
A newly discovered critical remote code execution (RCE) flaw affecting multiple services related to Microsoft Azure could be exploited by malicious actors to gain complete control over a targeted application.
“This vulnerability is achieved through CSRF (cross-site request forgery) in the ubiquitous SCM service Kudu,” Ermetic researcher Liv Matan said in a report shared with The Hacker News. “By exploiting the vulnerability, an attacker could deploy a malicious ZIP file containing a payload to the victim’s Azure application.”
The Israeli cloud infrastructure security firm, which dubbed the flaw EmojiDeploy, said it could further enable the theft of sensitive data and lateral movement to other Azure services.
Microsoft has fixed the vulnerability and awarded a $30,000 bug bounty as of December 6, 2022, following a responsible disclosure on October 26, 2022.
The Windows maker describes Kudu as “the engine behind many features of Azure App Service related to source control-based deployments and other deployment methods such as Dropbox and OneDrive sync.”

In a hypothetical attack chain devised by Ermetic, an attacker exploits the CSRF vulnerability in the Kudu SCM panel to defeat the safeguards put in place to stop cross-origin attacks, issuing a specially crafted request to the “/api/zipdeploy” endpoint that deploys a malicious archive (such as a web shell) and gains remote access.
The ZIP file, encoded in the body of the HTTP request, prompts the victim’s application to navigate to an actor-controlled domain hosting the malware by way of the server’s same-origin policy bypass.
Cross-site request forgery (also known as sea surf or session riding) is an attack vector in which an attacker tricks an authenticated user of a web application into executing unauthorized commands on that user’s behalf.
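As an added defender-side example (not from the article, Ermetic’s report or Kudu itself), the script below reviews constructed access-log lines for the “/api/zipdeploy” endpoint and flags cookie-authenticated, state-changing deploy requests whose Origin or Referer does not match the SCM host. The log format, hostnames and the auth field are assumptions made for the example.

```python
import re
from urllib.parse import urlparse

# Constructed access-log lines (not real Azure or Kudu logs). Fields: client IP,
# method, path, Host, Origin, Referer, and how the request was authenticated.
SAMPLE_LOGS = """\
203.0.113.5 POST /api/zipdeploy host=myapp.scm.azurewebsites.net origin=https://myapp.scm.azurewebsites.net referer=https://myapp.scm.azurewebsites.net/ZipDeployUI auth=cookie
203.0.113.9 POST /api/zipdeploy host=myapp.scm.azurewebsites.net origin=https://lure.example referer=https://lure.example/page.html auth=cookie
203.0.113.9 POST /api/zipdeploy host=myapp.scm.azurewebsites.net origin=- referer=https://lure.example/page.html auth=cookie
198.51.100.7 POST /api/zipdeploy host=myapp.scm.azurewebsites.net origin=- referer=- auth=basic
203.0.113.11 POST /api/zipdeploy host=myapp.scm.azurewebsites.net origin=- referer=- auth=cookie
203.0.113.5 GET /api/zipdeploy host=myapp.scm.azurewebsites.net origin=- referer=- auth=cookie
"""

LINE_RE = re.compile(
    r"^(?P<ip>\S+) (?P<method>\S+) (?P<path>\S+) host=(?P<host>\S+) "
    r"origin=(?P<origin>\S+) referer=(?P<referer>\S+) auth=(?P<auth>\S+)$"
)

def parse_line(line):
    m = LINE_RE.match(line.strip())
    if not m:
        raise ValueError(f"unrecognised log line: {line!r}")
    return m.groupdict()

def classify(entry):
    """Return 'ok', 'cross-origin' or 'unverifiable' for one parsed request."""
    # CSRF rides on cookies the browser attaches automatically to state-changing
    # requests; reads and requests carrying explicit credentials are out of scope.
    if (entry["method"] not in ("POST", "PUT", "DELETE")
            or not entry["path"].startswith("/api/zipdeploy")
            or entry["auth"] != "cookie"):
        return "ok"
    # Browsers send Origin on cross-origin POSTs; Referer is the fallback check.
    for header in ("origin", "referer"):
        if entry[header] != "-":
            return "ok" if urlparse(entry[header]).hostname == entry["host"] else "cross-origin"
    return "unverifiable"  # neither header present: cannot prove same-origin, review manually

def find_cross_origin_deploys(log_text):
    """Return (client IP, verdict) for each deploy request that is not clearly same-origin."""
    entries = [parse_line(l) for l in log_text.splitlines() if l.strip()]
    return [(e["ip"], classify(e)) for e in entries if classify(e) != "ok"]

if __name__ == "__main__":
    for ip, verdict in find_cross_origin_deploys(SAMPLE_LOGS):
        print(f"{ip}: {verdict}")
```

The same-origin requirement is the check Kudu’s own CSRF protection is meant to enforce server-side; running it over logs after the fact is a detection aid, not a substitute for the patch.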
“The impact of the vulnerability across the organization depends on the permissions of the identities managed by the application,” the company said. “Effective application of the principle of least privilege can greatly limit the blast radius.”
The findings come days after Orca Security uncovered four instances of server-side request forgery (SSRF) attacks affecting Azure API Management, Azure Functions, Azure Machine Learning, and Azure Digital Twins.