Two cross-site scripting (XSS) vulnerabilities in Azure Bastion and Azure Container Registry (ACR) could have led to unauthorized access to user sessions, data tampering, and service disruptions, cloud security firm Orca warns.
The issues, resolved in April and May 2023, existed because of a weakness in the postMessage iframe, allowing an attacker to “embed endpoints within remote servers using the iframe tag” and execute malicious JavaScript code.
In Azure Bastion, which acts as a hardened gateway to provide access to virtual machines by creating a private remote desktop protocol (RDP) or secure shell (SSH) session between the local machine and the Azure VM, the vulnerability existed in the Azure Network Watcher connection troubleshooter.
Due to incorrectly implemented validation checks, an attacker could craft an HTML page that, once rendered in the victim’s browser, would lead to code execution.
According to Orca, multiple security weaknesses contributed to the vulnerability, allowing an attacker to automate the execution of a malicious SVG payload on behalf of the victim.
In the case of Azure Container Registry, the vulnerability existed in an HTML code snippet in an unused web page as part of ACR’s Azure Portal extension. Orca’s testing identified the HTML file that allowed for code injection.
A managed cloud service, Azure Container Registry allows users to deploy, manage, and store container images from a centralized location.
Orca discovered that the portal’s main page contained an iframe communicating with postMessages with an HTML file. The communication method was then found to be susceptible to exploitation, because of a missing origin check.
Orca reported the XSS in Azure Bastion to Microsoft in April and the XSS in the Azure Container Registry in May. Microsoft resolved both issues after being able to reproduce them.
“For Azure Bastion, the underlying Network Watcher file that incorrectly performed its origin check was updated to remove the vulnerable line of code. For Azure Container Registry, the ACR engineering team removed the vulnerable file after determining the vulnerable HTML page was legacy code and not actually used as part of the current Azure Portal experience,” Microsoft explains.
The tech giant says that it has no evidence of any of these vulnerabilities being exploited in attacks, beyond the proof-of-concept (PoC) code that Orca provided to demonstrate them.
Related: Azure API Management Vulnerabilities Allowed Unauthorized Access
Related: Microsoft Azure Users Warned of Potential Shared Key Authorization Abuse
Related: Severe Azure Vulnerability Led to Unauthenticated Remote Code Execution
More from Ionut Arghire
- Generative AI Startup Nexusflow Raises $10.6 Million
- Researchers Extract Sounds From Still Images on Smartphone Cameras
- Hackers Set Sights on Apache NiFi Flaw That Exposes Many Organizations to Attacks
- Cloudflare Users Exposed to Attacks Launched From Within Cloudflare: Researchers
- FBI Warns Organizations of Dual Ransomware, Wiper Attacks
- Lumu Raises $30 Million for Threat Detection and Response Platform
- Cisco Warns of IOS Software Zero-Day Exploitation Attempts
- Russian Zero-Day Acquisition Firm Offers $20 Million for Android, iOS Exploits
Latest News
- Bankrupt IronNet Shuts Down Operations
- AWS Using MadPot Decoy System to Disrupt APTs, Botnets
- Generative AI Startup Nexusflow Raises $10.6 Million
- In Other News: RSA Encryption Attack, Meta AI Privacy, ShinyHunters Hacker Guilty Plea
- Researchers Extract Sounds From Still Images on Smartphone Cameras
- National Security Agency is Starting an Artificial Intelligence Security Center
- CISA Warns of Old JBoss RichFaces Vulnerability Being Exploited in Attacks
- Hackers Set Sights on Apache NiFi Flaw That Exposes Many Organizations to Attacks
