Check Point spots two flaws in Microsoft Azure

However, the vulnerabilities in Azure Stack and App Service were patched last year

Azure interface

Check Point security researchers spotted flaws in Microsoft Azure that could have let hackers take control over the cloud servers.

The work was part of a wider project looking at cloud infrastructure, dubbed "Attack the Cloud", in which Check Point wants to "break the assumption that cloud infrastructures are secure".

With Microsoft Azure, the researchers spotted two flaws. The first was in Azure Stack, and could have let criminals take screenshots or see other sensitive information by taking advantage of a vulnerability in the "DataService" function, which didn't require authentication.

"This security flaw would enable a hacker to get sensitive information of any business that has its machine running on Azure," the researchers said.

"In order to execute the exploitation, a hacker would first gain access to the Azure Stack Portal, enabling that person to send unauthenticated HTTP requests that provide screenshots and information about tenants and infrastructure machines."

The second flaw was in the Azure App Service, where businesses provision and deploy apps and business processes, and could have allowed hackers to take control of a server.

"The end result would be that a hacker could potentially take control over the entire Azure server, and consequently take control over all your business code," the researchers said.

The researchers could get into applications, see data and take over accounts by creating a free user in Azure Cloud and running malicious functions.

"Exploiting this vulnerability in all of the plans could allow us to compromise Microsoft’s App Service infrastructure," the researchers explain. "However, exploiting it specifically on a Free/Shared plan could also allow compromising other tenant apps, data, and account."

Check Point disclosed the findings to Microsoft in January and June last year, with patches for both issued at the end of 2019. The first flaw was awarded $5,000 from Microsoft's bug bounty programme; the second earned $40,000.

The researchers emphasised in a report on the second flaw that while the cloud is "considered safe", it can still have vulnerabilities: "The cloud is not a magical place."

Featured Resources

Unleashing the power of AI initiatives with the right infrastructure

What key infrastructure requirements are needed to implement AI effectively?

Download now

Achieve today. Plan tomorrow. Making the hybrid multi-cloud journey

A Veritas webinar on implementing a hybrid multi-cloud strategy

Download now

A buyer’s guide for cloud-based phone solutions

Finding the right phone system for your modern business

Download now

The workers' experience report

How technology can spark motivation, enhance productivity and strengthen security

Download now

Recommended

Microsoft unveils its new retail-focused cloud service
Cloud

Microsoft unveils its new retail-focused cloud service

14 Jan 2021
Private cloud investment boosting hybrid cloud push
hybrid cloud

Private cloud investment boosting hybrid cloud push

14 Jan 2021
Getting started with Azure Red Hat OpenShift
Whitepaper

Getting started with Azure Red Hat OpenShift

6 Jan 2021
Cloudflare launches web hosting service Cloudflare Pages
web development

Cloudflare launches web hosting service Cloudflare Pages

18 Dec 2020

Most Popular

WhatsApp could face €50 million GDPR fine
General Data Protection Regulation (GDPR)

WhatsApp could face €50 million GDPR fine

25 Jan 2021
How to move Windows 10 from your old hard drive to SSD
operating systems

How to move Windows 10 from your old hard drive to SSD

21 Jan 2021
What is a 502 bad gateway and how do you fix it?
web hosting

What is a 502 bad gateway and how do you fix it?

12 Jan 2021