A vulnerability in Microsoft Azure allowed customers to find and copy the databases of fellow customers.
Microsoft Azure Database for PostgreSQL Flexible Server is a widely used database service. Organizations assume that Microsoft shields their databases from fellow customers, a guarantee known as ‘tenant isolation’. The assumption is false. Security researchers from Wiz found a way to view and copy customer databases.
When creating an instance, customers are presented with two network options: public access and private access. When choosing public access, the server ends up in one of several internal Azure networks. Microsoft is supposed to guarantee privacy and security by shielding the network. Wiz created an instance and abused a vulnerability to monitor the databases of fellow customers in the same network. Eventually, the team managed to find and copy the database of another account.
In this case, the account belonged to Wiz. No one was harmed. A cybercriminal could have taken the same steps to steal entire databases from fellow customers. As far as Microsoft knows, the latter never happened. Nevertheless, the discovery points to a serious problem. Zero-day vulnerabilities occur everywhere, including in services from the world’s largest providers.
Private access
Azure isn’t safe by definition. Configurations make the difference. The Wiz vulnerability has a number of limitations. The team did not find a way to crack databases configured with private access.
As mentioned earlier, every customer chooses between two network options when creating an instance: private access and public access. Private access is reserved for organizations running an Azure virtual network (VNet). When opting for private access, the database server is only accessible to systems in the same VNet, or systems that connect with a VPN. When opting for public access, the database is accessible via a public DNS address, which allows a range of connections.
Not everyone has the motivation or capacity to manage a VNet. Organizations without a VNet typically opt for public access. This is not necessarily a bad choice: public access instances can be configured securely as well. In this case, Microsoft was at fault. Wiz bypassed several security measures to find public access instances. Private access instances run in a private network, which is essentially untraceable from the outside.
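As an added illustration (not code from Wiz or Microsoft), the sketch below audits an inventory of Flexible Server instances for the access mode described above and, for public access instances, reports firewall rules that admit more sources than intended. The field names follow the shape of `az postgres flexible-server list` output and are an assumption here, as are the merged-in `firewallRules` list, the sample servers and the `MAX_ADDRESSES` threshold.

```python
import ipaddress
import json

# Constructed sample inventory (not real data). Field names are assumed to follow
# `az postgres flexible-server list`; "firewallRules" is merged in for convenience.
SAMPLE = json.loads("""[
 {"name": "orders-db", "network": {"publicNetworkAccess": "Disabled",
   "delegatedSubnetResourceId": "/subscriptions/EXAMPLE/subnets/db"}, "firewallRules": []},
 {"name": "crm-db", "network": {"publicNetworkAccess": "Enabled", "delegatedSubnetResourceId": null},
  "firewallRules": [{"name": "office", "startIpAddress": "203.0.113.10", "endIpAddress": "203.0.113.20"}]},
 {"name": "test-db", "network": {"publicNetworkAccess": "Enabled", "delegatedSubnetResourceId": null},
  "firewallRules": [{"name": "azure", "startIpAddress": "0.0.0.0", "endIpAddress": "0.0.0.0"},
                    {"name": "any", "startIpAddress": "0.0.0.0", "endIpAddress": "255.255.255.255"}]}
]""")

MAX_ADDRESSES = 256  # assumed policy threshold: wider rules are reported

def rule_findings(rule):
    """Return the findings for one firewall rule of a public access server."""
    start = int(ipaddress.ip_address(rule["startIpAddress"]))
    end = int(ipaddress.ip_address(rule["endIpAddress"]))
    if start == 0 and end == 0:
        # Azure convention: 0.0.0.0-0.0.0.0 admits every Azure-hosted source,
        # which includes resources owned by other customers.
        return ["allows all Azure services"]
    if end < start:
        return ["invalid range"]
    size = end - start + 1
    return [f"wide range ({size} addresses)"] if size > MAX_ADDRESSES else []

def audit(servers):
    """Map server name -> (access mode, list of findings)."""
    report = {}
    for s in servers:
        net = s.get("network") or {}
        private = (bool(net.get("delegatedSubnetResourceId"))
                   or net.get("publicNetworkAccess") == "Disabled")
        if private:
            report[s["name"]] = ("private", [])
            continue
        findings = [f"{r['name']}: {f}"
                    for r in s.get("firewallRules", []) for f in rule_findings(r)]
        report[s["name"]] = ("public", findings)
    return report

if __name__ == "__main__":
    for name, (mode, findings) in audit(SAMPLE).items():
        print(name, mode, findings or "ok")
```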
Resolved
Wiz informed Microsoft in January of this year. Microsoft was able to reproduce the vulnerability and rewarded Wiz with 38,000 euros. The vulnerability was patched in February. Customers do not have to take action: the modifications have already been implemented.