Microsoft Azure

As businesses are increasingly migrating to the cloud, securing the infrastructure has never been more important.

Now according to the latest research, two security flaws in Microsoft’s Azure App Services could have enabled an bad actor to carry out server-side request forgery (SSRF) attacks or execute arbitrary code and take over the administration server.

“This enables an attacker to quietly take over the App Service’s git server, or implant malicious phishing pages accessible through Azure Portal to target system administrators,” cyber security firm Intezer said in a report published on 8th October 2020.

Discovered by Paul Litvak of Intezer Labs, the flaws were reported to Microsoft in June, after which the company subsequently addressed them.

What is Azure ?

The Azure cloud platform is more than 200 products and cloud services designed to help you bring new solutions to life – to solve today’s challenges and create the future. Build, run, and manage applications across multiple clouds, on -premises, and at the edge, with the tools and frameworks of your choice.

To start free and for more information click here

Azure App Service is a cloud computing-based platform that’s used as a hosting web service for building web apps and mobile back-ends.

When an App Service is created via Azure, a new Docker environment is created with two container nodes – a manager node and the application node – along with registering two domains that point to the app’s HTTP web server and the app service’s administration page, which in turn leverages Kudu for continuous deployment of the app from source control providers such as GitHub or Bitbucket.

Likewise, Azure deployment on Linux environments are managed by a service called KuduLite, which offers diagnostic information about the system and consists of a web interface to SSH into the application node called “webssh“.


The first vulnerability is a privilege escalation flaw that allows for a takeover of KuduLite via hard-coded credentials (“root:Docker!”) that makes it possible to SSH into the instance and log in as root, thereby allowing an attacker complete control over the SCM(a.k.a Software Configuration Management) web server.


Remote Code Execution Vulnerability (Burp-suite)

According to the researchers, this could enable an adversary to “listen to a user’s HTTP request to the SCM web page, add our own pages, and inject malicious JavaScript into the user’s web page.”

The second security vulnerability concerns the way the application node sends requests to the KuduLite API, potentially permitting a web app with an SSRF vulnerability to access the node’s file system and steal source code and other sensitive assets.

“An attacker who manages to forge a POST request may achieve remote code execution on the application node via the command API,” the researchers said.

What’s more, successful exploitation of the second vulnerability implies the attacker can chain the two issues to leverage the SSRF flaw and elevate their privilege to take over the KuduLite web server instance.

For its part, Microsoft has been steadily working to improve security in the cloud and the internet of things (IoT) space. After making available its security-focused IoT platform Azure Sphere earlier this year, it has also opened it up for researchers to break into the service with an aim to “identify high impact vulnerabilities before hackers.”

“The cloud enables developers to build and deploy their applications at great speed and flexibility however, often the infrastructure is susceptible to vulnerabilities out of their control,” Intezer said. “In the case of App Services, applications are co-hosted with an additional administration container, and additional components can bring additional threats.”

“As a general best practice, runtime cloud security is an important last line of defense and one of the first actions you can to reduce risk, since it can detect malicious code injections and other in-memory threats that take place after a vulnerability has been exploited by an attacker.”



If you found this article interesting?

Follow The Cyber Grabs on Youtube, Instagram(IG), Facebook, Twitter and Linkedin to read more exclusive content we post.

Follow me at IG, Twitter and Linkedin to let me know what type of content you want us to publish here…

Leave a comment

Your email address will not be published. Required fields are marked *