HomeWinBuzzer NewsAzure PostgreSQL "ExtraReplica" Vulnerability Gets Patch from Microsoft

Azure PostgreSQL “ExtraReplica” Vulnerability Gets Patch from Microsoft

A chain of vulnerabilities in Microsoft’s Azure PostgreSQL could allow attacks but has already been patched by the company.

-

has sent out a patch for a vulnerability in its Azure PostgreSQL service. According to researchers who published an advisory on the “ExtraReplica” flaw, it could allow a threat actor to exploit the bug and execute malicious code to take over a system.

Found by the security firm Wiz Research, the ExtraReplica flaw in Azure PostgreSQL is a database vulnerability. In an advisory published this week, the team says the bug could leave to exploit on cloud services.

“This vulnerability allows unauthorized read access to other customers' PostgreSQL databases, bypassing tenant isolation. If exploited, a malicious actor could have replicated and gained read access to Azure PostgreSQL Flexible Server customer databases.”

According to the researchers, ExtraReplica is a “chain” of flaws in PostgreSQL that an attacker could exploit to bypass the tenant isolation in Azure. The base of an attack would be exploiting a vulnerability that attackers could exploit and gain access to PostgreSQL databases without needing authorized access.

Attack

When the threat actor picks a Flexible Server to attack on PostgreSQL, they will need to find the relevant Azure region for the victim. This can be done by matching the database domain name to the Azure public IP.

The attacker then creates a database in the same region as the target system. One of the vulnerabilities allows the attacker to create superuser privileges that allow them to execute code. The next flaw is in the certificate which allows the attack to replicate it to gain wider access.

Microsoft has known about the bug since January and was able to replicate the flaw. Wiz was given a $40,000 bug bounty for finding the vulnerability and Microsoft rolled out a fix back on February 25. Microsoft says there have been no recorded in the wild.

Tip of the day: Do you sometimes face issues with where it doesn't find files or return results? Check our tutorial to see how to fix Windows search via various methods.

SourceWiz
Luke Jones
Luke Jones
Luke has been writing about all things tech for more than five years. He is following Microsoft closely to bring you the latest news about Windows, Office, Azure, Skype, HoloLens and all the rest of their products.

Recent News