Recent discoveries have unveiled a series of critical vulnerabilities affecting Alibaba Cloud’s ApsaraDB RDS for PostgreSQL and AnalyticDB for PostgreSQL. These flaws pose significant risks by potentially enabling unauthorized access to sensitive data across tenant environments.

According to a report by cloud security firm Wiz, these vulnerabilities could have allowed attackers to breach tenants’ isolation protections, leading to unauthorized access to customer PostgreSQL databases. Moreover, the weaknesses could facilitate a supply chain attack on Alibaba’s database services, culminating in remote code execution (RCE) vulnerabilities within the system.

Referred to as the “BrokenSesame” vulnerabilities, these issues were initially reported to Alibaba Cloud in December 2022. The company implemented mitigation measures on April 12, 2023. Fortunately, there is currently no evidence suggesting that these vulnerabilities were exploited maliciously in real-world scenarios.

The vulnerabilities encompass a privilege escalation flaw within AnalyticDB and an RCE bug in ApsaraDB RDS. Exploiting these weaknesses could permit an attacker to elevate privileges to root within the container, escape to the underlying Kubernetes node, and gain unauthorized access to the API server.

This elevated access allows an attacker to retrieve critical credentials related to container registries from the API server, making it possible to push malicious images and thereby compromising databases belonging to other tenants sharing the same infrastructure.

Wiz researchers noted that the credentials for pulling images were improperly scoped, allowing push permissions, which essentially opens the door for a comprehensive supply-chain attack.
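The over-scoped pull credential is exactly the kind of defect a registry-token audit catches. The following Python is an added example, not code from the Wiz report or from Alibaba Cloud: it reads the `access` claims of a Docker Registry v2 bearer token (the JWT format that registry token services issue) and flags any repository grant whose actions go beyond `pull`. The issuer name, repository name and both sample tokens are constructed.

```python
import base64
import json

# The Docker Registry v2 token service issues a JWT whose "access" claim lists
# repository grants, each with an "actions" list such as ["pull"] or
# ["pull", "push"]. This audit only reads those claims and does not verify
# the signature, so apply it to tokens whose origin you already trust.

def _b64url(obj):
    """Base64url-encode a JSON object without padding (JWT segment format)."""
    raw = json.dumps(obj, separators=(",", ":")).encode()
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def decode_jwt_claims(token):
    """Return the claims segment of a JWT as a dict (no signature check)."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a three-segment JWT")
    payload = parts[1] + "=" * (-len(parts[1]) % 4)  # restore padding
    return json.loads(base64.urlsafe_b64decode(payload))

def excessive_scopes(token, allowed=("pull",)):
    """List (repository, extra_actions) for every grant beyond `allowed`.

    A credential issued for image pulls should yield an empty list; a "push"
    entry means the holder could overwrite images that other tenants run.
    """
    findings = []
    for grant in decode_jwt_claims(token).get("access", []):
        if grant.get("type") != "repository":
            continue
        extra = sorted(set(grant.get("actions", [])) - set(allowed))
        if extra:
            findings.append((grant.get("name"), extra))
    return findings

def make_sample_token(access):
    """Build a constructed, unsigned token carrying the given access grants."""
    header = _b64url({"alg": "RS256", "typ": "JWT"})
    claims = _b64url({"iss": "registry-auth.example", "access": access})
    return f"{header}.{claims}."  # signature segment left empty (constructed)

# Constructed samples: a correctly scoped pull credential and an over-scoped one.
PULL_ONLY = make_sample_token(
    [{"type": "repository", "name": "tenant-a/postgres", "actions": ["pull"]}])
OVERSCOPED = make_sample_token(
    [{"type": "repository", "name": "tenant-a/postgres", "actions": ["pull", "push"]}])
```

Running `excessive_scopes` over the tokens a node or CI runner actually holds turns the "pull credentials that can push" finding into a routine check rather than something discovered only during an incident.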

This incident is not isolated; similar PostgreSQL vulnerabilities have been identified in other cloud services previously. Notably, Wiz reported analogous issues in Azure Database for PostgreSQL and IBM Cloud Databases for PostgreSQL last year.

The findings align with broader trends in cloud security: Palo Alto Networks’ Unit 42 has highlighted that cybercriminals are increasingly adept at exploiting common weaknesses in cloud environments, including misconfigurations, weak credentials, and unpatched vulnerabilities. The same report indicates that a significant percentage of organizations are not enforcing multi-factor authentication (MFA), which could further expose them to potential breaches.

In summary, the vulnerabilities associated with Alibaba Cloud’s database services illustrate critical risks in multi-tenant cloud environments. These incidents serve as a reminder for business owners to remain vigilant regarding their cloud security posture and to implement stringent access controls and authentication measures to mitigate risks.
