Two Vulnerabilities Found in Microsoft Azure Infrastructure

  /     /     /  
Publicated : 23/11/2024   Category : security


Two Vulnerabilities Found in Microsoft Azure Infrastructure


Researchers detail the process of finding two flaws in the Azure Stack architecture and Azure App Service, both of which have been patched.



Check Point Research analysts who discovered two vulnerabilities in the Microsoft Azure cloud infrastructure have published the details of how these flaws were found and how attackers could potentially use them.
The research team began exploring Azure infrastructure in an effort to disprove the assumption that cloud infrastructures are secure, says security researcher Ronen Shustin in a
blog post
. Check Point informed Microsoft of the vulnerabilities as they were discovered throughout 2019; security patches were deployed for both flaws by the end of the year.
CVE-2019-1234
is a server-side request forgery bug in an on-prem Azure environment called Azure Stack, a hybrid cloud tool for enterprise use. A spoofing flaw exists when Azure Stack fails to validate certain requests. Attackers could exploit this by sending a crafted request to the Azure Stack portal; if successful, they could make requests to internal Azure Stack resources.
Researchers conducted this investigation by first installing the Azure Stack Development Kit (ASDK) on their own servers and mapping areas they thought they might find vulnerabilities. ASDK comes with a set of core components that can be extended via features like App Service and SQL Providers, among others. It has a limited number of features compared to the Azure cloud and usually runs software thats a couple of versions behind, researchers explain. Azure Stack shares similar features with the Azure public cloud, so they focused on those vectors.
One Azure Stack service they investigated was called DataService, which didnt require any authentication. This flaw could enable an attacker to obtain sensitive data belonging to any business with its machine running on Azure, whether its on a shared or isolated machine. They would first have to gain access to Azure Stack Portal and then send unauthenticated HTTP requests, which could provide screenshots and data about the tenants and infrastructure machines.
This vulnerability is only valid to the Azure Stack, which is also a very valid attack vector, said Yaniv Balmas, head of security research, in a meeting with reporters at last weeks CPX 360 event. Practically, if someone has a big Azure Stack with a lot of tenants, I can take screenshots of other machines. It could be dangerous; it could not be. It depends.
Remote code execution vulnerability
CVE-2019-1372
is in Azure App Service, which lets users build and host Web apps, mobile backends, and restful APIs in a programming language they choose without managing infrastructure. The bug exists when Azure Stack fails to check the length of a buffer before copying memory to it. An attacker could let an unprivileged function, run by the user, execute code in the context of NT AUTHORITY/system and escape the sandbox.
Attackers could use this vulnerability to compromise tenant applications, data, and accounts by creating a free user in the Azure Cloud and running malicious Azure functions. Alternatively, they
could send
unauthenticated HTTP requests to the Azure Stack user portal. If successful, they could potentially take control over the entire Azure server and the business code it holds.
[This] can give complete visibility into every workload running on the same server, said Balmas. [I] can modify them, I can delete them, I can do whatever I want.
In its research, Check Point only used this vulnerability to demonstrate how it could be exploited to crash the Dynamic WAS Service (DWASSVC). However, it could also be used for privilege escalation, they explain in a
blog post
about CVE-2019-1372.
Related Content:
6 Security Team Goals for DevSecOps in 2020
How to Secure Your IoT Ecosystem in the Age of 5G
Enterprise Hardware Still Vulnerable to Memory Lane Attacks
Assessing Cybersecurity Risk in Todays Enterprise
Check out 
The Edge
, Dark Readings new section for features, threat data, and in-depth perspectives. Todays top story:
7 Steps to IoT Security in 2020
.

Last News

▸ Travel agency fined £150,000 for breaking Data Protection Act. ◂
Discovered: 23/12/2024
Category: security

▸ 7 arrested, 3 more charged in StubHub cyber fraud ring. ◂
Discovered: 23/12/2024
Category: security

▸ Nigerian scammers now turning into mediocre malware pushers. ◂
Discovered: 23/12/2024
Category: security


Cyber Security Categories
Google Dorks Database
Exploits Vulnerability
Exploit Shellcodes

CVE List
Tools/Apps
News/Aarticles

Phishing Database
Deepfake Detection
Trends/Statistics & Live Infos



Tags:
Two Vulnerabilities Found in Microsoft Azure Infrastructure