Wiz: Vulnerability In Microsoft Azure Database Allowed Access To Sensitive Customer Data
The flaw ‘broke one of the fundamental things about the cloud – that you can’t access another person’s data,’ says security provider Wiz.
Cloud security provider Wiz disclosed Thursday that earlier this year it alerted Microsoft about vulnerabilities the company said it found in the popular Azure Database for PostgreSQL Flexible Server – and Microsoft said in a blog post this morning that the problems have been fixed and that “our analysis revealed no customer data was accessed using this vulnerability.”
According to a Wiz blog post Thursday morning, the security flaws permitted Wiz researchers to effectively bypass tenant isolation and allow unauthorized cross-account read access to other customers’ cloud databases.
Shir Tamari, head of research at the Tel Aviv, Israel-based Wiz, told CRN that his company’s researchers discovered two key vulnerabilities that violated “fundamental premises” of cloud databases.
First, researchers discovered that they could effectively “take control” of their own cloud database and its code, something most cloud providers, including Microsoft, prohibit due to concerns over database stability, Tamari said.
Second and more significantly, Wiz researchers discovered that once they had taken effective control of the coding for their own cloud database, they could use their account as a base to access other customers’ sensitive data, Tamari said.
Sagi Tzadik, a security researcher at Wiz, said the access to other customers’ data “broke one of the fundamental things about the cloud – that you can’t access another person’s data.” But that’s exactly the critical flaw that researchers discovered in the Azure database, said Tzadik.
“We could actually review other people’s data,” Tzadik said. “You could find just about anything.”
Wiz researchers dubbed the access vulnerability “#ExtraReplica.” Tamari said it’s basically a classic privilege-escalation vulnerability.
In their blog post, Wiz researchers described #ExtraReplica as a serious vulnerability.
“If exploited, a malicious actor could have replicated and gained read access to Azure PostgreSQL Flexible Server customer databases,” Wiz researchers wrote. “Wiz Research disclosed #ExtraReplica to Microsoft in January 2022. Microsoft confirmed that the issue has been fully mitigated, and no action is required by Azure customers.”
In Microsoft’s blog post, the company seemed to acknowledge the potential seriousness of the now-fixed access problem.
“By exploiting an elevated permissions bug in the Flexible Server authentication process for a replication user, a malicious user could leverage an improperly anchored regular expression to bypass authentication to gain access to other customers’ databases,” Microsoft said in its post. “This was mitigated within 48 hours (on January 13, 2022).”
Microsoft’s blog added: “Our analysis revealed no customer data was accessed using this vulnerability. Azure updated all Flexible Servers to fix this vulnerability. No action is required by customers.”
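The root cause Microsoft names, an improperly anchored regular expression in an authentication check, is easy to reproduce in miniature. The following is an added illustration, not code from the article, from Wiz or from Microsoft: the peer naming scheme, the pattern and the sample identities are hypothetical, and the three checks show how an unanchored, a start-anchored and a fully anchored comparison differ.

```python
import re

# Constructed illustration of an authentication check that matches a peer's
# identity against a regular expression. The naming scheme, pattern and
# identities are hypothetical; they are not Azure's actual code.

# Hypothetical policy: a replication connection to server <name> is accepted
# only if the peer identifies as exactly "<name>.replica.example.internal".
def expected_pattern(server_name: str) -> str:
    return re.escape(server_name) + r"\.replica\.example\.internal"

def check_unanchored(server_name: str, peer_identity: str) -> bool:
    # Weak: re.search matches the pattern anywhere in the string, so any
    # identity that merely contains the expected name passes.
    return re.search(expected_pattern(server_name), peer_identity) is not None

def check_start_anchored(server_name: str, peer_identity: str) -> bool:
    # Still weak: re.match anchors only the start, so trailing text is ignored.
    return re.match(expected_pattern(server_name), peer_identity) is not None

def check_fully_anchored(server_name: str, peer_identity: str) -> bool:
    # Correct: re.fullmatch requires the entire identity to match the pattern.
    return re.fullmatch(expected_pattern(server_name), peer_identity) is not None

# Constructed identities: the legitimate peer and two that must be rejected.
IDENTITIES = [
    "db-a.replica.example.internal",                # legitimate
    "db-a.replica.example.internal.db-b.example",   # expected name as a prefix
    "xdb-a.replica.example.internal",               # expected name as a suffix
]

def evaluate(server_name: str = "db-a") -> dict:
    """Return {identity: (unanchored, start_anchored, fully_anchored)} verdicts."""
    return {
        ident: (
            check_unanchored(server_name, ident),
            check_start_anchored(server_name, ident),
            check_fully_anchored(server_name, ident),
        )
        for ident in IDENTITIES
    }

if __name__ == "__main__":
    for ident, verdicts in evaluate().items():
        print(f"{ident:46} search={verdicts[0]} match={verdicts[1]} fullmatch={verdicts[2]}")
```

Only the fully anchored check rejects both constructed look-alike identities; the start-anchored check still accepts the one that carries the expected name as a prefix.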
In their blog post, Wiz researchers said this wasn’t the first time they discovered security problems at Azure.
“We previously found vulnerabilities in Azure Cosmos DB,” they wrote, referring to another Microsoft cloud database service. “At BlackHat Europe 2021, we presented ‘ChaosDB: How We Hacked Databases of Thousands of Azure Customers’ — disclosing how we gained unrestricted access to the databases of Microsoft Azure customers through a chain of misconfigurations in Azure Cosmos DB.”