Remote code execution (RCE) flaws let an attacker submit commands to vulnerable software that are then run with the privileges of the application, which are typically high. A new, critical RCE vulnerability was recently discovered that affects multiple Microsoft Azure-related services.
Liv Matan, an Ermetic researcher, explained that, "The vulnerability is achieved through CSRF (cross-site request forgery) on the ubiquitous SCM service Kudu…By abusing the vulnerability, attackers can deploy malicious ZIP files containing a payload to the victim's Azure application."
Matan’s team dubbed the flaw “EmojiDeploy,” and the vulnerability opens the door to attacks such as data theft and lateral movement to additional Azure services.
On December 6, 2022, Microsoft patched the vulnerability after Ermetic made the company aware of the issue, but many organizations are behind on their patching.
CSRF relies on tricking an authenticated user of a web application into submitting unauthorized commands under that user's credentials. The attack chain (the sequence of events in an attack) described by the researchers consists of exploiting the CSRF flaw in the Kudu SCM panel, bypassing its protections against cross-origin requests by issuing a crafted request to the "/api/zipdeploy" endpoint, delivering a malicious archive through that endpoint, and thereby gaining remote access to the system.
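As an added illustration (not code from Kudu, Microsoft or Ermetic) of the kind of cross-origin guard the attack chain above is aimed at: a strict, exact-match Origin allowlist for state-changing SCM requests, used both as a request guard and as a scan over constructed access-log lines. The allowed origin, the log format, the sample IPs and domains, and the function names are all assumptions; only the "/api/zipdeploy" path comes from the article.

```python
"""
Added example, not Kudu's or Ermetic's code. Demonstrates a fail-closed,
exact-match cross-origin check for a deployment endpoint and a scan of
constructed access-log lines for cross-site POSTs to that endpoint.
"""
import re
from typing import Dict, List, Optional, Tuple
from urllib.parse import urlsplit

# Hypothetical: the only origin allowed to call state-changing SCM endpoints.
ALLOWED_ORIGINS = frozenset({"https://myapp.scm.azurewebsites.net"})

# Path from the article; any other state-changing paths would be added here.
STATE_CHANGING_PATHS = ("/api/zipdeploy",)

STATE_CHANGING_METHODS = ("POST", "PUT", "PATCH", "DELETE")


def normalize_origin(value: Optional[str]) -> Optional[str]:
    """Reduce an Origin/Referer header to lowercase scheme://host[:port].

    Returns None when the value is missing or not a parsable http(s) URL,
    so the caller can fail closed instead of guessing.
    """
    if not value:
        return None
    try:
        parts = urlsplit(value.strip())
        port = parts.port  # raises ValueError on a non-numeric port
    except ValueError:
        return None
    if parts.scheme not in ("http", "https") or not parts.hostname:
        return None
    host = parts.hostname.lower()
    default_port = 443 if parts.scheme == "https" else 80
    if port is not None and port != default_port:
        host = f"{host}:{port}"
    return f"{parts.scheme}://{host}"


def is_cross_site(method: str, path: str, headers: Dict[str, str]) -> bool:
    """True when a state-changing request cannot be shown to come from an allowed origin.

    Headers are assumed to use canonical capitalisation (Origin, Referer, ...).
    The origin is compared by exact string equality after normalisation; substring
    or pattern matching of origins is a classic source of bypasses.
    """
    if method.upper() not in STATE_CHANGING_METHODS:
        return False
    if not path.startswith(STATE_CHANGING_PATHS):
        return False
    # A bearer token is attached explicitly by the client, not ambiently by the
    # browser, so such a request is not a CSRF concern.
    if headers.get("Authorization", "").lower().startswith("bearer "):
        return False
    # Browsers set Sec-Fetch-Site themselves; "cross-site" is a reliable signal.
    if headers.get("Sec-Fetch-Site", "").lower() == "cross-site":
        return True
    origin = normalize_origin(headers.get("Origin")) or normalize_origin(headers.get("Referer"))
    if origin is None:
        return True  # fail closed: cookie-authenticated write with no verifiable origin
    return origin not in ALLOWED_ORIGINS


# Hypothetical, constructed access-log format: ip "METHOD path" status origin="..." sfs="..."
LOG_RE = re.compile(
    r'^(?P<ip>\S+) "(?P<method>[A-Z]+) (?P<path>\S+)" (?P<status>\d{3}) '
    r'origin="(?P<origin>[^"]*)" sfs="(?P<sfs>[^"]*)"$'
)

# Constructed sample lines: one legitimate deploy, two cross-site ones (the third uses a
# look-alike host that a substring check would accept), one harmless GET, one
# cookie-authenticated POST with no origin information at all.
SAMPLE_LOG = """\
203.0.113.5 "POST /api/zipdeploy" 200 origin="https://myapp.scm.azurewebsites.net" sfs="same-origin"
198.51.100.7 "POST /api/zipdeploy" 200 origin="https://attacker.example" sfs="cross-site"
198.51.100.7 "POST /api/zipdeploy" 200 origin="https://myapp.scm.azurewebsites.net.attacker.example" sfs=""
203.0.113.9 "GET /api/zipdeploy" 200 origin="" sfs="none"
203.0.113.5 "POST /api/zipdeploy" 200 origin="" sfs=""
"""


def find_cross_site_deploys(log_text: str) -> List[Tuple[str, str, str]]:
    """Return (ip, path, origin-or-<none>) for every state-changing request flagged as cross-site."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # unparsable line; a real pipeline would count these
        headers: Dict[str, str] = {}
        if m["origin"]:
            headers["Origin"] = m["origin"]
        if m["sfs"]:
            headers["Sec-Fetch-Site"] = m["sfs"]
        if is_cross_site(m["method"], m["path"], headers):
            hits.append((m["ip"], m["path"], m["origin"] or "<none>"))
    return hits


if __name__ == "__main__":
    for hit in find_cross_site_deploys(SAMPLE_LOG):
        print("cross-site deploy:", hit)
```

Three of the five constructed lines are flagged: the two from the foreign origins (the look-alike host fails the exact-match comparison even though it contains the allowed host name as a prefix) and the cookie-authenticated POST that carries no origin information, which the guard rejects rather than assumes benign. Deploy tooling that authenticates with an explicit bearer token is left alone, since CSRF only works with credentials the browser attaches on its own.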
The impact of the vulnerability on the organization as a whole depends on the permissions of the application's managed identity, so the best defensive measure against it is to enforce least privilege for all accounts, system and user alike.
The Ermetic researchers published their findings just days after another research firm, Orca Security, disclosed four server-side request forgery (SSRF) exploits that could take advantage of flaws in Azure Machine Learning, Azure API Management, Azure Functions, and Azure Digital Twins.
Webcheck Security understands how difficult it can be to maintain a healthy security program in the modern age, especially with a scarcity of security specialists and with vulnerability announcements becoming more frequent. Contact us to discuss how our consulting security experts can help your organization reach a safer operating state.