Multiple critical vulnerabilities in Azure Database for PostgreSQL Flexible Server were recently discovered and fixed, Microsoft has announced in a security advisory.
As reported by BleepingComputer, the vulnerabilities could have allowed malicious users to escalate privileges and access customer databases. Luckily, the exploit was not used to attack Azure customers before the fix was issued, and no data was taken, Microsoft confirmed.
Given that the patch was deployed more than a month ago, Azure customers need to take no additional steps to protect their endpoints.
Share your thoughts on Cybersecurity and get a free copy of the Hacker's Manual 2022. Help us find how businesses are preparing for the post-Covid world and the implications of these activities on their cybersecurity plans. Enter your email at the end of this survey to get the bookazine, worth $10.99/£10.99.
With Flexible Server, Azure Database for PostgreSQL users have more control over their databases. However, in this case, Flexible Server had created an opening for attack.
"By exploiting an elevated permissions bug in the Flexible Server authentication process for a replication user, a malicious user could leverage an improperly anchored regular expression to bypass authentication to gain access to other customers’ databases," Microsoft said.
"This was mitigated within 48 hours (on January 13, 2022). Customers using the private access networking option were not exposed to this vulnerability. The Single Server offering of Postgres was not impacted."
By the end of February, all fixes were deployed, Microsoft went on to explain.
Still, the company said it would be wise to deploy PostgreSQL flexible servers on Azure virtual networks (VNet), as they provide private and secure network communication.
"In order to further minimize exposure, we recommend that customers enable private network access when setting up their Flexible Server instances," the company said.
Wiz Research, the cloud security company that first discovered the bug, dubbed it ExtraReplica, and added that there were some challenges to keeping track of cloud vulnerabilities.
"As with other cloud vulnerabilities, this issue did not receive a CVE identifier (unlike software vulnerabilities). It is not recorded or documented in any database," it said. "The absence of such a database impairs the ability of customers to monitor, track, and respond to cloud vulnerabilities."
Are you a pro? Subscribe to our newsletter
Sign up to the TechRadar Pro newsletter to get all the top news, opinion, features and guidance your business needs to succeed!
Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.