Two Critical Flaws Found in Alibaba Cloud's PostgreSQL Databases
A chain of two critical flaws has been disclosed in Alibaba Cloud's ApsaraDB RDS for PostgreSQL and AnalyticDB for PostgreSQL that could be exploited to breach tenant isolation protections and access sensitive data belonging to other customers.
"The vulnerabilities potentially allowed unauthorized access to Alibaba Cloud customers' PostgreSQL databases and the ability to perform a supply chain attack on both Alibaba database services, leading to an RCE on Alibaba database services," cloud security firm Wiz said in a new report shared with The Hacker News.
The issues, dubbed BrokenSesame, were reported to Alibaba Cloud in December 2022, following mitigations were deployed by the company on April 12, 2023. There is no evidence to suggest that the weaknesses were exploited in the wild.
In a nutshell, the vulnerabilities – a privilege escalation flaw in AnalyticDB and a remote code execution bug in ApsaraDB RDS – made it possible to elevate privileges to root within the container, escape to the underlying Kubernetes node, and ultimately obtain unauthorized access to the API server.
Armed with this capability, an attacker could retrieve credentials associated with the container registry from the API server and push a malicious image to gain control of customer databases belonging to other tenants on the shared node.
"The credentials used to pull images were not scoped correctly and allowed push permissions, laying the foundation for a supply-chain attack," Wiz researchers Ronen Shustin and Shir Tamari said.
This is not the first time PostgreSQL vulnerabilities have been identified in cloud services. Last year, Wiz uncovered similar issues in Azure Database for PostgreSQL Flexible Server (ExtraReplica) and IBM Cloud Databases for PostgreSQL (Hell's Keychain).
Source: thehackernews.com
Bạn cũng có thể quan tâm
John&Partners, LLC. Cybersecurity
7443 Brompton, Houston, Texas 77025 , USA