Heimdal

A critical remote code execution (RCE) flaw has been discovered in Microsoft Azure that could allow a malicious actor to take complete control of a targeted application.

According to Ermetic researcher Liv Matan, attackers can exploit the vulnerability by deploying malicious ZIP files containing a payload to the victim’s Azure application using CSRF (cross-site request forgery).

The Israel-based security firm, which dubbed the flaw EmojiDeploy, warned that the shortcoming could enable the theft of sensitive data and lateral movement to other Azure services.

Following responsible disclosure on October 26, 2022, Microsoft has since fixed the vulnerability, and a bug bounty of $30,000 has been awarded.

As described by Microsoft, Kudu is the engine behind several Azure App Service features, including source control-based deployment and Dropbox and OneDrive sync.

In a hypothetical attack chain devised by Ermetic, an adversary could defeat the safeguards meant to prevent cross-origin requests and issue a specially crafted request to the /api/zipdeploy endpoint, delivering a malicious archive (for example, one containing a web shell) and gaining remote access.

Cross-site request forgery, also known as a one-click attack or session riding, is an attack vector in which a threat actor tricks an authenticated user into unknowingly executing unauthorized commands.

The ZIP file is encoded in the body of the HTTP request; when the victim is lured into navigating to an actor-controlled domain hosting the payload, the server's same-origin policy is bypassed and the archive is deployed to the victim's application.
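As an added defender-side example (not code from Ermetic, Microsoft or the Kudu project), the Python below shows the standard CSRF mitigation for a deployment endpoint such as the one described above: a state-changing request to /api/zipdeploy is accepted only if its Origin header, or failing that its Referer, matches the application's own SCM host. The host names are constructed placeholders.

```python
from urllib.parse import urlsplit

# Constructed values for illustration; the real SCM host name is
# app-specific and not something this page states.
DEPLOY_PATH = "/api/zipdeploy"
STATE_CHANGING = {"POST", "PUT", "DELETE", "PATCH"}


def request_origin(headers):
    """Return the scheme://host the browser claims the request came from.

    Browsers attach Origin to cross-origin POSTs, but some omit it and send
    only Referer, so Referer is used as a fallback. Returns None when
    neither header is usable.
    """
    h = {k.lower(): v for k, v in headers.items()}
    origin = h.get("origin")
    if origin and origin.lower() != "null":
        return origin.lower()
    referer = h.get("referer")
    if referer:
        parts = urlsplit(referer)
        if parts.scheme and parts.netloc:
            return f"{parts.scheme}://{parts.netloc}".lower()
    return None


def should_reject(method, path, headers, expected_host):
    """Reject state-changing deploy requests that are not same-origin.

    Missing or "null" origins are rejected as well: a forged POST from a
    sandboxed iframe or a privacy-stripped request cannot be told apart
    from a legitimate one, so the safe default is to refuse the deploy.
    The exact string comparison also defeats lookalike hosts such as
    myapp.scm.example.net.attacker.example.
    """
    if method.upper() not in STATE_CHANGING:
        return False
    if path.split("?")[0].lower().rstrip("/") != DEPLOY_PATH:
        return False  # only the deployment endpoint is guarded here
    return request_origin(headers) != f"https://{expected_host}".lower()
```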

The company said that applying the principle of least privilege can significantly reduce the blast radius; the impact of the vulnerability on an organization as a whole depends on how its permissions are managed.

The disclosure comes days after Orca Security reported four server-side request forgery (SSRF) issues affecting Azure API Management, Azure Functions, Azure Machine Learning, and Azure Digital Twins.


Author Profile

Gabriella Antal

SMM & Corporate Communications Officer


Gabriella is the Social Media Manager and Cybersecurity Communications Officer at Heimdal®, where she orchestrates the strategy and content creation for the company's social media channels. Her contributions amplify the brand's voice and foster a strong, engaging online community. Outside work, you can find her exploring the outdoors with her dog.
