According to researchers at Intezer Labs, there are two security flaws in Microsoft's Azure App Services that could enable an attacker to execute arbitrary code or carry out server-side request forgery (SSRF) attacks to take over the admin server.
The first flaw could enable an attacker with access to the server to take over the Azure App Service's git repository and implant maliciously crafted pages accessible via the Azure Portal. The second flaw allowed an attacker who had already found a low-severity vulnerability in the application (an SSRF) to gain full code execution on the App Service and thereby trigger the first flaw.
The flaws were reported to Microsoft in June, and the company subsequently issued security fixes to address them.
How the flaws in Azure App Services affect Linux
Azure deployments on Linux are managed by a service known as KuduLite, which offers diagnostic data about the system and includes a web interface for SSHing into the application node (called "webssh").
The first flaw, a privilege escalation vulnerability, allows a takeover of KuduLite via hard-coded credentials ("root:Docker!"), which make it possible to SSH in and log in as root, thereby giving an attacker complete control of the Software Configuration Management (SCM) web server.
With that control, an attacker could also listen to a user's HTTP requests via the SCM web page, add their own pages, and inject malicious JavaScript into the user's web page.
Additionally, the second flaw, which concerns the way the application node sends requests to the KuduLite API, could allow a web app with an SSRF vulnerability to access the node's file system and steal sensitive assets.
How to Mitigate against the Flaws in Azure App Services
Microsoft was promptly contacted with the findings as part of a responsible disclosure process, and the vulnerabilities were quickly fixed.
However, users are recommended to rely on runtime cloud security as an important last line of defense for detecting malicious code injections and other threats that take place after an attacker has exploited a vulnerability.