By Randy Reiter CEO of Don’t Be Breached
April, 2022 Microsoft reported that vulnerabilities in its Azure Database for PostgreSQL could have let Hackers gain access to other customers’ databases after bypassing authentication. “By exploiting an elevated permissions bug in the Flexible Server authentication process for a replication user, a malicious user could leverage an improperly anchored regular expression to bypass authentication to gain access to other customers’ databases” the Microsoft Security Response Center reported.
The cloud security firm Wiz’s research team discovered the security vulnerabilities. An attacker could create a full copy of a target database in Azure PostgreSQL [Flexible Server], essentially exfiltrating all the information stored in the database, says Ami Luttwak, co-founder and CTO at Wiz.
Microsoft said it mitigated the issue on Jan. 13, 2022, less than 48 hours after Wiz had notified it of the issue. Microsoft said its analysis showed no evidence of attackers having exploited the vulnerabilities to access customer data. Wiz said Microsoft awarded its researchers a $40,000 bug bounty — the amount can be viewed as confirmation of the vulnerability’s severity.
How to Have Exploited the Database Vulnerability
As explained by Microsoft, the Wiz researchers went through the following steps to gain elevated privileges and remote code execution, which allowed them to bypass cross-account authentication using a forged certificate and access other customers’ databases:
- Choose a target PostgreSQL Flexible Server.
- Retrieve the target’s common name from the Certificate Transparency feed.
- Purchase a specially crafted certificate from DigiCert or a DigiCert Intermediate Certificate Authority.
- Find the target’s Azure region by resolving the database domain name and matching it to one of Azure’s public IP ranges.
- Create an attacker-controlled database in the target’s Azure region.
- Exploit vulnerability #1 on the attacker-controlled instance to escalate privileges and gain code execution.
- Scan the subnet for the target instance and exploit vulnerability #2 to gain read access!
How to Prevent Data Exfiltration and Data Breaches in Todays Complex Environment
Multiple layers of data protection are required today to prevent Data Exfiltration and Data Breaches. In 2020 the DHS, Department of State, U.S. Marine Corps and the Missile Defense Agency recognized this and all issued requests for proposals (RFP) for network full packet data capture for Deep Packet Inspection analysis (DPI) of network traffic. This is an important step forward protecting confidential database data and organization information.
Zero-day vulnerabilities that allow hackers to gain system privileges are a major threat to all organizations encrypted and unencrypted confidential data. Confidential data includes: credit card, tax ID, medical, social media, corporate, manufacturing, trade secrets, law enforcement, defense, homeland security, power grid and public utility data. This confidential data is almost always stored in DB2, Informix, MariaDB, Microsoft SQL Server, MySQL, Oracle, PostgreSQL and SAP Sybase databases.
How to Stop Data Exfiltration and Data Breaches with Deep Packet Inspection
Protecting encrypted and unencrypted confidential database data is much more than securing databases, operating systems, applications and the network perimeter against Hackers, Rogue Insiders and Supply Chain Attacks.
Non-intrusive network sniffing technology can perform a real-time Deep Packet Inspection (DPI) of 100% the database activity from a network tap or proxy server with no impact on the database servers. The database SQL activity is very predictable. Database servers servicing 1,000 to 10,000 end-users typically process daily 2,000 to 10,000 unique queries or SQL commands that run millions of times a day. Deep Packet Analysis does not require logging into the monitored networks, servers or databases. This approach can provide CISOs with what they can rarely achieve. Total visibility into the database activity 24×7 and 100% protection of confidential database data.
Advanced SQL Behavioral Analysis from DPI Prevents Data Exfiltration and Data Breaches
Advanced SQL Behavioral Analysis of 100% of the real-time database SQL packets can learn what the normal database activity is. Now the database query and SQL activity can be non-intrusively monitored in real-time with DPI and non-normal SQL activity immediately pinpointed. This approach is inexpensive to setup and has a low cost of operation. Now non-normal database activity from Hackers, Rogue Insiders or and Supply Chain Attacks can be detected in a few milli seconds. The Security Team can be immediately notified and the Hacker session terminated so that confidential database data is not stolen, ransomed or sold on the Dark Web.
About the Author
Randy Reiter is the CEO of Don’t Be Breached a Sql Power Tools company. He is the architect of the Database Cyber Security Guard product, a database Data Breach prevention product for DB2, Informix, MariaDB, Microsoft SQL Server, MySQL, Oracle, PostgreSQL, and SAP Sybase databases. He has a Master’s Degree in Computer Science and has worked extensively over the past 25 years with real-time network sniffing and database security. Randy can be reached online at rreiter@DontBeBreached.com, www.DontBeBreached.com and www.SqlPower.com/Cyber-Attacks.