Accidental ‘write’ Permissions In Alibaba PostgreSQL Let Attackers Access Sensitive Data

Two new critical flaws have been found in Alibaba Cloud’s popular services, ApsaraDB and AnalyticDB.

Both of them were in support of PostgreSQL. Wiz security research team has termed this vulnerability as #BrokenSesame. 

One of these vulnerabilities performs Supply-Chain attacks on the database services leading to an RCE.

Another was potential unauthorized access to Alibaba’s Cloud customers’ PostgreSQL databases.

Critical Flaws

The critical flaws in Alibaba Cloud services existed in the Kubernetes Clusters (K8s).

1. K8s node compromised – Researchers found that K8s applications were not appropriately isolated, leading to a few insecure behaviors.
2. They performed a privilege escalation with a cronjob task which elevated their privileges inside the container to root.

As a root user, they tried to do a lateral move to another container on their pod by exploiting a shared PID namespace which led to escaping to the K8s node.

Once they went to the node, they used Kubelet credentials to access secrets, service accounts, and pods.

2. Supply chain due to write permissions on container image registry – When accessing the pods on the nodes, Wiz’s research team found that it was a shared node with pods belonging to other tenants on the node.

They also found a private image registry and tested some credentials which led to the discovery of write permissions on the container images.

This write permission can be used for supply-chain attacks due to a compromised k8s node.

These attacks were possible on ApsaraDB and AnalyticDB for PostgreSQL on Alibaba Cloud.

Handling multiple containers can be a tedious job. Hence, having better security implications in place is recommended.

These critical flaws show that the isolation of containers needs to be much more securely configured without letting these kinds of escapes to the k8s.

Researchers demonstrated vulnerability exploitation in AnalyticDB for PostgreSQL and ApsaraDB RDS for PostgreSQL could result in unauthorized cross-tenant access to customers’ PostgreSQL databases and a supply-chain attack.

You can read a complete technical analysis here at Wiz.

Struggling to Apply The Security Patch in Your System? – 
Try All-in-One Patch Manager Plus