Severe Vulnerabilities Reported in Microsoft Azure Bastion and Container Registry
14.6.23 Vulnerability The Hacker News
Two "dangerous" security vulnerabilities have been disclosed in Microsoft Azure Bastion and Azure Container Registry that could have been exploited to carry out cross-site scripting (XSS) attacks.
"The vulnerabilities allowed unauthorized access to the victim's session within the compromised Azure service iframe, which can lead to severe consequences, including unauthorized data access, unauthorized modifications, and disruption of the Azure services iframes," Orca security researcher Lidor Ben Shitrit said in a report shared with The Hacker News.
XSS attacks take place when threat actors inject arbitrary code into an otherwise trusted website, which then gets executed every time unsuspecting users visit the site.
The two flaws identified by Orca leverage a weakness in how the affected iframes handle postMessage, the browser API that enables cross-origin communication between Window objects.
This meant that the shortcoming could be abused to embed endpoints within remote servers using the iframe tag and ultimately execute malicious JavaScript code, leading to the compromise of sensitive data.
However, in order to exploit these weaknesses, a threat actor would have to conduct reconnaissance on different Azure services to single out vulnerable endpoints embedded within the Azure portal that may have missing X-Frame-Options headers or weak Content Security Policies (CSPs).
"Once the attacker successfully embeds the iframe in a remote server, they proceed to exploit the misconfigured endpoint," Ben Shitrit explained. "They focus on the postMessage handler, which handles remote events such as postMessages."
By analyzing the legitimate postMessages sent to the iframe from portal.azure[.]com, the adversary could subsequently craft appropriate payloads by embedding the vulnerable iframe in an actor-controlled server (e.g., ngrok) and creating a postMessage handler that delivers the malicious payload.
Thus, when a victim is lured into visiting the compromised endpoint, the "malicious postMessage payload is delivered to the embedded iframe, triggering the XSS vulnerability and executing the attacker's code within the victim's context."
In a proof-of-concept (PoC) demonstrated by Orca, a specially crafted postMessage was found to be able to manipulate the Azure Bastion Topology View SVG exporter or Azure Container Registry Quick Start to execute an XSS payload.
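The two conditions the article describes, an endpoint that any origin can frame and a postMessage handler that trusts whatever it receives, are illustrated below in an added example that is not Orca's PoC or any Azure code: the weak handler pattern next to a hardened one, plus a defender's check of the framing headers. It assumes the only legitimate parent origin is https://portal.azure.com and stands in a plain object for the DOM element so it runs outside a browser.

```javascript
// Added example (not Orca's PoC, not Azure code). Assumption: the only
// legitimate parent origin for the embedded page is https://portal.azure.com.
const TRUSTED_PARENT_ORIGINS = new Set(["https://portal.azure.com"]);

// Weak handler: no event.origin check, and message data is written as HTML,
// so a page on any origin that frames this one can inject markup.
function weakHandleMessage(event, sink) {
  sink.innerHTML = String(event.data);
  return true;
}

// Hardened handler: allowlist event.origin, validate the message shape,
// and render untrusted strings as text rather than markup.
function hardenedHandleMessage(event, sink) {
  if (!TRUSTED_PARENT_ORIGINS.has(event.origin)) return false;
  const msg = event.data;
  if (typeof msg !== "object" || msg === null) return false;
  if (msg.type !== "setTitle" || typeof msg.title !== "string") return false;
  sink.textContent = msg.title;
  return true;
}

// Defender's check: given an endpoint's response headers, could an arbitrary
// origin frame it? Framing is blocked by X-Frame-Options DENY/SAMEORIGIN or by
// a CSP frame-ancestors directive that names no wildcard or bare scheme source.
function isFramableByAnyOrigin(headers) {
  const h = Object.fromEntries(
    Object.entries(headers).map(([k, v]) => [k.toLowerCase(), v]));
  const xfo = (h["x-frame-options"] || "").trim().toUpperCase();
  if (xfo === "DENY" || xfo === "SAMEORIGIN") return false;
  const csp = h["content-security-policy"] || "";
  const fa = csp.split(";").map((d) => d.trim())
    .find((d) => d.startsWith("frame-ancestors"));
  if (!fa) return true; // no frame-ancestors and no XFO: framable by anyone
  const sources = fa.split(/\s+/).slice(1);
  return sources.some((s) => s === "*" || s === "https:" || s === "http:");
}

// Minimal stand-in for a DOM element so the example runs in Node (constructed).
function makeSink() {
  return { innerHTML: "", textContent: "" };
}
```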
Following responsible disclosure of the flaws on April 13 and May 3, 2023, Microsoft rolled out security fixes to remediate them. No further action is required on the part of Azure users.
The disclosure comes more than a month after Microsoft plugged three vulnerabilities in the Azure API Management service that could be abused by malicious actors to gain access to sensitive information or backend services.