Connect with us

Hi, what are you looking for?

SecurityWeekSecurityWeek

Audits

DLL Hijacking Flaw Fixed in Microsoft Azure Site Recovery

Microsoft’s massive Patch Tuesday rollout this month included fixes for multiple high-severity vulnerabilities impacting the Azure Site Recovery service.

Microsoft’s massive Patch Tuesday rollout this month included fixes for multiple high-severity vulnerabilities impacting the Azure Site Recovery service.

Azure Site Recovery represents a suite of tools for ensuring business continuity during outages, such as site recovery – which ensures that both applications and workloads continue to operate on a secondary location – and data backup services.

One vulnerability that Microsoft specifically highlights is a DLL hijacking bug in the Azure Site Recovery process server component, which could allow any user to escalate privileges to that of SYSTEM.

Tracked as CVE-2022–33675, the issue exists because of incorrect permissions for the service’s executable directory, which allowed any user to create new files.

According to Tenable, the company credited with the flaw discovery, the service launched from this directory runs automatically and with SYSTEM privileges and attempts to load several DLLs from this directory. “This allows for a DLL hijacking/planting attack via several libraries that are attempted to be loaded from this location when the service is launched,” the company said in an advisory.

[ READ: MS Patch Tuesday: 84 Windows Vulns, Including Exploited Zero-Day ]

All Azure Site Recovery on-premises installations are impacted, including VMWare-to-Azure scenarios. 

“Customers must upgrade all process server installations, such as the in-built process server, scale out process server, and scale out process server on Azure (if any),” Microsoft recommends.

Advertisement. Scroll to continue reading.

The updated Azure Site Recovery updates resolve 30 vulnerabilities in the configuration server component and two bugs in the process server component, all of which require for the attacker to have valid user credentials and to be logged in to a vulnerable appliance. Approximately half of these issues carry a high-severity rating.

“Microsoft is not aware of any exploitation of these vulnerabilities, which only impact replication capabilities, not customer workloads. There is also no risk of cross-tenant data exposure since this is an on-premises offering,” Redmond said..

Most of the addressed vulnerabilities are SQL Injection (SQLi) bugs, with elevation of privilege (EoP) being the second most encountered type of bugs. The patches also resolve remote code execution (RCE) flaws that require administrative privileges for Azure Site Recovery-protected virtual machines.

On Tuesday, Microsoft announced patches for 84 vulnerabilities in Windows, including an in-the-wild zero-day that allows an attacker to gain SYSTEM privileges on a vulnerable machine.

Related: SAP Patches High-Severity Flaws in Business One Product

Related: Microsoft Patch Tuesday: 84 Windows Vulns, Including Already-Exploited Zero-Day

Related: ICS Patch Tuesday: Siemens, Schneider Electric Address 59 Vulnerabilities

Written By

Ionut Arghire is an international correspondent for SecurityWeek.

Click to comment

Trending

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Don’t miss this Live Attack demonstration to learn how hackers operate and gain the knowledge to strengthen your defenses.

Register

Join us as we share best practices for uncovering risks and determining next steps when vetting external resources, implementing solutions, and procuring post-installation support.

Register

People on the Move

Shanta Kohli has been named CMO at Sysdig.

Cloud security firm Sysdig has appointed Sergej Epp as CISO.

F5 has appointed John Maddison as Chief Product Marketing and Technology Alliances Officer.

More People On The Move

Expert Insights

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest cybersecurity news, threats, and expert insights. Unsubscribe at any time.