
ExtraReplica: Microsoft Patches Cross-Tenant Bug in Azure PostgreSQL


Recently, Microsoft patched a pair of security vulnerabilities in its Azure Database for PostgreSQL Flexible Server that could have been exploited to execute malicious code. On Thursday, security researchers from Wiz Research published an advisory on "ExtraReplica," describing it as a "cross-account database vulnerability" in Azure's infrastructure.

The first is a privilege escalation bug in a modification that Microsoft made to the PostgreSQL engine and the second bug leverages the privilege escalation enabled by the former to give attackers cross-account access. 

Microsoft Azure is a hybrid cloud service with hundreds of thousands of enterprise customers. It offers software as a service (SaaS), infrastructure as a service (IaaS), and platform as a service (PaaS).

It supports various programming languages, frameworks, and tools, including both Microsoft-specific and third-party software and systems, and one of its key roles is housing the data for many other Microsoft products.

According to the report, security vulnerabilities in the software could be used to bypass Azure's tenant isolation, which prevents software-as-a-service (SaaS) systems users from accessing resources belonging to other tenants. 

Also, ExtraReplica's core attack vector is based on a flaw that gave full access to customer data across multiple databases in a region without authorization, researchers from cloud security vendor Wiz Research recently added. 

"An attacker could create a full copy of a target database in Azure PostgreSQL [Flexible Server], essentially exfiltrating all the information stored in the database… The vulnerabilities would have allowed attackers to bypass firewalls configured to protect the hosted databases unless an organization had configured it for private access only, but this is not the default configuration," says Ami Luttwak, co-founder and CTO at Wiz.

Following the report, Microsoft said it mitigated the security vulnerabilities in the second week of January 2022, less than 48 hours after Wiz had warned about the issue. The company added that its investigation found no evidence that attackers had exploited the vulnerabilities to access customer data.

A New LPE Zero-day Vulnerability Affected All Windows Versions


A security researcher has revealed technical specifics about a zero-day privilege elevation vulnerability in Windows, as well as a public proof-of-concept (PoC) attack that grants SYSTEM rights under specific settings. 

The good news is that because the exploit needs a threat actor to know another user's user name and password in order to trigger the vulnerability, it is unlikely to be extensively employed in attacks. The bad news is that it affects all versions of Windows, including Windows 10, Windows 11, and Windows Server 2022. 

In August, Microsoft released a security patch for a "Windows User Profile Service Elevation of Privilege Vulnerability," tracked as CVE-2021-34484 and reported by security researcher Abdelhamid Naceri. After investigating the fix, Naceri found that it was insufficient and was able to circumvent it with a new exploit that he disclosed on GitHub.

Naceri explained in a technical writeup about the vulnerability and the new bypass, "Technically, in the previous report CVE-2021-34484. I described a bug where you can abuse the user profile service to create a second junction. But as I see from the ZDI advisory and Microsoft patch, the bug was metered as an arbitrary directory deletion bug. Microsoft didn’t patch what was provided in the report but the impact of the PoC. Since the PoC I wrote before was horrible, it could only reproduce a directory deletion bug."

According to Naceri, since they just rectified the symptom of his bug report and not the root cause, he could rewrite his exploit to establish a junction somewhere and still accomplish privilege elevation. This exploit will open an elevated command prompt with SYSTEM privileges while the User Account Control (UAC) prompt is shown. 

Will Dormann, a CERT/CC vulnerability analyst, examined the vulnerability and discovered that, while it functioned, it was temperamental and did not always establish the elevated command prompt. 

Dormann told BleepingComputer, "Definitely still a problem. And there may be scenarios where it can be abused. But the 2 account requirement probably puts it in the boat of NOT being something that will have widespread use in the wild." 

However, Naceri told BleepingComputer that a threat actor essentially requires another domain account to exploit the vulnerability, thus it is still a cause for concern. 

A Microsoft spokesperson stated, “We are aware of the report and will take appropriate action to keep customers protected.”

New Windows and Linux Flaws: Provide Attackers Highest System Privileges


Two new vulnerabilities, one in Windows and the other in Linux, were disclosed on Tuesday. Both allow attackers who already have a foothold on a vulnerable machine to circumvent OS security restrictions and access critical resources.

Microsoft's Windows 10 and upcoming Windows 11 versions have been discovered to be vulnerable to a new local privilege escalation vulnerability that allows users with low-level permissions to access Windows system files, permitting them to decrypt private keys and uncover the operating system installation password. The vulnerability has been named "SeriousSAM".

The CERT Coordination Center (CERT/CC) stated in a published vulnerability note, "Starting with Windows 10 build 1809, non-administrative users are granted access to SAM, SYSTEM, and SECURITY registry hive files. This can allow for local privilege escalation (LPE)."

The operating system configuration files in question are as follows - 

c:\Windows\System32\config\sam 
c:\Windows\System32\config\system 
c:\Windows\System32\config\security 

Microsoft acknowledged the vulnerability, which has been assigned the number CVE-2021-36934 but is yet to offer a patch or provide a timeframe for when a fix will be released. 

The Windows makers explained, "An elevation of privilege vulnerability exists because of overly permissive Access Control Lists (ACLs) on multiple system files, including the Security Accounts Manager (SAM) database. An attacker who successfully exploited this vulnerability could run arbitrary code with SYSTEM privileges. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.” 

However, successful exploitation of the issue requires that the attacker has already gained a foothold and can execute code on the target machine. In the meantime, according to the CERT/CC, users should restrict access to the sam, system, and security files and delete VSS shadow copies of the system disk.
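The CERT/CC workaround above, as an added PowerShell example that is not from the article or the CERT/CC note: it audits the three hive files for read access granted to BUILTIN\Users (the CVE-2021-36934 condition), counts existing shadow copies, and with -Fix applies the two mitigations. The use of `icacls /inheritance:e` to restore the restrictive ACL of the config folder is assumed here, and deleting shadow copies is destructive, so confirm backups exist first.

```powershell
# Added example: audit and mitigate the "SeriousSAM" (CVE-2021-36934) condition.
# Run from an elevated PowerShell session.
param([switch]$Fix)

$config  = Join-Path $env:windir 'System32\config'
$hives   = 'sam', 'system', 'security' | ForEach-Object { Join-Path $config $_ }
$readBit = [int][System.Security.AccessControl.FileSystemRights]::ReadData

$exposed = @()
foreach ($hive in $hives) {
    # Get-Acl only needs READ_CONTROL on the file, so it works although the
    # kernel keeps the hive open; a sharing violation is not triggered.
    $acl  = Get-Acl -LiteralPath $hive
    $weak = $acl.Access | Where-Object {
        $_.AccessControlType -eq 'Allow' -and
        $_.IdentityReference.Value -eq 'BUILTIN\Users' -and
        (([int]$_.FileSystemRights -band $readBit) -ne 0)
    }
    if ($weak) {
        $exposed += $hive
        Write-Warning ("{0}: readable by BUILTIN\Users ({1})" -f $hive, ($weak.FileSystemRights -join ', '))
    } else {
        Write-Host ("{0}: OK (no read access for BUILTIN\Users)" -f $hive)
    }
}

# Shadow copies taken before the ACL is corrected still hold readable hives,
# which is why CERT/CC recommends deleting them as well.
$shadows = @(Get-CimInstance -ClassName Win32_ShadowCopy -ErrorAction SilentlyContinue)
Write-Host ("{0} VSS shadow copies present" -f $shadows.Count)

if ($exposed.Count -eq 0 -and $shadows.Count -eq 0) {
    Write-Host 'Host is not exposed to CVE-2021-36934.'
    return
}

if ($Fix) {
    # 1. Re-enable inheritance so the hives take the config folder's ACL,
    #    which does not grant read access to BUILTIN\Users (assumed workaround).
    icacls "$config\*.*" /inheritance:e | Out-Null
    # 2. Remove existing shadow copies that still contain the exposed hives.
    vssadmin delete shadows /all /quiet | Out-Null
    Write-Host 'Mitigations applied; re-run without -Fix to verify.'
} else {
    Write-Host 'Re-run with -Fix to apply the CERT/CC mitigations.'
}
```

Note that the ACL change only protects hives on the live volume; any shadow copy created while the ACL was permissive remains readable until it is deleted.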

Since the release of the Patch Tuesday updates on July 13, this is also the third publicly documented unpatched issue in Windows. Apart from CVE-2021-36934, two other vulnerabilities in the Print Spooler component have been identified, leading Microsoft to advise all users to stop and disable the service to protect their computers from exploitation.

"Sequoia" privilege escalation flaw affected Linux distros:

Remediations have been issued for a security shortcoming affecting all Linux kernel versions from 2014 that can be exploited by malicious users and malware already deployed on a system to gain root-level privileges. 

The vulnerability, nicknamed "Sequoia" by Qualys researchers, has been issued the identifier CVE-2021-33909 and affects default Ubuntu 20.04, Ubuntu 20.10, Ubuntu 21.04, Debian 11, and Fedora 34 Workstation installations. The issue also affects Red Hat Enterprise Linux versions 6, 7, and 8. 

The vulnerability is a size_t-to-int type conversion flaw in the Linux kernel's "seq_file" file system interface. It allows an unprivileged local attacker to create, mount, and delete a deep directory structure with a total path length of more than 1GB, resulting in privilege escalation on the vulnerable host.

According to Qualys, unprivileged attackers could also use a stack exhaustion denial-of-service vulnerability in the system (CVE-2021-33910) to crash the software suite and trigger a kernel panic.