Microsoft has fixed 32 vulnerabilities in the Azure Site Recovery (ASR) suite that could have allowed attackers to gain elevated privileges or perform remote code execution. The Azure Site Recovery Service is a disaster recovery service that will automatically fail-over workloads to secondary locations when a problem is detected. Microsoft found that SQL injection vulnerabilities caused most of the privilege escalation bugs, and that CVE-2022-33675 was caused by a DLL hijacking vulnerability. Discovered by Tenable, the DLL hijacking vulnerability has a CVSS v3 severity rating of 7.8. This attack exploits the way some Windows applications search and load DLLs. A threat actor can perform this attack by disguising a malicious DLL as a legitimate DLL and store it in a folder for it to be searched and installed by Windows. Tenable also found that the “cxprocessserver” service of ASR runs with SYSTEM level privileges by default, and its executable lies in a directory that has been incorrectly set to allow ‘write’ permissions to any user. Normal users can plant malicious DLLs in the directory and when the “cxprocessserver” process begins, it will execute any of its commands with SYSTEM privileges. Although an outdated technique, the ability to provide a user with SYSTEM privileges adds to the complexities in the cloud space.
An attacker with admin-level privileges can change the OS security settings, make changes to user accounts, access all files on the system with no restrictions, and install additional software. ASR is widely used in corporate environments so this could be a weak point for many organizations. Threat actors could leverage the CVE-2002-33675 vulnerability as part of a ransomware attack to wipe backups and make data restoration impossible. Microsoft has published an advisory providing an overview of all the issues it has fixed in ASR this month. It is recommended to make sure all of the updates are installed. Those who are unable to apply the patches could manually minimize risk by changing the write permission setting on the impacted directory.