Pwning Cloud Vendors with Untraditional PostgreSQL Vulnerabilities

Conference:  Black Hat USA 2022

2022-08-11

Summary

The presentation discusses vulnerabilities in managed database services and the need for better security measures.
  • Managed database services are vulnerable to attacks due to their multi-tenant nature and simple permission models
  • Cloud providers modify open source database solutions to provide admin capabilities while protecting the underlying compute
  • Modifications can introduce new vulnerabilities and potential attack surfaces
  • The presentation highlights vulnerabilities in Google Cloud SQL and demonstrates how to execute code via SQL queries
  • Better security measures are needed to protect managed database services
The presenters discovered vulnerabilities in Google Cloud SQL and were able to execute code via SQL queries. They found that managed database services are vulnerable due to their multi-tenant nature and simple permission models. Cloud providers modify open source database solutions to provide admin capabilities while protecting the underlying compute, but these modifications can introduce new vulnerabilities and potential attack surfaces. The presenters emphasize the need for better security measures to protect managed database services.

Abstract

Cloud service providers often provide popular and beloved open-source solutions as multi-tenant managed services. This is a significant power of the cloud - to offer anything as a scalable, managed service. However, these projects were not built with multi-tenancy in mind, and therefore, their adoption relies on multiple modifications and adjustments by the cloud vendor.

Our team explored PostgreSQL-as-a-Service offered by multiple cloud providers and found a series of vulnerabilities related to its implementation as a multi-tenant service, including severe isolation issues. The impact of these vulnerabilities can be wide-reaching as they may become the starting point for a cross-account access attack; as we recently demonstrated in the “ExtraReplica” vulnerability, a Postgres vulnerability leads to cross-account access of customer databases in Azure Postgres Flexible server service. This is the first-of-a-kind cloud implementation vulnerability in a platform-as-a-service offering, affecting multiple cloud providers simultaneously.

In this session, we will explain the Postgres vulnerabilities and how they lead us to find cloud isolation vulnerabilities. We will also peek at the services' internals, which we were privileged to see after executing our code on the platform. We will explain how we used these vulnerabilities as a first step within a vulnerability chain and performed lateral movement within the internal cloud network, finally achieving cross-account access to other customers' databases.

We will discuss the learnings and implications of this research for cloud providers and customers using database-as-a-service. We will provide advice for future Postgres-as-a-Service implementations as well as other adaptations of open-source projects to PaaS and review critical design considerations to avoid similar issues. Finally, we will provide customers with risk mitigation strategies to reduce the risk of these attacks.
