Microsoft patches Azure Stack and App Service security flaws

Written by Tue 4 Feb 2020

Flaws discovered by cyber security firm Check Point

Researchers at Check Point have identified two major security flaws in Azure that could have allowed hackers to access sensitive data on on-premises machines running Azure or take over Azure servers in the cloud.

The first flaw in Azure Stack, Microsoft’s hybrid cloud platform that allows companies to launch Azure services from their data centres, could have been exploited by hackers to access screenshots and other sensitive information about on-premises machines running Azure.

Once the flaw was identified, Check Point researchers were able to extract this information from Azure tenants and infrastructure machines. However, for a hacker to reproduce the company’s exploits, they would first require access to the Azure Stack Portal, in order to send authenticated HTTP requests.

The Azure App Service bug was just as nasty, but took a different route, affecting Azure servers in the cloud. The flaw would have enabled a hacker to take over an Azure server and steal an organisation’s entire business code.

Azure App Service is a fully managed “Platform as a Service” (PaaS) that enables organisations to build and host web apps, mobile back ends, and RESTful APIs in the programming language of their choice, without managing infrastructure.

Hackers could have exploited the App Service vulnerability to compromise tenant applications, data and accounts by creating a free user in Azure Cloud and executing malicious Azure functions.

Check Point reported both flaws to Microsoft and together they patched the flaws last year before they could be exploited by hackers.

“The cloud is not a magical place,” wrote the researchers. “Although it is considered safe, it is ultimately an infrastructure that consists of code that can have vulnerabilities.”

Microsoft hasn’t released much in the way of sales figures for Azure Stack since it launched in 2017. According to the Azure roadmap site, there were no feature additions to the product between November 2018 and September 2019. It is understood that Microsoft is substantially rearchitecting Azure Stack to make the platform more modular, in a project codenamed “Project Saturn.”
