Researchers describe critical vulnerability Microsoft’s Azure App Service

Researchers at security firm Check Point describe a critical vulnerability in the infrastructure of Microsoft’s Azure App Service, which allowed remote code execution. Under certain circumstances, third-party apps and accounts could be accessed.

According to Check Point, the purpose of the study was to demonstrate that the assumption that cloud services infrastructure is secure is false. The company focused on Microsoft’s Azure App Service, a service that allows developers to build and host web apps. The researchers found a way to remotely crash accounts, but they said increasing remote permissions was also possible. This allows attackers to execute code for further abuse.

Because Microsoft offers shared App Service subscriptions, it was also possible under certain circumstances to jump to accounts, apps and data of other customers to run code there. Those apps from Free and Shared subscriptions run on the same Azure virtual machine and use the same hardware. A second vulnerability involved being able to take screenshots of rented Azure machines, in order to obtain information about the systems and customers.

Check Point used the Azure Stack Development Kit, which runs locally, but according to the company, the vulnerabilities also affect the online infrastructure. The vulnerabilities have been labeled CVE-2019-1372 and CVE-2019-1234 and have already been patched by Microsoft last October and November. Microsoft describes the vulnerability as a vulnerability that allows remote code execution if Azure Stack does not check the length of a buffer before copying memory to it.