Page 195 - Cyber Defense eMagazine Special RSA Conference Annual Edition for 2022
Azure PostgreSQL User Databases Were Exposed Due to Critical Vulnerabilities
By Randy Reiter, CEO of Don’t Be Breached
In April 2022, Microsoft reported that vulnerabilities in its Azure Database for PostgreSQL could have let hackers gain access to other customers' databases after bypassing authentication. "By exploiting an elevated permissions bug in the Flexible Server authentication process for a replication user, a malicious user could leverage an improperly anchored regular expression to bypass authentication to gain access to other customers’ databases," the Microsoft Security Response Center reported.
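The "improperly anchored regular expression" class of bug the MSRC statement refers to, as an added illustration that is not Microsoft's or Wiz's code: the pattern, host names and function names below are constructed for this example and do not reproduce the actual Azure check.

```python
import re

# Constructed tenant-host shape for illustration only (not the real Azure pattern).
TENANT_HOST = r"[a-z0-9-]+\.flexible\.example-cloud\.test"

# Weak: no anchors, so any identity that merely CONTAINS a valid-looking host passes.
UNANCHORED = re.compile(TENANT_HOST)

# Still weak in Python: '$' also matches just before a trailing newline.
DOLLAR_ANCHORED = re.compile(r"^" + TENANT_HOST + r"$")

# Fixed: \A and \Z force the WHOLE identity to have the expected shape.
ANCHORED = re.compile(r"\A" + TENANT_HOST + r"\Z")


def is_trusted_replication_peer(identity: str, pattern: re.Pattern) -> bool:
    """Return True if the presented peer identity passes the given regex check.

    search() is used deliberately so the pattern alone decides how strict the
    check is, mirroring an authentication routine that trusts its regex.
    """
    return pattern.search(identity) is not None


def check_all(identities, pattern) -> dict:
    """Evaluate a batch of peer identities against one pattern."""
    return {i: is_trusted_replication_peer(i, pattern) for i in identities}


# Constructed sample identities: one legitimate, two with attacker-controlled
# surrounding text, one with a trailing newline.
SAMPLES = [
    "tenant-a.flexible.example-cloud.test",
    "tenant-a.flexible.example-cloud.test.attacker.example",
    "attacker.example/tenant-a.flexible.example-cloud.test",
    "tenant-a.flexible.example-cloud.test\n",
]

if __name__ == "__main__":
    for name, pat in [("unanchored", UNANCHORED),
                      ("dollar-anchored", DOLLAR_ANCHORED),
                      ("fully anchored", ANCHORED)]:
        print(name)
        for ident, ok in check_all(SAMPLES, pat).items():
            print(f"  {ok!s:5} {ident!r}")
```

Only the fully anchored pattern rejects all three malformed identities; the unanchored one accepts every sample.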
The cloud security firm Wiz's research team discovered the security vulnerabilities. "An attacker could create a full copy of a target database in Azure PostgreSQL [Flexible Server], essentially exfiltrating all the information stored in the database," says Ami Luttwak, co-founder and CTO at Wiz.
Microsoft said it mitigated the issue on Jan. 13, 2022, less than 48 hours after Wiz had notified it of the issue. Microsoft said its analysis showed no evidence of attackers having exploited the vulnerabilities to access customer data. Wiz said Microsoft awarded its researchers a $40,000 bug bounty, an amount that can be viewed as confirmation of the vulnerability’s severity.