Microsoft Azure has discovered a critical remote code execution (RCE) flaw that could allow a malicious actor to control a targeted application completely.
According to Ermetic researcher Liv Matan, attackers can exploit the vulnerability by deploying malicious ZIP files containing a payload to the victim’s Azure application using CSRF (cross-site request forgery).
Security firm EmojiDeploy, based in Israel, warned the shortcoming could allow the theft of sensitive data and lateral movement to other Azure services.
Following responsible disclosure on October 26, 2022, Microsoft has since fixed the vulnerability, and a bug bounty of $30,000 has been awarded.
As described by Microsoft, Kudu powers several Azure App Service features, including source control-based deployment and Dropbox and OneDrive sync.
By issuing a specially crafted request to the “/API/zip deploy” endpoint to deliver a malicious archive (such as web shells) and gain remote access, an adversary could defeat the safeguards to prevent cross-origin attacks in a hypothetical attack chain devised by Ermetic.
An attack vector called cross-site request forgery, attack surface, or session riding occurs when a threat actor tricks an authenticated user into executing unauthorized access and commands.
The ZIP file is embedded in the HTTP request body through the server’s same-origin policy bypass, causing the victim application to navigate to an actor-controlled domain hosting the malware.
The company said that using the principle of least privilege effectively can significantly reduce the blast radius. The impact of the vulnerability on the organization as a whole depends on how permissions are managed.
It comes days after Orca Security reported four instances of server-side request forgery (SSRF) attacks affecting Azure API Management, Azure Functions, Azure Machine Learning, and Azure Digital Twins.
If you liked this article, follow us on LinkedIn, Twitter, Facebook, YouTube, and Instagram for more cybersecurity news and topics.