A critical vulnerability has been identified within multiple Microsoft Azure services, potentially allowing malicious actors to gain complete control over targeted applications. The flaw, characterized as a remote code execution (RCE) issue, was described in a report by Ermetic researcher Liv Matan and has significant implications for Azure users.
The core of the vulnerability stems from cross-site request forgery (CSRF) issues within the widely used source control management (SCM) service, Kudu. Matan stated, “Attackers could exploit this vulnerability to deploy malicious ZIP files containing harmful payloads onto a victim’s Azure application.” This exploitation method not only compromises the integrity of the application but could also facilitate unauthorized access to sensitive data and lateral movement across other services within Azure’s ecosystem.
Ermetic, an Israeli firm specializing in cloud infrastructure security, has dubbed this vulnerability “EmojiDeploy.” They believe that the exploit could further pave the way for attackers to pilfer sensitive information and navigate through various Azure services without detection. As a direct result of responsible disclosure, Microsoft successfully resolved this flaw by December 6, 2022, after initially being alerted on October 26, 2022. In recognition of the critical finding, the tech giant awarded a bug bounty of $30,000.
Describing Kudu’s function, Microsoft notes that it operates as the backbone for various features in Azure App Service tied to source control and multiple deployment methods. This underlines the critical need for businesses utilizing Azure to remain vigilant regarding the security of their applications.
In a hypothetical scenario presented by Ermetic, a cyber adversary could leverage the CSRF vulnerability within the Kudu panel to bypass established safeguards that protect against cross-origin attacks. By sending a crafted request to the “/api/zipdeploy” endpoint, attackers could deliver a malicious archive, such as a web shell, ultimately granting them remote access and compromising user data.
CSRF, often referred to as session riding, is a form of attack in which an authenticated user is manipulated into executing unauthorized commands within a web application. In this case, the attackers would encode the malicious ZIP file in the HTTP request body and trick the victim into visiting a domain controlled by the threat actor from an authenticated browser session, so that the forged request reaches the deployment endpoint by bypassing the server’s safeguards against cross-origin requests.
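The following is an added illustration, not code from Kudu, Microsoft or Ermetic, and it does not reproduce the actual bypass used in EmojiDeploy, which this page does not detail. It contrasts a loose Origin check on a hypothetical state-changing deployment endpoint with a strict one that parses the header and requires an exact host match, and then runs the strict check over a few constructed log lines to flag deployment requests that arrived from an unexpected origin. The SCM hostname `contoso-app.scm.azurewebsites.net`, the log format and the function names are all assumptions made for the example.

```python
"""Added example: loose vs strict Origin validation for a deployment endpoint,
plus a small log scan that flags cross-site deployment attempts.
Not Kudu's code; hostnames, log lines and logic are constructed."""
import re
from urllib.parse import urlsplit

# Hypothetical SCM host for an app called "contoso-app" (constructed value).
SCM_HOST = "contoso-app.scm.azurewebsites.net"

# Endpoints that change server state and must never accept a cross-site request.
STATE_CHANGING = {"/api/zipdeploy", "/api/publish"}


def weak_origin_check(origin: str) -> bool:
    """Loose check: accepts any Origin that merely *contains* the SCM host.
    A generic anti-pattern shown for contrast, not the real Kudu logic."""
    return SCM_HOST in origin


def strict_origin_check(origin: str) -> bool:
    """Strict check: parse the Origin header, require https, an exact
    (case-insensitive) host match and nothing beyond scheme://host[:port]."""
    if not origin:
        return False
    parts = urlsplit(origin)
    if parts.scheme != "https":
        return False
    if parts.hostname is None or parts.hostname != SCM_HOST:
        return False
    # A bare origin never carries a path, query or fragment.
    if parts.path not in ("", "/") or parts.query or parts.fragment:
        return False
    return True


# Constructed log format: timestamp, method, path, quoted Origin, status.
LOG_LINE = re.compile(
    r'^(?P<ts>\S+) (?P<method>[A-Z]+) (?P<path>\S+) '
    r'origin="(?P<origin>[^"]*)" status=(?P<status>\d+)$'
)

# Constructed sample lines; not real Kudu or App Service logs.
SAMPLE_LOGS = """\
2023-01-19T10:00:01Z POST /api/zipdeploy origin="https://contoso-app.scm.azurewebsites.net" status=200
2023-01-19T10:00:07Z POST /api/zipdeploy origin="https://contoso-app.scm.azurewebsites.net.attacker.example" status=200
2023-01-19T10:00:09Z GET /api/deployments origin="" status=200
2023-01-19T10:00:15Z POST /api/zipdeploy origin="" status=200
"""


def flag_cross_site_deploys(text: str) -> list:
    """Return state-changing POSTs whose Origin fails the strict check.
    An empty Origin is flagged too: browsers always send Origin on
    cross-site POSTs, so a missing value deserves review rather than trust."""
    findings = []
    for line in text.splitlines():
        m = LOG_LINE.match(line)
        if not m:
            continue
        if m["method"] != "POST" or m["path"] not in STATE_CHANGING:
            continue
        if not strict_origin_check(m["origin"]):
            findings.append({"ts": m["ts"], "path": m["path"], "origin": m["origin"]})
    return findings


if __name__ == "__main__":
    lookalike = "https://contoso-app.scm.azurewebsites.net.attacker.example"
    print("weak check accepts lookalike:  ", weak_origin_check(lookalike))
    print("strict check accepts lookalike:", strict_origin_check(lookalike))
    for f in flag_cross_site_deploys(SAMPLE_LOGS):
        print("flagged:", f)
```

The substring check passes a lookalike origin because the legitimate host appears inside it; the strict check rejects it because the parsed hostname is not an exact match. On the defensive side, an Origin allowlist is a complement to, not a replacement for, an anti-CSRF token on every state-changing route.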
The overall impact of such a vulnerability on an organization will largely depend on the permissions associated with the application’s managed identity. Adopting and effectively implementing the principle of least privilege can play a significant role in reducing the potential damage caused by such incidents. The implications are substantial, especially given that these findings emerged shortly after another report highlighted four significant server-side request forgery (SSRF) vulnerabilities within Azure API Management, Azure Functions, Azure Machine Learning, and Azure Digital Twins.
Understanding the tactics outlined in the MITRE ATT&CK framework is crucial for recognizing the methods likely employed in such attacks. Potential adversary tactics include initial access via CSRF, persistence through remote access tools, and privilege escalation, all of which underscore the complexity and severity of the current threat landscape facing Azure users.