Microsoft’s massive Patch Tuesday rollout this month included fixes for multiple high-severity vulnerabilities impacting the Azure Site Recovery service.
Azure Site Recovery represents a suite of tools for ensuring business continuity during outages, such as site recovery – which ensures that both applications and workloads continue to operate on a secondary location – and data backup services.
One vulnerability that Microsoft specifically highlights is a DLL hijacking bug in the Azure Site Recovery process server component, which could allow any user to escalate privileges to that of SYSTEM.
Tracked as CVE-2022–33675, the issue exists because of incorrect permissions for the service’s executable directory, which allowed any user to create new files.
According to Tenable, the company credited with the flaw discovery, the service launched from this directory runs automatically and with SYSTEM privileges and attempts to load several DLLs from this directory. “This allows for a DLL hijacking/planting attack via several libraries that are attempted to be loaded from this location when the service is launched,” the company said in an advisory.
All Azure Site Recovery on-premises installations are impacted, including VMWare-to-Azure scenarios.
“Customers must upgrade all process server installations, such as the in-built process server, scale out process server, and scale out process server on Azure (if any),” Microsoft recommends.
The updated Azure Site Recovery updates resolve 30 vulnerabilities in the configuration server component and two bugs in the process server component, all of which require for the attacker to have valid user credentials and to be logged in to a vulnerable appliance. Approximately half of these issues carry a high-severity rating.
“Microsoft is not aware of any exploitation of these vulnerabilities, which only impact replication capabilities, not customer workloads. There is also no risk of cross-tenant data exposure since this is an on-premises offering,” Redmond said..
Most of the addressed vulnerabilities are SQL Injection (SQLi) bugs, with elevation of privilege (EoP) being the second most encountered type of bugs. The patches also resolve remote code execution (RCE) flaws that require administrative privileges for Azure Site Recovery-protected virtual machines.
On Tuesday, Microsoft announced patches for 84 vulnerabilities in Windows, including an in-the-wild zero-day that allows an attacker to gain SYSTEM privileges on a vulnerable machine.