Two vulnerabilities in Azure Stack that could have let attackers take control of cloud servers or access client data without authorization were responsibly reported to Microsoft and patched in October and November of 2019. Researchers at Check Point have now published the details of the vulnerabilities and how they could have been exploited had attackers known about them before the patches were applied.

The more serious of the two, a remote code execution vulnerability assigned CVE-2019-1372, allowed complete takeover of servers in the Azure App Service on Azure Stack. Azure App Service is used to build web and mobile apps. An attacker who knew of this vulnerability could have used a free Azure Cloud user account to send a specially crafted message that causes the server to run code of the attacker's choosing at the highest privilege level, NT AUTHORITY\SYSTEM. With SYSTEM-level privileges, an attacker could take over the entire server.

The other flaw, assigned CVE-2019-1234, allowed attackers using the Microsoft Azure Stack Portal to send an HTTP request without any authentication and steal information from any virtual machine on the Azure infrastructure. The researchers demonstrated that exploiting this vulnerability let them abuse the "GetVmScreenshot" function to capture screenshots of any targeted virtual machine. If a user was logged on and interactively using the Azure virtual machine with sensitive information on screen at the moment an attacker used this technique, the result could be damaging.
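The defender-side lesson of CVE-2019-1234 is that a privileged operation such as "GetVmScreenshot" succeeding for a request that carries no authenticated identity is itself a detectable anomaly. The following is an added example (not code from the Check Point research or from Microsoft) that scans access-log lines for exactly that pattern. The log format, the request paths and the sample lines are all constructed for the example; only the function name "GetVmScreenshot" comes from the report above.

```python
import re
from typing import Dict, Iterable, List, Optional

# Constructed sample access-log lines (not real Azure Stack logs).
# Assumed format: <client-ip> <authenticated-user or "-"> "<METHOD> <path> HTTP/1.1" <status>
# The /portal/vm/... paths are hypothetical placeholders, not Azure Stack endpoints.
SAMPLE_LOG_LINES = [
    '10.0.0.5 alice "GET /portal/vm/example-vm/GetVmScreenshot HTTP/1.1" 200',
    '203.0.113.9 - "GET /portal/vm/example-vm/GetVmScreenshot HTTP/1.1" 200',
    '203.0.113.9 - "POST /portal/vm/other-vm/getvmscreenshot HTTP/1.1" 200',
    '10.0.0.7 - "GET /portal/vm/example-vm/GetVmScreenshot HTTP/1.1" 401',
    '10.0.0.8 bob "GET /portal/vm/example-vm/status HTTP/1.1" 200',
    'garbage line that does not parse',
]

# One regex for the assumed log format; lines that do not match are skipped, not guessed at.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) (?P<user>\S+) "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})$'
)

# Operations that must never succeed without an authenticated caller.
# Only GetVmScreenshot is named in the report; the tuple makes it easy to extend.
SENSITIVE_OPERATIONS = ("getvmscreenshot",)


def parse_line(line: str) -> Optional[Dict[str, str]]:
    """Parse one access-log line into its fields, or return None if it is malformed."""
    match = LOG_RE.match(line.strip())
    return match.groupdict() if match else None


def is_sensitive(path: str) -> bool:
    """True if the request path names a sensitive operation (case-insensitive)."""
    lowered = path.lower()
    return any(op in lowered for op in SENSITIVE_OPERATIONS)


def find_unauthenticated_sensitive_calls(lines: Iterable[str]) -> List[Dict[str, str]]:
    """Return records for sensitive operations that succeeded with no authenticated user.

    A 2xx response combined with an empty identity field is the trace an
    authentication bypass like CVE-2019-1234 would leave: the call was served,
    yet nobody authenticated for it. A 401 on the same path is the system
    working as intended and is deliberately not reported.
    """
    findings = []
    for line in lines:
        record = parse_line(line)
        if record is None or not is_sensitive(record["path"]):
            continue
        if record["user"] == "-" and record["status"].startswith("2"):
            findings.append(record)
    return findings


def summarise_by_client(findings: List[Dict[str, str]]) -> Dict[str, int]:
    """Count flagged calls per client IP so repeated probing stands out in triage."""
    counts: Dict[str, int] = {}
    for record in findings:
        counts[record["ip"]] = counts.get(record["ip"], 0) + 1
    return counts


if __name__ == "__main__":
    hits = find_unauthenticated_sensitive_calls(SAMPLE_LOG_LINES)
    for hit in hits:
        print(f'ALERT {hit["ip"]} {hit["method"]} {hit["path"]} -> {hit["status"]} (no auth)')
    print("per-client:", summarise_by_client(hits))
```

The rule keys on the combination of a sensitive path, a successful status and an absent identity; alerting on the path alone would drown analysts in the legitimate calls made by logged-in portal users, and alerting on every anonymous request would hide the point, which is that an anonymous request to this operation should always fail.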
Because these vulnerabilities were reported responsibly to Microsoft, the patches have already been applied to Azure servers and no action is required of clients who use Azure Stack. There is no indication that either vulnerability was exploited in the wild, but had a threat actor discovered them first, the consequences could have been severe. When adopting cloud services, keep in mind that vulnerabilities can exist in the provider's underlying infrastructure, outside the client's control. Microsoft Azure has a well-defined process for reporting vulnerabilities and a bug-bounty program that encourages responsible disclosure. Organizations that offer any public-facing service should strongly consider establishing a process for researchers to report vulnerabilities, together with a timeline for addressing what is reported.
For more information, see: https://thehackernews.com/2020/01/microsoft-azure-vulnerabilities.html