Security News > 2023 > January > New Microsoft Azure Vulnerability Uncovered — EmojiDeploy for RCE Attacks
A new critical remote code execution flaw discovered impacting multiple services related to Microsoft Azure could be exploited by a malicious actor to completely take control of a targeted application.
"By abusing the vulnerability, attackers can deploy malicious ZIP files containing a payload to the victim's Azure application."
The Israeli cloud infrastructure security firm, which dubbed the shortcoming EmojiDeploy, said it could further enable the theft of sensitive data and lateral movement to other Azure services.
The Windows maker describes Kudu as the "Engine behind a number of features in Azure App Service related to source control based deployment, and other deployment methods like Dropbox and OneDrive sync."
In a hypothetical attack chain devised by Ermetic, an adversary could exploit the CSRF vulnerability in the Kudu SCM panel to defeat safeguards put in place to thwart cross-origin attacks by issuing a specially crafted request to the "/api/zipdeploy" endpoint to deliver a malicious archive and gain remote access.
The findings come days after Orca Security revealed four instances of server-side request forgery attacks impacting Azure API Management, Azure Functions, Azure Machine Learning, and Azure Digital Twins.
News URL
https://thehackernews.com/2023/01/new-microsoft-azure-vulnerability.html
Related news
- SolarWinds Issues Patch for Critical ARM Vulnerability Enabling RCE Attacks (source)
- Microsoft says it broke some Windows 10 patching – as it fixes flaws under attack (source)
- Week in review: Veeam Backup & Replication RCE could soon be exploited, Microsoft fixes 4 0-days (source)
- Windows vulnerability abused braille “spaces” in zero-day attacks (source)
- Ransomware gangs now abuse Microsoft Azure tool for data theft (source)
- Microsoft Identifies Storm-0501 as Major Threat in Hybrid Cloud Ransomware Attacks (source)
- Critical Zimbra RCE vulnerability under mass exploitation (CVE-2024-45519) (source)
- Critical Ivanti RCE flaw with public exploit now used in attacks (source)
- DOJ, Microsoft seize 107 domains used in Russia's Star Blizzard phishing attacks (source)
- Microsoft and DOJ disrupt Russian FSB hackers' attack infrastructure (source)