NSFOCUS Research Labs Acknowledged by MSRC for Reporting Azure Database Service RCE Vulnerability

NSFOCUS Research Labs Acknowledged by MSRC for Reporting Azure Database Service RCE Vulnerability

March 1, 2024 | NSFOCUS

Overview

NSFOCUS received acknowledgments from the Microsoft Security Response Center (MSRC) for reporting Azure Database Service RCE Vulnerability.

Azure Database for PostgreSQL – Flexible Server is a relational database service based on the open-source PostgreSQL database engine. It is a fully managed database-as-a-service that can handle mission-critical workloads, offering predictable performance, security, high availability, and dynamic scalability.

Research conducted by NSFOCUS Security Research Labs revealed a remote code execution (RCE) vulnerability in this database service. Malicious users can exploit this vulnerability to execute commands on the host machine where the database resides.

Note: The technical details discussed in this article are intended solely for educational and research purposes. Any unauthorized use is strictly prohibited.

The root cause of this vulnerability lies in a specific database plugin. Despite the database disabling certain program features, users can still leverage PostgreSQL User-Defined Functions (UDFs) to execute commands on the host machine.

Acknowledgments from MSRC
(The nickname “testtianma” corresponds to the awarded NSFOCUS security researcher.)

Vulnerability Tracking

Affected Service: Azure Database for PostgreSQL Flexible Server that allows installation of the specific plugin.

Impact: During the plugin installation process, functions called by the plugin can be hijacked by users. Malicious users can then elevate their privileges to superuser level and subsequently execute host machine system commands using PostgreSQL UDFs.

Timeline of Vulnerability Fix:

  • August 11, 2023: The vulnerability was reported.
  • August 12, 2023: MSRC acknowledged the vulnerability.
  • August 23, 2023: MSRC confirmed the vulnerability.
  • August 28, 2023: Remediation efforts began.
  • September 22, 2023: Fix confirmed.