Home Security Two Essential Flaws Present in Alibaba Cloud’s PostgreSQL Databases

Two Essential Flaws Present in Alibaba Cloud’s PostgreSQL Databases

by crpt os


Apr 20, 2023Ravie LakshmananCloud Security / Vulnerability

A chain of two critical flaws has been disclosed in Alibaba Cloud’s ApsaraDB RDS for PostgreSQL and AnalyticDB for PostgreSQL that could be exploited to breach tenant isolation protections and access sensitive data belonging to other customers.

“The vulnerabilities potentially allowed unauthorized access to Alibaba Cloud customers’ PostgreSQL databases and the ability to perform a supply chain attack on both Alibaba database services, leading to an RCE on Alibaba database services,” cloud security firm Wiz said in a new report shared with The Hacker News.

The issues, dubbed BrokenSesame, were reported to Alibaba Cloud in December 2022, following mitigations were deployed by the company on April 12, 2023. There is no evidence to suggest that the weaknesses were exploited in the wild.

In a nutshell, the vulnerabilities – a privilege escalation flaw in AnalyticDB and a remote code execution bug in ApsaraDB RDS – made it possible to elevate privileges to root within the container, escape to the underlying Kubernetes node, and ultimately obtain unauthorized access to the API server.

Armed with this capability, an attacker could retrieve credentials associated with the container registry from the API server and push a malicious image to gain control of customer databases belonging to other tenants on the shared node.

Alibaba Cloud PostgreSQL Databases

“The credentials used to pull images were not scoped correctly and allowed push permissions, laying the foundation for a supply-chain attack,” Wiz researchers Ronen Shustin and Shir Tamari said.

This is not the first time PostgreSQL vulnerabilities have been identified in cloud services. Last year, Wiz uncovered similar issues in Azure Database for PostgreSQL Flexible Server (ExtraReplica) and IBM Cloud Databases for PostgreSQL (Hell’s Keychain).

UPCOMING WEBINAR

Defend with Deception: Advancing Zero Trust Security

Discover how Deception can detect advanced threats, stop lateral movement, and enhance your Zero Trust strategy. Join our insightful webinar!

Save My Seat!

The findings come as Palo Alto Networks Unit 42, in its Cloud Threat Report, revealed that “threat actors have become adept at exploiting common, everyday issues in the cloud,” including misconfigurations, weak credentials, lack of authentication, unpatched vulnerabilities and malicious open source software (OSS) packages.

“76% of organizations don’t enforce MFA [multi-factor authentication] for console users, while 58% of organizations don’t enforce MFA for root/admin users,” the cybersecurity firm said.

Found this article interesting? Follow us on Twitter and LinkedIn to read more exclusive content we post.





Source link

Related Articles

xxxanti beeztube.mobi hot sexy mp4 menyoujan hentaitgp.net jason voorhees hentai indian soft core chupatube.net youjzz ez2 may 8 2023 pinoycinema.org ahensya ng pamahalaan pakistani chut ki chudai pimpmovs.com www xvedio dost ke papa zztube.mobi 300mbfilms.in صور مص الزب arabporna.net نهر العطش لمن تشعر بالحرمان movierulz plz.in bustyporntube.info how to make rangoli video 穂高ゆうき simozo.net 四十路五十路 ロシアav javvideos.net 君島みお 無修正 افلام سكس في المطبخ annarivas.net فيلم سكس قديم rashmi hot videos porncorn.info audiosexstories b grade latest nesaporn.pro high school girls sex videos real life cam eroebony.info painfull porn exbii adult pics teacherporntrends.com nepali school sex