critical

BrokenSesame

Published Wed, Apr 19th, 2023
Platforms

Summary

ApsaraDB and AnalyticDB contained several vulnerabilities in their PostgreSQL offerings which, chained together, allowed unauthorized access to other tenants' databases and enabled a supply-chain attack against both services, which in turn would also have allowed remote code execution (RCE). Both services implemented multi-tenancy through a shared K8s cluster but contained several tenant-isolation bugs that an attacker could chain to achieve the above impact. In ApsaraDB, these included privilege escalation to root inside a container, a shared PID namespace enabling container escape, and write permissions granted to K8s nodes for a private container image registry used by both services. In AnalyticDB, the bugs included file disclosure, command line injection in a privileged container, and susceptibility to the core_pattern container escape technique.

Affected Services

ApsaraDB RDS for PostgreSQL, AnalyticDB for PostgreSQL

Remediation

None required

Tracked CVEs

No tracked CVEs

References

Disclosure Date
Sun, Dec 4th, 2022
Exploitability Period
-
Known ITW Exploitation
-
Detection Methods
-
Piercing Index Rating
-
Discovered by
Ronen Shustin, Shir Tamari, Wiz