One of the reasons why some organizations prefer hybrid cloud services like Microsoft Azure Stack is the option to keep sensitive data on-premises, securely.
But Check Point Research analysts exposed two critical security vulnerabilities in the on-prem platform some time back, and they have now released a report detailing how they did it.
Some service requests required no validation in Azure Stack
The researchers were able to demonstrate how a malicious actor could exploit a seemingly minor oversight in software design to cause serious trouble.
They were surprised to discover that some requests in Azure did not require authentication. That vulnerability made it possible for them to access specific internal Azure Stack resources.
In our case, because DataService didn’t require authentication, this eventually allowed us to get screenshots and information about tenants and infrastructure machines.
The second security issue they identified is server-side request forgery (SSRF). This flaw enabled them to take advantage of the lack of request validation in Azure by deploying a specially crafted request via the platform’s user portal.
How they pulled it off
The analysts started by setting up Azure Stack on their own computer to create a private cloud. They then identified “DataService” as one of the services on the platform that required no validation.
Upon further exploration of APIs, they discovered they could obtain a lot of information on Azure Stack machines, such as device ID and system specifications.
Ultimately, the researchers could invoke certain functions and take screenshots on specific machines. By executing an SSRF breach, they managed to access “DataService” and deliver a screenshot request without any server-side hindrance.
Azure Stack customers no longer have to worry over the spoofing threat because Microsoft provided a security update for it. Still, one can’t help but wonder if the Azure public cloud ever had the same problem, considering that it shares similar features with the on-prem alternative.
Check Point Research could not subject Microsoft’s public cloud infrastructure to a similar test due to the complications involved.
Azure has come a long way, nonetheless. Based on its financial performance for the second quarter, the product is vital to Microsoft’s overall revenue growth.
Hopefully, the public cloud solution does validate all service requests to minimize the risk of SSRF intrusion.