Microsoft has fixed 32 vulnerabilities in the Azure Site Recovery (ASR) suite that could have allowed attackers to gain elevated privileges or perform remote code execution. Azure Site Recovery is a disaster recovery service that automatically fails over workloads to secondary locations when a problem is detected. Microsoft found that SQL injection vulnerabilities accounted for most of the privilege escalation bugs, while CVE-2022-33675 was caused by a DLL hijacking vulnerability.

Discovered by Tenable, the DLL hijacking vulnerability has a CVSS v3 severity rating of 7.8. The attack exploits the way some Windows applications search for and load DLLs: a threat actor disguises a malicious DLL as a legitimate one and places it in a folder that Windows searches, so the application loads it. Tenable also found that the “cxprocessserver” service of ASR runs with SYSTEM-level privileges by default, and that its executable lies in a directory incorrectly configured to grant ‘write’ permission to any user. A normal user can therefore plant a malicious DLL in that directory, and when the “cxprocessserver” process starts, the DLL’s code runs with SYSTEM privileges. Although DLL hijacking is an old technique, the ability to give an ordinary user SYSTEM privileges adds to the complexity of securing the cloud space.
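The root cause described above is a SYSTEM service whose executable directory is writable by ordinary users. The following audit script, added here as an example and not taken from Microsoft, Tenable or ASR, lists every service running as LocalSystem whose executable directory grants write-type rights to Everyone, BUILTIN\Users or Authenticated Users; the function name is ours, and it must run in an elevated PowerShell session to read all ACLs.

```powershell
# Added example: find LocalSystem services whose binary directory is writable
# by broad principals, the misconfiguration behind the cxprocessserver finding.
$BroadPrincipals = @('Everyone', 'BUILTIN\Users', 'NT AUTHORITY\Authenticated Users')

# Only rights that let a user create, replace or delete files (DLL planting).
# Synchronize and read bits are deliberately excluded to avoid false positives.
$PlantMask = [System.Security.AccessControl.FileSystemRights]'Write, Delete, DeleteSubdirectoriesAndFiles, ChangePermissions, TakeOwnership'

function Get-WritableSystemServiceDirs {
    Get-CimInstance -ClassName Win32_Service |
        Where-Object { $_.StartName -eq 'LocalSystem' -and $_.PathName } |
        ForEach-Object {
            $svc = $_
            # PathName may be quoted and carry arguments; keep only the executable path.
            $exe = if ($svc.PathName -match '^"([^"]+)"') { $Matches[1] } else { ($svc.PathName -split ' ')[0] }
            try { $dir = Split-Path -Path $exe -Parent } catch { return }
            if (-not $dir -or -not (Test-Path -LiteralPath $dir)) { return }

            $acl = Get-Acl -LiteralPath $dir
            foreach ($ace in $acl.Access) {
                $rights = [int]$ace.FileSystemRights
                if ($ace.AccessControlType -eq 'Allow' -and
                    $BroadPrincipals -contains $ace.IdentityReference.Value -and
                    ($rights -band [int]$PlantMask) -ne 0) {
                    [pscustomobject]@{
                        Service   = $svc.Name
                        Directory = $dir
                        Principal = $ace.IdentityReference.Value
                        Rights    = $ace.FileSystemRights
                        Inherited = $ace.IsInherited
                    }
                }
            }
        }
}

# Any row returned is a directory where a non-admin user could drop a DLL that
# a SYSTEM service may load; fix by removing the write ACE, not by hiding the path.
Get-WritableSystemServiceDirs | Sort-Object Service | Format-Table -AutoSize
```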