How Wiz Research uncovered multiple related vulnerabilities in PostgreSQL-as-a-Service offerings from GCP, Azure, and others.
Analysis Summary
# Vulnerability: Cloud Provider Modifications Leading to Remote Code Execution in Managed PostgreSQL Services
## CVE Details
- CVE ID: None listed in the source for the combined findings. The Azure issue, **ExtraReplica** (Azure Database for PostgreSQL, Flexible Server), was disclosed in April 2022; no CVE identifiers are given for the newly detailed GCP findings.
- CVSS Score: Not provided.
- CWE: Not stated. Depending on the specific execution flaw, the closest fits are CWE-264 (Permissions, Privileges, and Access Controls) or CWE-78 (Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')).
## Affected Systems
- Products:
  - Azure Database for PostgreSQL (Flexible Server)
  - Google Cloud Platform (GCP) Cloud SQL (PostgreSQL offering)
- Versions: Not specified; any version carrying the CSP-introduced modifications is affected.
- Configurations: Managed PostgreSQL-as-a-Service offerings where cloud providers modified the PostgreSQL source code or added custom configurations/extensions to facilitate multi-tenancy adjustments.
## Vulnerability Description
Multiple major Cloud Service Providers (CSPs) introduced modifications (either source code forks or custom extensions/configurations) to the open-source PostgreSQL project to adapt it for their multi-tenant managed database environments. These modifications, intended to grant users semi-administrative powers (like creating event triggers or loading extensions) while restricting filesystem access, contained exploitable flaws. These vulnerabilities allowed researchers to execute arbitrary commands on the vendor-managed compute instances hosting the database engines, effectively gaining an initial foothold within the CSP infrastructure. In the case of Azure PostgreSQL specifically, this could lead to unauthorized cross-tenant data access.
## Exploitation
- Status: Wiz Research performed detailed exploitation in lab environments. The Azure vulnerability (**ExtraReplica**) was previously disclosed (April 2022). The GCP findings detailed here represent successful exploitation for an initial foothold.
- Complexity: Not stated; implied to be **Medium** to **High**, since achieving RCE or a foothold requires understanding highly specific vendor customizations.
- Attack Vector: Not stated; likely **Local** (exercised through database user privileges) leading to **Network**-level access on the underlying infrastructure.
## Impact
- Confidentiality: **High** (Potential for unauthorized cross-tenant data access in lax isolation scenarios like Azure).
- Integrity: **High** (Ability to execute arbitrary commands on the host system).
- Availability: **Medium to High** (Ability to disrupt service on the affected instance).
## Remediation
### Patches
- **Azure Database for PostgreSQL (Flexible Server):** Issues related to ExtraReplica were addressed following the April 2022 disclosure.
- **Google Cloud Platform Cloud SQL:** Specific patches for the newly detailed vulnerabilities are not listed, but the announcement implies remediation efforts are underway or completed.
- **General:** The article notes that some providers are releasing hardenings as open-source projects, which centralizes CVE tracking and fixes.
### Workarounds
- While no specific technical workarounds are provided in this excerpt, the primary mitigation discussed is the **enforcement of strict tenant isolation**. Services that maintain stronger isolation models (like GCP Cloud SQL in the researcher's assessment) exhibit lower impact even if the underlying vulnerability is exploitable.
## Detection
- No specific Indicators of Compromise (IOCs) for the newly detailed GCP findings are provided.
- **Detection Strategy:** Monitor for unusual activity originating from database user sessions that exercise the customized permissions (e.g., interaction with extensions, event triggers, or server configuration beyond standard DB operations). Monitoring the underlying vendor-managed compute instances for unauthorized command execution is also important, since that is where a successful exploit lands.
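As an added illustration of the detection strategy above (this is example code written for this page, not Wiz's or any vendor's tooling), the following script scans PostgreSQL-style statement logs and flags the semi-administrative operations the summary names (event triggers, extension loading, library loading, server configuration) when they are issued by a role outside an expected admin set. The log format, the `log_line_prefix` layout, the role names and the statements are all constructed for the example.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Set

# Constructed sample log lines in a PostgreSQL-style format (assumed
# log_line_prefix of '%m [%p] %u@%d '); not taken from any real deployment.
SAMPLE_LOG = """\
2024-05-01 10:00:01.123 UTC [4021] appuser@appdb LOG:  statement: SELECT id, name FROM customers WHERE id = 42
2024-05-01 10:00:02.456 UTC [4021] appuser@appdb LOG:  statement: CREATE EVENT TRIGGER on_ddl ON ddl_command_end EXECUTE FUNCTION log_ddl()
2024-05-01 10:00:03.789 UTC [4022] appuser@appdb LOG:  statement: CREATE EXTENSION IF NOT EXISTS pg_stat_statements
2024-05-01 10:00:04.012 UTC [4023] dbadmin@postgres LOG:  statement: CREATE EXTENSION pgcrypto
2024-05-01 10:00:05.345 UTC [4024] appuser@appdb LOG:  statement: ALTER SYSTEM SET log_statement = 'none'
2024-05-01 10:00:06.678 UTC [4025] appuser@appdb LOG:  statement: load 'some_lib'
2024-05-01 10:00:07.901 UTC [4026] appuser@appdb LOG:  statement: UPDATE customers SET name = 'x' WHERE id = 42
"""

# Parses one line of the assumed prefix format into timestamp, pid, role, database, SQL.
LINE_RE = re.compile(
    r"^(?P<ts>\S+ \S+ \S+) \[(?P<pid>\d+)\] (?P<user>[^@\s]+)@(?P<db>\S+) "
    r"LOG:\s+statement: (?P<sql>.*)$"
)

# Statement shapes that exercise the customized, semi-administrative surface
# described in the summary. Order matters only for which label is reported.
RULES = [
    ("event_trigger", re.compile(r"^\s*(CREATE|ALTER|DROP)\s+EVENT\s+TRIGGER\b", re.I)),
    ("extension", re.compile(r"^\s*(CREATE|ALTER|DROP)\s+EXTENSION\b", re.I)),
    ("load_library", re.compile(r"^\s*LOAD\s+'", re.I)),
    ("server_config", re.compile(r"^\s*ALTER\s+SYSTEM\b", re.I)),
]

# Roles expected to perform such operations (constructed); anything else is flagged.
EXPECTED_ADMIN_ROLES: Set[str] = {"dbadmin"}


@dataclass(frozen=True)
class Finding:
    timestamp: str
    user: str
    database: str
    rule: str
    statement: str


def classify_statement(sql: str) -> Optional[str]:
    """Return the rule name a statement matches, or None for ordinary DML/queries."""
    for name, pattern in RULES:
        if pattern.search(sql):
            return name
    return None


def scan_log(text: str, admin_roles: Set[str] = EXPECTED_ADMIN_ROLES) -> List[Finding]:
    """Flag privileged-surface statements issued by roles outside admin_roles."""
    findings: List[Finding] = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # not a statement line in the assumed format
        rule = classify_statement(m["sql"])
        if rule is None or m["user"] in admin_roles:
            continue
        findings.append(Finding(m["ts"], m["user"], m["db"], rule, m["sql"].strip()))
    return findings


if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f"{f.timestamp} {f.user}@{f.database} [{f.rule}] {f.statement}")
```

Running it against the constructed sample reports four findings, all from `appuser`: the event trigger creation, the extension creation, the `ALTER SYSTEM` change (which, in the sample, attempts to turn statement logging off), and the `LOAD`. The admin role's `CREATE EXTENSION` is suppressed by the allowlist. In a real deployment the statement logging itself must be enabled and shipped off-instance, since a tenant session that can alter server configuration could otherwise silence it.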
## References
- Vendor advisories: specific advisories for the new GCP findings are implied to follow or to be covered by vendor coordination.
- Azure ExtraReplica: previously disclosed in April 2022.
- Relevant links (defanged):
  - Wiz blog post discussing ExtraReplica: hxxps://www.wiz.io/blog/wiz-research-discovers-extrareplica-cross-account-database-vulnerability-in-azure-postgresql/