Researchers at Check Point identified two, major security flaws in Microsoft Azure, one of the leading cloud computing providers in the world. Check Point researchers discovered that a user on the Azure network could have potentially taken control over the entire server, opening a path to business code theft and manipulation.
The first security flaw was found in Azure Stack. The second security flaw was found in Azure App Service. The Azure Stack Flaw would have enabled a hacker to gain screenshots and sensitive information of machines running on Azure. The Azure App Flaw would have enabled a hacker to take control over the entire Azure server, and consequently take control over an enterprises’ business code.
Azure Stack Flaw: Attacker Gains Screenshots and Sensitive Information of Machines on Azure
Azure Stack is a cloud computing software solution developed by Microsoft that is designed to help enterprises deliver Azure services from their own data center. Microsoft created the Azure Stack as a way to help organizations embrace hybrid cloud computing on their own terms by harnessing the power of the cloud, while still being able to address business and technical considerations like regulations, data sovereignty, customization and latency.
Check Point researchers were able to take screenshots and lift sensitive information of Azure tenants and infrastructure machines. This security flaw would enable a hacker to get sensitive information of any business that has its machine running on Azure. In order to execute the exploitation, a hacker would first gain access to the Azure Stack Portal, enabling that person to send unauthenticated HTTP requests that provide screenshots and information about tenants and infrastructure machines.
Azure App Flaw: Attacker Takes Control Over Server and Business Code
Azure App Service is a fully managed “Platform as a Service” (PaaS) that integrates Microsoft Azure Websites, Mobile Services, and other services into a single service, adding new capabilities that enable integration with on-premises or cloud systems. Azure App Service gives users several capabilities such as provisioning and deploying web and mobile apps, build engaging iOS, Android, and Windows apps, automating business processes with a visual design experience, and integrating with “Software as a Service” (SaaS) applications like Salesforce, Marketo and DropBox.
Researchers at Check Point were able to prove that a hacker could compromise tenant applications, data, and accounts by creating a free user in Azure Cloud and running malicious Azure functions. The end result would be that a hacker could potentially take control over the entire Azure server, and consequently take control over all your business code.
Check Point researchers began by installing Azure Stack Development Kit (ASDK) on their own servers. After ASDK was installed, Check Point researchers mapped the places they thought they might find vulnerabilities around. Since Azure Stack has similar features to Azure’s public cloud, Check Point researchers focused on those vectors.
Check Point responsibly disclosed its finding to Microsoft. The first security flaw was disclosed by Check Point on January 19, 2019, in which Microsoft created CVE-2019-1234, accordingly. The second security flaw was disclosed by Check Point on June 27, 2019, in which Microsoft created CVE-2019-1372. Together, Check Point and Microsoft worked closely to fix the issues. Full patches for both security flaws in Azure were issued to the public by the end of 2019.