Pwning Cloud Vendors with Untraditional PostgreSQL Vulnerabilities

Presented at Black Hat USA 2022, Aug. 11, 2022, 11:20 a.m. (40 minutes)

Cloud service providers often offer popular and widely used open-source projects as multi-tenant managed services. This is a significant strength of the cloud: almost anything can be offered as a scalable, managed service. However, these projects were not built with multi-tenancy in mind, so adopting them relies on multiple modifications and adjustments by the cloud vendor.

Our team explored PostgreSQL-as-a-Service offerings from multiple cloud providers and found a series of vulnerabilities related to its implementation as a multi-tenant service, including severe isolation issues. The impact of these vulnerabilities can be wide-reaching, as they may become the starting point for a cross-account access attack; as we recently demonstrated with the "ExtraReplica" vulnerability, a PostgreSQL vulnerability led to cross-account access to customer databases in the Azure PostgreSQL Flexible Server service.

This is a first-of-its-kind cloud implementation vulnerability in a platform-as-a-service offering, affecting multiple cloud providers simultaneously.

In this session, we will explain the PostgreSQL vulnerabilities and how they led us to find cloud isolation vulnerabilities. We will also peek at the services' internals, which we were able to see after executing our code on the platform. We will explain how we used these vulnerabilities as the first step in a vulnerability chain, performed lateral movement within the internal cloud network, and finally achieved cross-account access to other customers' databases.

We will discuss the learnings and implications of this research for cloud providers and for customers using database-as-a-service. We will provide advice for future Postgres-as-a-Service implementations, as well as for other adaptations of open-source projects to PaaS, and review critical design considerations to avoid similar issues. Finally, we will provide customers with risk mitigation strategies to reduce the risk of these attacks.

Presenters:

  • Nir Ohfeld - Security Researcher, Wiz
    Nir Ohfeld is a security researcher from Israel. Nir currently does cloud-related security research at Wiz. Nir specializes in the exploitation of web applications, application security and in finding vulnerabilities in complex high-level systems.
  • Shir Tamari - Head of Research, Wiz
    Shir Tamari is an experienced security and technology researcher specializing in vulnerability research and practical hacking. Shir is Head of Research at the cloud security company Wiz. In the past, he served as a consultant to a variety of security companies in the fields of research, development and product. Shir is also a member of the 5BC CTF team.
