IT Pro is supported by its audience. When you purchase through links on our site, we may earn an affiliate commission. Learn more

Check Point spots two flaws in Microsoft Azure

However, the vulnerabilities in Azure Stack and App Service were patched last year

Check Point security researchers spotted flaws in Microsoft Azure that could have let hackers take control over the cloud servers.

The work was part of a wider project looking at cloud infrastructure, dubbed "Attack the Cloud", in which Check Point wants to "break the assumption that cloud infrastructures are secure".

With Microsoft Azure, the researchers spotted two flaws. The first was in Azure Stack, and could have let criminals take screenshots or see other sensitive information by taking advantage of a vulnerability in the "DataService" function, which didn't require authentication.

"This security flaw would enable a hacker to get sensitive information of any business that has its machine running on Azure," the researchers said.

"In order to execute the exploitation, a hacker would first gain access to the Azure Stack Portal, enabling that person to send unauthenticated HTTP requests that provide screenshots and information about tenants and infrastructure machines."

The second flaw was in the Azure App Service, where businesses provision and deploy apps and business processes, and could have allowed hackers to take control of a server.

"The end result would be that a hacker could potentially take control over the entire Azure server, and consequently take control over all your business code," the researchers said.

The researchers could get into applications, see data and take over accounts by creating a free user in Azure Cloud and running malicious functions.

"Exploiting this vulnerability in all of the plans could allow us to compromise Microsoft’s App Service infrastructure," the researchers explain. "However, exploiting it specifically on a Free/Shared plan could also allow compromising other tenant apps, data, and account."

Check Point disclosed the findings to Microsoft in January and June last year, with patches for both issued at the end of 2019. The first flaw was awarded $5,000 from Microsoft's bug bounty programme; the second earned $40,000.

The researchers emphasised in a report on the second flaw that while the cloud is "considered safe", it can still have vulnerabilities: "The cloud is not a magical place."

Featured Resources

Activation playbook: Deliver data that powers impactful, game-changing campaigns

Bringing together data and technology to drive better business outcomes

Free Download

In unpredictable times, a data strategy is key

Data processes are crucial to guide decisions and drive business growth

Free Download

Achieving resiliency with Everything-as-a-Service (XAAS)

Transforming the enterprise IT landscape

Free Download

What is contextual analytics?

Creating more customer value in HR software applications

Free Download

Recommended

Cloud security market to hit $106 billion by 2029
cloud computing

Cloud security market to hit $106 billion by 2029

11 Apr 2022
Alkira offers Check Point CloudGuard Security to secure virtual cloud networks
Cloud

Alkira offers Check Point CloudGuard Security to secure virtual cloud networks

29 Sep 2021
Iboss protects web sessions with remote browser isolation
Cloud

Iboss protects web sessions with remote browser isolation

16 Aug 2021
Most CISOs worry cloud software flaws aren’t being caught
cloud security

Most CISOs worry cloud software flaws aren’t being caught

7 Jun 2021

Most Popular

16 ways to speed up your laptop
Laptops

16 ways to speed up your laptop

13 May 2022
Preparing for the 3G sunset
Network & Internet

Preparing for the 3G sunset

18 May 2022
(ISC)2 launches free scheme to get 100,000 UK citizens into cyber security
Careers & training

(ISC)2 launches free scheme to get 100,000 UK citizens into cyber security

17 May 2022