MSRC was informed by Wiz, a cloud security vendor, under Coordinated Vulnerability Disclosure (CVD) of an issue with the Azure Database for PostgreSQL Flexible Server that could result in unauthorized cross-account database access within a region. By exploiting an elevated permissions bug in the Flexible Server authentication process for a replication user, a malicious user could leverage an improperly anchored regular expression to bypass authentication and gain access to other customers' databases. This was mitigated within 48 hours (on January 13, 2022).
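The advisory attributes the authentication bypass to an improperly anchored regular expression in the replication-user check. The following added example is not Microsoft's or Wiz's code, and the service's real pattern and name format are not given on this page; the expected identity, the presented names and the checker functions are constructed placeholders. It shows the general defect and its fix: a search-style match accepts any presented name that merely contains (or wildcard-matches) the expected one, while a fully anchored match on the escaped literal accepts only the exact expected name.

```python
import re

# Constructed placeholder for the identity a replication client is expected
# to present (for instance, a certificate common name). Not the real format.
EXPECTED_REPLICATION_NAME = "replication.server-a.example.internal"

# Weak check: the pattern is anchored at neither end and '.' is an unescaped
# metacharacter, so re.search() accepts any name that contains a match, with
# any character standing in for each dot.
WEAK_PATTERN = re.compile("replication.server-a.example.internal")


def weak_is_replication_user(presented_name: str) -> bool:
    """Improperly anchored check (the defect class described on the page)."""
    return WEAK_PATTERN.search(presented_name) is not None


# Hardened check: escape the literal so dots are dots, and use fullmatch(),
# which anchors the pattern at both the start and the end of the string.
STRICT_PATTERN = re.compile(re.escape(EXPECTED_REPLICATION_NAME))


def strict_is_replication_user(presented_name: str) -> bool:
    """Anchored, escaped check: only the exact expected name passes."""
    return STRICT_PATTERN.fullmatch(presented_name) is not None


def exact_is_replication_user(presented_name: str) -> bool:
    """For a single fixed identity, plain equality needs no regex at all."""
    return presented_name == EXPECTED_REPLICATION_NAME


# Constructed presented names: the first is legitimate; the others differ
# from it only in ways the weak check cannot distinguish.
CASES = [
    EXPECTED_REPLICATION_NAME,                               # legitimate
    "replication.server-a.example.internal.other.test",     # trailing suffix (no end anchor)
    "x-replication.server-a.example.internal",              # leading prefix (no start anchor)
    "replicationXserver-aXexampleXinternal",                # '.' matched as a wildcard
]


def evaluate(checker) -> dict:
    """Map each constructed name to the verdict of the given checker."""
    return {name: checker(name) for name in CASES}


if __name__ == "__main__":
    for label, checker in [("weak", weak_is_replication_user),
                           ("strict", strict_is_replication_user),
                           ("exact", exact_is_replication_user)]:
        print(label)
        for name, accepted in evaluate(checker).items():
            print(f"  {str(accepted):5}  {name}")
```

Running the block prints that the weak checker accepts all four names while the strict and exact checkers accept only the first. The review point for any identity check built on a regex is therefore twofold: the pattern must be anchored at both ends (`fullmatch`, or explicit `\A` and `\Z`), and every literal in it must be escaped; when the identity is a fixed string, an equality comparison removes the regex risk entirely.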
All Flexible Server Postgres servers deployed using the public access networking option were impacted with this security vulnerability. Customers using the private access networking option were not exposed to this vulnerability. The Single Server offering of Postgres was not impacted.
Our analysis revealed no customer data was accessed using this vulnerability. Azure updated all Flexible Servers to fix this vulnerability.
No action is required by customers. To further minimize exposure, we recommend that customers enable private network access when setting up their Flexible Server instances. For information about this, please see the Flexible Server networking documentation.
Microsoft took the following steps after this issue was brought to our attention:
We took a proactive approach and first addressed the most critical vulnerability, the cross-tenant attack, by blocking lateral data access between customers. These fixes were rolled out worldwide on January 13, 2022.
During that patch rollout, we also ensured that all newly created servers blocked both the elevated privileged access and the remote code access.
After fixes were deployed, our security teams and Wiz validated the fixes.
By February 25, 2022, we had finished updating the entire fleet of existing servers, which addressed the remaining issues. The fixes included:
The following were the steps used to gain elevation of privilege and remote code execution:
Wiz has posted a blog about this issue available here. We would like to thank Wiz who found this issue and worked closely with Microsoft to help secure our customers.