE: Not stated in the source. Editorial mapping: CWE-200 (Exposure of Sensitive Information to an Unauthorized Actor) for the overall impact; the faulty certificate-name check itself maps to CWE-185 (Incorrect Regular Expression).
## Affected Systems
- Products: Azure Database for PostgreSQL Flexible Server
- Versions: Not version-specific (managed service). All Azure Database for PostgreSQL Flexible Server instances using Public access were affected; servers explicitly configured with Private access (VNet integration) were **not** affected.
- Configurations: Azure Database for PostgreSQL Single Server is explicitly stated as **not affected**.
## Vulnerability Description
The vulnerability, dubbed **#ExtraReplica**, allowed an attacker who had obtained code execution on their own PostgreSQL Flexible Server instance to bypass tenant isolation and gain unauthorized read access to other customers' PostgreSQL databases.
The attack chain involved two main steps:
1. **Initial Code Execution (on the attacker's own instance):** Exploiting a flaw in the Azure PostgreSQL Flexible Server service to gain code execution on the instance the attacker legitimately controls. This is a foothold on the service's internal network, not yet access to any victim.
2. **Authentication Bypass (cross-tenant):** The service authenticated replication connections by matching the client certificate's Common Name (CN) against a regular expression that ended in an unanchored wildcard (`.*`). Any CN beginning with the expected `replication.<server>.database.azure.com` prefix therefore matched regardless of what followed it. An attacker could obtain a certificate for a name under a domain they control, such as `replication.XXX.database.azure.com.attackerdomain.com`, and present it to a targeted PostgreSQL instance belonging to a separate tenant.
The target accepted the connection as if it came from a legitimate replica, so the attacker could initiate replication and read the other tenant's database content: cross-account database access.
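The regular-expression flaw in step 2 is the core of the bypass, so the following added example (not code from the article, Wiz, or Azure) reconstructs its shape. The actual expression Azure used is not published in the source; only its behaviour is, namely that it accepted arbitrary trailing characters after the `database.azure.com` suffix. The weak and strict patterns, the `target` server name, `attackerdomain.com`, and every sample CN are constructed for illustration.

```python
import re
from typing import List, Optional

# Illustrative reconstruction (assumption): a replication-client CN check that is anchored
# only at the start and ends in ".*", so anything after the fixed suffix is accepted.
# The captured group is what the service would treat as the tenant server the replica
# claims to belong to.
WEAK_REPLICA_CN = re.compile(
    r"replication\.([a-z0-9-]+)\.database\.azure\.com.*", re.IGNORECASE
)

# Hardened form: used with fullmatch() so both ends are anchored, with the label limited to
# DNS-safe characters and no trailing data permitted after the fixed suffix.
STRICT_REPLICA_CN = re.compile(
    r"replication\.([a-z0-9-]{1,63})\.database\.azure\.com", re.IGNORECASE
)


def replica_server_weak(cn: str) -> Optional[str]:
    """Server name the weak check extracts from a client-cert CN, or None if rejected."""
    m = WEAK_REPLICA_CN.match(cn)
    return m.group(1).lower() if m else None


def replica_server_strict(cn: str) -> Optional[str]:
    """Server name only if the whole CN is exactly replication.<name>.database.azure.com."""
    m = STRICT_REPLICA_CN.fullmatch(cn)
    return m.group(1).lower() if m else None


def suspicious_cns(cns: List[str]) -> List[str]:
    """CNs the weak check accepts but the strict check rejects: the ExtraReplica bypass shape."""
    return [
        cn for cn in cns
        if replica_server_weak(cn) is not None and replica_server_strict(cn) is None
    ]


# Constructed sample CNs (no real certificates). "target" stands for the victim server's name
# and attackerdomain.com for a domain the attacker controls, mirroring the article's example.
SAMPLE_CNS = [
    "replication.target.database.azure.com",                     # legitimate replica identity
    "replication.target.database.azure.com.attackerdomain.com",  # attacker-issuable: under attacker's domain
    "replication.target.database.azure.comattackerdomain.com",   # no separator needed: ".*" takes anything
    "attacker.replication.target.database.azure.com",            # prefix attack: fails even the weak check
    "app.target.database.azure.com",                             # unrelated service CN: fails both
]

if __name__ == "__main__":
    for cn in SAMPLE_CNS:
        weak, strict = replica_server_weak(cn), replica_server_strict(cn)
        print(f"{cn:58} weak={str(weak):8} strict={strict}")
    print("flagged:", suspicious_cns(SAMPLE_CNS))
```

The weak check maps the attacker's certificate to `target`, so a server trusting it would treat the connection as that tenant's own replica; `fullmatch` against the strict pattern rejects the same CN. A format check on the name is still only half of an identity check: a replication channel should additionally accept certificates only from the CA the service itself controls, a point the article does not go into.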
## Exploitation
- Status: Vulnerability disclosed, **no evidence of exploitation in the wild** reported by Microsoft.
- Complexity: Not scored in the source; **high** in practice, since it required chaining code execution on an attacker-controlled instance with obtaining and presenting a specially crafted client certificate.
- Attack Vector: Network. Internal network access was obtained after compromising the attacker's own instance; the victim instance was then reached from inside the service network.
## Impact
- Confidentiality: **High** (Unauthorized read access to other customers' database content).
- Integrity: **Low to Medium** (the documented impact is read access through replication; the source does not demonstrate modification of another tenant's data).
- Availability: **Low** (The attack focused on data access, not denial of service).
## Remediation
### Patches
- Microsoft confirmed the issue has been **fully mitigated**. No specific patch version was provided as the issue was resolved server-side by Azure.
### Workarounds
- **No customer action is required**: the fix was applied on the Azure side and Microsoft states the mitigation is complete.
- **Defense in depth:** Only servers reachable via Public access were exposed; servers using Private access (VNet integration) were out of scope. Deploying Flexible Servers with Private access where possible is the configuration that kept a server unaffected by this attack.
## Detection
- Indicators of Compromise (IOCs): None published. Microsoft reported no evidence of exploitation.
- Detection methods and tools: Not detailed in the source. Because the faulty certificate check sat in the Azure-operated replication path, detection of this specific bypass falls primarily to the provider (for example, flagging replication client certificates whose CN carries an unexpected suffix after `database.azure.com`). Customers cannot observe the failed check directly; what they can review is whether their servers use Public or Private access.
## References
- Vendor Advisory: `aka.ms/PostgreSQLFlexible2022APR28` (Microsoft short link as given in the article)
- Research Post: Wiz Research, "ExtraReplica" (the full report summarized here)
- Cloud Vulnerability Documentation: `csp_security_mistakes` GitHub project