New Microsoft Azure Vulnerability Uncovered — EmojiDeploy for RCE Attacks
A new critical remote code execution (RCE) flaw discovered impacting multiple services related to Microsoft Azure could be exploited by a malicious actor to completely take control of a targeted application.
"The vulnerability is achieved through?CSRF?(cross-site request forgery) on the ubiquitous SCM service Kudu," Ermetic researcher Liv Matan?said?in a report. "By abusing the vulnerability, attackers can deploy malicious ZIP files containing a payload to the victim's Azure application."
The Israeli cloud infrastructure security firm, which dubbed the shortcoming?EmojiDeploy, said it could further enable the theft of sensitive data and lateral movement to other Azure services.
Microsoft has since fixed the vulnerability as of December 6, 2022, following responsible disclosure on October 26, 2022, in addition to awarding a bug bounty of $30,000.
The Windows maker?describes?Kudu as the "engine behind a number of features in Azure App Service related to source control based deployment, and other deployment methods like Dropbox and OneDrive sync."
In a hypothetical attack chain devised by Ermetic, an adversary could exploit the CSRF vulnerability in the Kudu SCM panel to defeat safeguards put in place to thwart?cross-origin attacks?by issuing a specially crafted request to the "/api/zipdeploy" endpoint to deliver a malicious archive (e.g., web shell) and gain remote access.
Cross-site request forgery, also known as sea surf or session riding, is an attack vector whereby a threat actor tricks an authenticated user of a web application into executing unauthorized commands on their behalf.
The ZIP file, for its part, is encoded in the body of the HTTP request, prompting the victim application to navigate to an actor-control domain hosting the malware via the server's?same-origin policy?bypass.
"The impact of the vulnerability on the organization as a whole depends on the permissions of the applications managed identity," the company said. "Effectively applying the principle of least privilege can significantly limit the blast radius."
The findings come days after Orca Security?revealed?four instances of server-side request forgery (SSRF) attacks impacting Azure API Management, Azure Functions, Azure Machine Learning, and Azure Digital Twins.
Realtor Associate @ Next Trend Realty LLC | HAR REALTOR, IRS Tax Preparer
2 年Thanks for sharing.
Network Engineer at Network Squad Ltd | Expert in Network Administration and Cloud | MCT | MLSA
2 年Thanks for the information about the critical RCE flaw discovered impacting multiple services related to Microsoft Azure. It is alarming that malicious actors could use this vulnerability to deploy malicious ZIP files containing a payload to the victim's Azure application and gain access to their sensitive data or move laterally to other Azure services. I'm grateful that Microsoft was able to fix this issue and reward the researcher with a bug bounty of $30,000. It's also important that organizations apply the principle of least privilege to limit the blast radius of the vulnerability. Unfortunately, this isn't the only security issue facing Azure users. Orca Security recently revealed four instances of server-side request forgery (SSRF) attacks impacting Azure API Management, Azure Functions, Azure Machine Learning, and Azure Digital Twins. It's important that organizations take steps to protect their Azure applications and services and stay up to date on the latest security threats.