Check Point spots two flaws in Microsoft Azure

However, the vulnerabilities in Azure Stack and App Service were patched last year

Azure interface

Check Point security researchers spotted flaws in Microsoft Azure that could have let hackers take control over the cloud servers.

The work was part of a wider project looking at cloud infrastructure, dubbed "Attack the Cloud", in which Check Point wants to "break the assumption that cloud infrastructures are secure".

Advertisement - Article continues below

With Microsoft Azure, the researchers spotted two flaws. The first was in Azure Stack, and could have let criminals take screenshots or see other sensitive information by taking advantage of a vulnerability in the "DataService" function, which didn't require authentication.

"This security flaw would enable a hacker to get sensitive information of any business that has its machine running on Azure," the researchers said.

"In order to execute the exploitation, a hacker would first gain access to the Azure Stack Portal, enabling that person to send unauthenticated HTTP requests that provide screenshots and information about tenants and infrastructure machines."

The second flaw was in the Azure App Service, where businesses provision and deploy apps and business processes, and could have allowed hackers to take control of a server.

"The end result would be that a hacker could potentially take control over the entire Azure server, and consequently take control over all your business code," the researchers said.

Advertisement
Advertisement - Article continues below
Advertisement - Article continues below

The researchers could get into applications, see data and take over accounts by creating a free user in Azure Cloud and running malicious functions.

"Exploiting this vulnerability in all of the plans could allow us to compromise Microsoft’s App Service infrastructure," the researchers explain. "However, exploiting it specifically on a Free/Shared plan could also allow compromising other tenant apps, data, and account."

Check Point disclosed the findings to Microsoft in January and June last year, with patches for both issued at the end of 2019. The first flaw was awarded $5,000 from Microsoft's bug bounty programme; the second earned $40,000.

The researchers emphasised in a report on the second flaw that while the cloud is "considered safe", it can still have vulnerabilities: "The cloud is not a magical place."

Featured Resources

Staying ahead of the game in the world of data

Create successful marketing campaigns by understanding your customers better

Download now

Remote working 2020: Advantages and challenges

Discover how to overcome remote working challenges

Download now

Keep your data available with snapshot technology

Synology’s solution to your data protection problem

Download now

After the lockdown - reinventing the way your business works

Your guide to ensuring business continuity, no matter the crisis

Download now
Advertisement

Recommended

Infostretch is now an AWS advanced consulting partner
Amazon Web Services (AWS)

Infostretch is now an AWS advanced consulting partner

4 Aug 2020
Ingram Micro joins Red Hat Certified Cloud and Service Provider program
Cloud

Ingram Micro joins Red Hat Certified Cloud and Service Provider program

9 Jun 2020
Matt Gallatin joins Reltio as its chief financial officer
Cloud

Matt Gallatin joins Reltio as its chief financial officer

5 Jun 2020
Hackers are wreaking havoc on Google’s Cloud infrastructure
hacking

Hackers are wreaking havoc on Google’s Cloud infrastructure

1 Jun 2020

Most Popular

How to find RAM speed, size and type
Laptops

How to find RAM speed, size and type

3 Aug 2020
How to use Chromecast without Wi-Fi
Mobile

How to use Chromecast without Wi-Fi

4 Aug 2020
How do I fix the Windows 10 Start Menu if it's frozen?
operating systems

How do I fix the Windows 10 Start Menu if it's frozen?

3 Aug 2020