2023-01-23

A new critical remote code execution (RCE) vulnerability found to affect multiple Microsoft Azure-related services could be exploited by a malicious actor to take complete control of an application.

It should be noted that this is not the first time this service has been at the center of a “scandal” related to a bug.

“The vulnerability is achieved through CSRF (cross-site request forgery) on the ubiquitous SCM Kudu service,” Ermetic researcher Liv Matan stated in a report. “By abusing the vulnerability, attackers could deploy malicious ZIP files containing a payload to the victim’s Azure application.”

The Israeli cloud infrastructure security company, which dubbed the flaw EmojiDeploy, said it could further allow sensitive data theft and lateral movement to other Microsoft Azure services.

But don’t panic! The Microsoft Azure vulnerability was fixed in time

Microsoft fixed the vulnerability on December 6, 2022, following responsible disclosure on October 26, 2022, and awarded a $30,000 bounty for catching the bug (yes, there are bounty hunters who specialize in this too…).

The Windows maker describes Kudu as the “engine behind a number of features in Azure App Service related to deployment, based on source control and other deployment methods such as Dropbox and OneDrive sync”.

In a hypothetical attack chain theorized by Ermetic, an adversary could exploit the CSRF vulnerability in the Kudu SCM panel to defeat the security measures put in place to block cross-origin requests, sending a specially crafted request to the “/api/zipdeploy” endpoint to deliver a malicious archive (e.g. a web shell) and gain remote access.

Cross-site request forgery, also known as sea surf or session riding, is an attack vector whereby an attacker tricks an authenticated user of a web application into unknowingly executing unauthorized commands.

The ZIP file, for its part, is encoded in the body of the HTTP request; the victim application is made to navigate to an attacker-controlled domain hosting the malware, bypassing the server’s same-origin policy.
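As an added illustration of the cross-origin pattern described above (this is example code written for this page, not part of the article or of Ermetic’s report), the following Python scans a constructed set of access-log lines for deploy requests to /api/zipdeploy whose Origin or Referer header points outside the SCM site’s own origin. The simplified log format, the hostnames and the sample lines are assumptions made for the example.

```python
import re
from urllib.parse import urlparse

# Hypothetical, simplified access-log format assumed for this example
# (real Kudu/App Service logs differ): method, path, Origin, Referer, status.
LOG_RE = re.compile(
    r'^(?P<method>[A-Z]+) (?P<path>\S+) origin="(?P<origin>[^"]*)" '
    r'referer="(?P<referer>[^"]*)" status=(?P<status>\d+)$'
)
DEPLOY_PATHS = {"/api/zipdeploy"}   # endpoint named in the report
WRITE_METHODS = {"POST", "PUT"}     # methods that actually deploy code

def origin_of(header_value):
    """Return scheme://host from an Origin or Referer value, or None if absent."""
    if not header_value or header_value == "-":
        return None
    p = urlparse(header_value)
    if not p.scheme or not p.netloc:
        return None
    return f"{p.scheme}://{p.netloc}".lower()

def classify(line, scm_origin):
    """None: not a deploy request. 'same-origin': the SCM UI itself posted it.
    'cross-origin': the CSRF pattern, a browser on another site posted it.
    'no-origin': typical of CLI/CI deploys using publishing credentials."""
    m = LOG_RE.match(line)
    if not m or m["method"] not in WRITE_METHODS:
        return None
    if m["path"].split("?", 1)[0] not in DEPLOY_PATHS:
        return None
    src = origin_of(m["origin"]) or origin_of(m["referer"])
    if src is None:
        return "no-origin"
    return "same-origin" if src == scm_origin.lower() else "cross-origin"

def cross_origin_deploys(lines, scm_origin):
    """Return the log lines in which a foreign browser origin deployed code."""
    return [ln for ln in lines if classify(ln, scm_origin) == "cross-origin"]

# Constructed sample lines; hostnames are placeholders, not real sites.
SCM_ORIGIN = "https://myapp.scm.azurewebsites.net"
SAMPLE_LOGS = [
    'POST /api/zipdeploy origin="https://myapp.scm.azurewebsites.net" '
    'referer="https://myapp.scm.azurewebsites.net/ZipDeployUI" status=200',
    'POST /api/zipdeploy?isAsync=true origin="https://attacker.invalid" '
    'referer="https://attacker.invalid/page.html" status=200',
    'POST /api/zipdeploy origin="-" referer="-" status=200',
    'GET /api/zipdeploy origin="-" referer="-" status=405',
]
```

Requests with no Origin or Referer are reported separately rather than flagged, since credential-based CLI and CI deploys normally look like that; a foreign browser origin on a deploy request is the signal worth alerting on.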

“The impact of the vulnerability on the organization as a whole depends on the permissions of the application’s managed identity,” the company said. “Effective application of the principle of least privilege can significantly limit the blast radius.”

The findings come days after Orca Security disclosed four instances of server-side request forgery (SSRF) attacks that impacted Azure API Management, Azure Functions, Azure Machine Learning, and Azure Digital Twins.

I use Microsoft Azure regularly, should I be concerned?

As mentioned, absolutely not!

As you may have noticed, news of a bug fix very often appears some time after the actual resolution, precisely so as not to alarm users.

In any case, no: you can continue to use Microsoft Azure without problems; there is no danger.

If you don’t know what Microsoft Azure is, you can consult this link to get an idea, but in short it is a cloud computing platform.