Recent Vulnerabilities Found in Microsoft Azure Services
Cybersecurity researchers at Check Point recently unveiled critical vulnerabilities in Microsoft Azure services that, if exploited, could significantly compromise businesses utilizing the platform for their web and mobile applications. These vulnerabilities were swiftly addressed through patches, as outlined in a report shared with The Hacker News.
At the heart of Azure’s offering is the Azure App Service, a fully-managed solution allowing users to develop web and mobile applications across various platforms while seamlessly integrating with Software-as-a-Service (SaaS) and on-premises applications. However, the recent findings highlight potential risks that underscore the importance of constant vigilance in cybersecurity.
The first of the vulnerabilities, identified as CVE-2019-1234, pertains to a request spoofing flaw affecting Azure Stack, Microsoft’s hybrid cloud solution. This issue could have allowed unauthorized remote access to sensitive data, including screenshots and vital information from virtual machines running on Azure. Researchers noted that the exploitation path led through the Azure Stack Portal, the interface users rely on to manage their cloud resources.
By leveraging an unprotected API, attackers could obtain critical details about a virtual machine, such as its name, ID, and hardware specifications, and then use them to issue unauthorized HTTP requests that retrieve sensitive visual data. The implications of such access could be severe, potentially exposing enterprise secrets stored within Azure infrastructure.
The second vulnerability, recognized as CVE-2019-1372, is a remote code execution vulnerability that affected Azure App Service on Azure Stack. This flaw posed a risk of complete control over the Azure server, effectively allowing an attacker to manipulate an organization’s business-critical code. The researchers observed that both vulnerabilities could be exploited by creating a free Azure Cloud account and then either executing harmful functions or communicating with the SSO portal without authorization.
Digging deeper into CVE-2019-1372, the flaw stemmed from a deficiency in how the DWASSVC service managed communications concerning tenant applications. The service, which orchestrates tasks related to Azure functions, failed to perform adequate buffer length checks. As a result, attackers could send maliciously crafted messages to initiate code execution with elevated privileges, which points to lax security controls in this aspect of Azure services.
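As an added illustration of the class of bug described for CVE-2019-1372 (this is not code from Check Point, Microsoft or DWASSVC), the C example below shows the length checks a message handler needs before copying a sender-supplied payload into a fixed buffer. The message layout, the buffer size and all function names are assumptions made for the example.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define HDR_LEN 4u       /* hypothetical header: 4-byte little-endian payload length */
#define MAX_PAYLOAD 64u  /* capacity of the receiving buffer (constructed value) */
enum { MSG_OK = 0, MSG_TRUNCATED = -1, MSG_LENGTH_MISMATCH = -2, MSG_TOO_LARGE = -3 };

/* Copies one message's payload into out; msg_len is the byte count actually received. */
int parse_message(const uint8_t *msg, size_t msg_len,
                  uint8_t out[MAX_PAYLOAD], size_t *out_len)
{
    if (msg == NULL || out == NULL || out_len == NULL || msg_len < HDR_LEN)
        return MSG_TRUNCATED;

    /* The length field is sender-controlled and must not be trusted on its own. */
    uint32_t declared = (uint32_t)msg[0] | ((uint32_t)msg[1] << 8) |
                        ((uint32_t)msg[2] << 16) | ((uint32_t)msg[3] << 24);

    /* Check 1: the declared length may not exceed the bytes that really arrived
     * (subtracting on the right avoids overflow in declared + HDR_LEN). */
    if (declared > msg_len - HDR_LEN)
        return MSG_LENGTH_MISMATCH;

    /* Check 2: the declared length may not exceed the destination buffer. */
    if (declared > MAX_PAYLOAD)
        return MSG_TOO_LARGE;

    memcpy(out, msg + HDR_LEN, declared);
    *out_len = declared;
    return MSG_OK;
}

/* Builds a constructed message (declared length vs. actual payload size) and
 * returns the copied length on success or the negative rejection code. */
int try_sample(uint32_t declared, size_t actual_payload)
{
    uint8_t msg[HDR_LEN + 256] = {0}, out[MAX_PAYLOAD];
    size_t out_len = 0;
    if (actual_payload > 256) return MSG_TRUNCATED;
    for (int i = 0; i < 4; i++) msg[i] = (uint8_t)(declared >> (8 * i));
    memset(msg + HDR_LEN, 'A', actual_payload);
    int rc = parse_message(msg, HDR_LEN + actual_payload, out, &out_len);
    return rc == MSG_OK ? (int)out_len : rc;
}

int main(void) { return try_sample(16, 16) == 16 ? 0 : 1; }
```

Without either check, the copy length would be whatever the sender wrote into the header, which is the condition the paragraph above describes.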
Ronen Shustin, the Check Point researcher who uncovered these vulnerabilities, took proactive measures to disclose them to Microsoft, preventing potential exploitation that could lead to significant damage. Following the resolution of these issues, Microsoft recognized his contributions by awarding him $40,000 under its bug bounty program.
In this case, the targeted infrastructure was Microsoft’s Azure platform, which plays a pivotal role in the operations of countless U.S.-based businesses. Threat actors could have employed various tactics covered in the MITRE ATT&CK framework to execute their plans. Techniques such as initial access through unprotected APIs, privilege escalation via remote code execution, and maintaining persistence to facilitate ongoing exploitation reflect the sophisticated nature of these vulnerabilities and the approaches attackers might have adopted had the flaws been left unaddressed.
As organizations increasingly rely on cloud services like Azure, the need for continuous security assessments and prompt updates becomes more critical than ever. The swift response from Microsoft serves as a reminder of the ever-evolving landscape of cybersecurity risks and the importance of proactive measures in safeguarding digital assets.