Pwning Cloud Vendors with Untraditional PostgreSQL Vulnerabilities presented at Black Hat USA 2022

by Shir Ohfeld,

Tags: Cloud & Platform Security, Exploit Development

Summary: Cloud service providers often provide popular and beloved open-source solutions as multi-tenant managed services. This is a significant power of the cloud - to offer anything as a scalable, managed service. However, these projects were not built with multi-tenancy in mind, and therefore, their adoption relies on multiple modifications and adjustments by the cloud vendor.

Our team explored PostgreSQL-as-a-Service offered by multiple cloud providers and found a series of vulnerabilities related to its implementation as a multi-tenant service, including severe isolation issues. The impact of these vulnerabilities can be wide-reaching as they may become the starting point for a cross-account access attack; as we recently demonstrated in the “ExtraReplica” vulnerability, a Postgres vulnerability leads to cross-account access of customer databases in Azure Postgres Flexible server service. This is the first-of-a-kind cloud implementation vulnerability in a platform-as-a-service offering, affecting multiple cloud providers simultaneously. In this session, we will explain the Postgres vulnerabilities and how they lead us to find cloud isolation vulnerabilities. We will also peek at the services' internals, which we were privileged to see after executing our code on the platform. We will explain how we used these vulnerabilities as a first step within a vulnerability chain and performed lateral movement within the internal cloud network, finally achieving cross-account access to other customers' databases.

We will discuss the learnings and implications of this research for cloud providers and customers using database-as-a-service. We will provide advice for future Postgres-as-a-Service implementations as well as other adaptations of open-source projects to PaaS and review critical design considerations to avoid similar issues. Finally, we will provide customers with risk mitigation strategies to reduce the risk of these attacks.