Check Point spots two flaws in Microsoft Azure


Security researchers at Check Point have discovered two flaws in Microsoft Azure. These flaws have the potential to allow hackers to control cloud servers.

The research is part of a wider Check Point project on cloud infrastructure, dubbed “Attack the Cloud”, which aims to “break the assumption that cloud infrastructures are secure”.

The hidden flaws

When the researchers examined Microsoft Azure, they found two flaws. The first was in Azure Stack and could have allowed criminals to take screenshots or obtain sensitive information by exploiting a vulnerability in the “DataService” function, which required no authentication to access.

“This security flaw would enable a hacker to get sensitive information of any business that has its machine running on Azure,” the researchers said. “In order to execute the exploitation, a hacker would first gain access to the Azure Stack Portal, enabling that person to send unauthenticated HTTP requests that provide screenshots and information about tenants and infrastructure machines.”

The second flaw was found in the Azure App Service, the area where businesses provision and deploy apps and business processes; it could have handed control of the server to hackers.

“The end result would be that a hacker could potentially take control over the entire Azure server, and consequently take control over all your business code,” the researchers said.

The researchers were able to access applications, see data and take over accounts by creating a free user in Azure Cloud and running malicious functions.

“Exploiting this vulnerability in all of the plans could allow us to compromise Microsoft’s App Service infrastructure,” the researchers explain. “However, exploiting it specifically on a Free/Shared plan could also allow compromising other tenant apps, data, and account.”

These findings were disclosed to Microsoft in January and June last year. By the end of 2019, both flaws had been patched. The first flaw was awarded $5,000 from Microsoft’s bug bounty programme, and the second earned $40,000.

Join us for GovSec 2020

Whitehall Media’s award-winning 7th annual GovSec conference aims to enable the government to function effectively, safely and securely through improved IT and information security to protect the vital services provided by the central government, local councils and the NHS. The all-day conference explores how public sector organisations and professionals can make sense of securing their functions in a rapidly changing environment.