A series of two critical vulnerabilities have been exposed in Alibaba Cloud’s ApsaraDB RDS for PostgreSQL and AnalyticDB for PostgreSQL that could be exploited to breach tenant isolation protections and access other customers’ sensitive data.
“The vulnerability could potentially allow unauthorized access to Alibaba Cloud’s customer PostgreSQL database and the ability to perform supply chain attacks on both of Alibaba’s database services, leading to RCE on Alibaba’s database service,” cloud security firm Wiz said in a new report shared with The Hacker News.
That problemnicknamed BrokenSesamereported to Alibaba Cloud in December 2022, following the mitigation implemented by the company on April 12, 2023. There is no evidence to suggest that the vulnerability was wildly exploited.
In short, the vulnerabilities – a privilege escalation flaw in AnalyticDB and a remote code execution bug in ApsaraDB RDS – allow elevated privileges to root within the container, escape to the underlying Kubernetes nodes, and ultimately gain unauthorized access to the API server.
Armed with this capability, an attacker can retrieve credentials associated with the container registry from an API server and push a malicious image to gain control of another tenant’s customer database on the shared node.
“The credentials used to pull the image were not properly scoped and allowed push permissions, laying the groundwork for a supply chain attack,” said researchers Wiz Ronen Shustin and Shir Tamari.
This is not the first time a PostgreSQL vulnerability has been identified in a cloud service. Last year, Wiz encountered a similar issue in Azure Database for PostgreSQL Flexible Server (ExtraReplica) and IBM Cloud Databases for PostgreSQL (Hell’s Keychain).
The find appears as Palo Alto Networks Unit 42, within Cloud Threat Reportdisclosed that “threat actors have become adept at exploiting common, everyday problems in the cloud,” including misconfigurations, weak credentials, lack of authentication, unpatched vulnerabilities, and malicious open source software (OSS) packages.
“76% of organizations do not implement MFA (multi-factor authentication) for console users, while 58% of organizations do not implement MFA for root/admin users,” said the cybersecurity firm.