Check Point experts discovered two serious vulnerabilities in Microsoft Azure. One of them allowed an attacker to take control of an entire Azure server.
The first flaw was found in Azure Stack. The vulnerability, CVE-2019-1234, allowed an attacker to take screenshots and collect confidential information about the machines. The second vulnerability was found in Azure App Service. This flaw allowed attackers to take complete control of the Azure server.
Azure Stack is a cloud computing solution developed by Microsoft that helps enterprises work with Azure services from their own data center. Microsoft created Azure Stack to help organizations leverage hybrid cloud computing on their own terms. Essentially, it is an interface through which you can access the clouds created using Azure Stack.
To exploit the bug in Azure Stack, an attacker first needed access to the Azure Stack portal, which accepted unauthenticated HTTP requests that returned screenshots and information about tenants and infrastructure. The researchers found a way to obtain a virtual machine's name and identifier, along with hardware information such as the shared memory of the target machines, and then use all of this in another unauthenticated HTTP request to retrieve screenshots.
Interestingly, an attacker could exploit both problems by creating a free account on Azure Cloud, launching malicious functions on it and sending unauthenticated HTTP requests to the Azure Stack user portal.
Azure App Service, in turn, is a platform that allows you to create and host web applications, mobile backends and APIs in various languages, without having to directly manage the infrastructure.
The second vulnerability allowed remote code execution. The problem was in the DWASSVC service, which is responsible for managing and running tenant applications and the IIS processes that, in essence, run the tenant application; these interact with each other to perform various tasks. Because Azure Stack did not check the buffer length before copying data into it, an attacker could send a specially crafted DWASSVC message and have malicious code executed on the server with NT AUTHORITY\SYSTEM privileges.
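The bug class described above, a sender-supplied length used for a copy into a fixed buffer, is closed by checking that length against both the destination size and the bytes actually received. The following is an added example, not Microsoft's or Check Point's code; the wire format (4-byte little-endian length followed by the payload), `PAYLOAD_MAX`, and all function names are hypothetical, and the sample messages are constructed.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define PAYLOAD_MAX 64u  /* hypothetical size of the fixed destination buffer */

enum { MSG_OK = 0, MSG_TRUNCATED = -1, MSG_TOO_LARGE = -2 };

/* Hypothetical wire format: 4-byte little-endian length, then the payload. */
struct msg { uint32_t len; uint8_t payload[PAYLOAD_MAX]; };

static uint32_t read_le32(const uint8_t *p) {
    return (uint32_t)p[0] | (uint32_t)p[1] << 8 |
           (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24;
}

/* The unchecked pattern would be memcpy(out->payload, wire + 4, declared)
   with `declared` taken straight from the sender. The checks below bound
   it against both the destination buffer and the bytes actually received. */
int parse_msg(struct msg *out, const uint8_t *wire, size_t wire_len) {
    if (wire_len < 4) return MSG_TRUNCATED;            /* no full header */
    uint32_t declared = read_le32(wire);
    if (declared > PAYLOAD_MAX) return MSG_TOO_LARGE;  /* would overflow dest */
    if (declared > wire_len - 4) return MSG_TRUNCATED; /* would over-read src */
    memcpy(out->payload, wire + 4, declared);
    out->len = declared;
    return MSG_OK;
}

/* Build a constructed message claiming `declared` bytes but carrying
   `actual` payload bytes, and return the parser's verdict. */
int run_sample(uint32_t declared, size_t actual) {
    uint8_t wire[4 + 256] = {0};
    struct msg m;
    if (actual > 256) actual = 256;
    for (int i = 0; i < 4; i++) wire[i] = (uint8_t)(declared >> (8 * i));
    memset(wire + 4, 'A', actual);
    return parse_msg(&m, wire, 4 + actual);
}

int main(void) {
    printf("honest 16/16:     %d\n", run_sample(16, 16));
    printf("oversized length: %d\n", run_sample(0xFFFFFFFFu, 8));
    printf("short payload:    %d\n", run_sample(32, 8));
    return 0;
}
```

Checking the destination bound before the source bound means a hostile length is rejected without ever being used in pointer arithmetic.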
The first vulnerability was discovered by Check Point on January 19, 2019, after which Microsoft released a security update for CVE-2019-1234. The second vulnerability was discovered on June 27, 2019, and Microsoft then created a patch for CVE-2019-1372. Thus, patches for both Azure vulnerabilities were released at the end of 2019.