Researchers disclosed two significant flaws in Alibaba Cloud’s ApsaraDB RDS for PostgreSQL and AnalyticDB for PostgreSQL.
Researchers from cloud security firm Wiz discovered two significant flaws collectively known as BrokenSesame in Alibaba Cloud’s ApsaraDB RDS for PostgreSQL and AnalyticDB for PostgreSQL.
ApsaraDB RDS is a managed database hosting service and AnalyticDB for PostgreSQL is a managed data warehousing service.
By linking the two vulnerabilities, an attacker could breach tenant isolation protection and access data belonging to other users.
“Wiz Research discovered a chain of critical vulnerabilities in two popular Alibaba Cloud services: ApsaraDB RDS for PostgreSQL and AnalyticDB for PostgreSQL. Dubbed #BrokenSesame, the vulnerability potentially allowed unauthorized access to Alibaba Cloud customers’ PostgreSQL databases and the ability to perform supply chain attacks against both Alibaba database services. Leads to RCE for Alibaba database service.” reads advice Published by Wiz.
Experts focused their analysis on devising attack techniques to break cloud isolation by bypassing security perimeters implemented by cloud providers and accessing sensitive data of other customers.
The two vulnerabilities are an elevation of privilege in AnalyticDB and a remote code execution flaw in ApsaraDB RDS. By linking the two vulnerabilities, an attacker could elevate to root within a container, then escape to a Kubernetes node and gain unauthorized access to the API server.
After gaining access to the K8s API server, researchers cubelet Credentials to inspect various cluster resources including secrets, service accounts, and pods.
“Access the K8s API server to cubelet Credentials to inspect various cluster resources including secrets, service accounts, and pods. When reviewing the list of pods, it found pods belonging to different tenants in the same cluster. This indicates that Alibaba Cloud has designed its clusters for multi-tenancy. That means you can potentially gain cross-tenant access to these pods.” Read the analysis.
When testing credentials against container image registries, Researchers found that it had write access. An attacker with write access can overwrite container images and potentially perform supply chain attacks on images of entire services and other services.
Wiz reported the flaw to Alibaba Cloud in December 2022, and the company fixed it on April 12, 2023. The good news is that there is no evidence that these vulnerabilities have been exploited in real-world attacks.
“76% of organizations do not implement MFA. [multi-factor authentication] For console users, 58% of organizations do not enforce MFA for root/admin users,” the cybersecurity firm said.
Vote for Security Affairs (https://securityaffairs.com/) for Best European Cybersecurity Blogger Awards 2022 – Vote for your winners
Vote for me in the section:
- Teachers – Most Educational Blogs
- The Entertainer – the funniest blog ever
- The Tech Whiz – The Best Tech Blog
- Best social media accounts to follow (@securityaffairs)
Make Security Affairs your favorite blog.
Nominate here: https://docs.google.com/forms/d/e/1FAIpQLSfaFMkrMlrLhOBsRPKdv56Y4HgC88Bcji4V7OCxCm_OmyPoLw/viewform
Follow me on Twitter: @securityaffairs and Facebook and Mastodon
(security work – hacking, alibaba cloud)
share