Microsoft resolves ‘dangerous’ new Azure vulnerabilities
Microsoft recently fixed two vulnerabilities affecting two Azure-related tools that would have allowed hackers to access a victim’s data and make changes to their virtual environment.
Researchers with Orca Security said they discovered two “dangerous” vulnerabilities in Azure Bastion and Azure Container Registry that could allow attackers to achieve cross-site scripting (XSS) – a process involving hackers injecting malicious scripts into trusted websites. These kinds of vulnerabilities can lead to unauthorized access, data theft, and even the complete compromise of the affected system.
Orca Security’s Lidor Ben Shitrit said the vulnerabilities they discovered “acted as the entry point for attackers to exploit XSS flaws” and could “lead to severe consequences, including unauthorized data access, unauthorized modifications, and disruption of the Azure services iframes.”
Azure Bastion allows users to access virtual machines within an Azure cloud environment, while Azure Container Registry provides users with a centralized location to store container images – foundational files containing code that runs on IT infrastructure.
Microsoft told Recorded Future News that it is not aware of any exploitation of the vulnerabilities beyond the proof-of-concept provided by Orca researchers.
Both Microsoft and Orca Security said the Azure Bastion issue was reported to the Microsoft Security Response Center on April 1 and the Azure Container Registry problem was reported on May 3.
Microsoft confirmed in a statement that exploitation of the vulnerabilities could have potentially allowed hackers to gain access to a target’s session within the compromised Azure service, leading to “data tampering or resource modification.”
“A series of fixes were developed and deployed according to our Safe Deployment Practices and completed on 24 May 2023, after which the issue is considered mitigated for both services. No further action is required from customers to remain secure.”
A Microsoft spokesperson said exploitation of these vulnerabilities required the target user to visit an attacker-controlled page, and that in Azure Bastion the vulnerability stemmed from the Azure Network Watcher connection troubleshooter.
The tech giant noted that as a way to prevent issues like XSS from occurring in the future, its security engineers updated their internal rules to improve scanning for this class of bug across all of Microsoft’s products and services.
“Additionally, whenever a new vulnerability is reported by internal or external researchers, Microsoft security teams conduct thorough variant hunting to identify the reported vulnerability in products or services beyond the service initially reported,” the spokesperson said.
“Long-term, Microsoft security teams are driving adoption of much more comprehensive content security policies across our large portfolio of products and services. Adoption of more rigorous content security policies will ensure that we minimize the surface area for potential cross-site scripting in the future.”
Jonathan Greig is a Breaking News Reporter at Recorded Future News. Jonathan has worked across the globe as a journalist since 2014. Before moving back to New York City, he worked for news outlets in South Africa, Jordan and Cambodia. He previously covered cybersecurity at ZDNet and TechRepublic.