Barely days after Microsoft found and fixed a security flaw on Windows 10 that led to spoofing vulnerability, here comes news that the company have found a loophole on the Azure network that could hand over screenshots and other sensitive information to hackers about machines running the cloud computing network.
But, no need to panic as the company joined hands with Check Point, a global provider of software and hardware for IT security and network security to fix the issues. In a statement, Check Point said the first flaw found in the Azure Stack enabled hackers to gain data from machines while the second was found on the Azure App Service that could potentially allow hackers to gain total control of the Azure server.
The Azure Stack Flaw
Azure Stack is a cloud computing software solution developed by Microsoft that is designed to help enterprises deliver Azure services from their own data centre. Microsoft created the Azure Stack as a way to help organisations embrace hybrid cloud computing on their own terms by harnessing the power of the cloud, while still being able to address business and technical considerations like regulations, data sovereignty, customisation and latency.
Check Point researchers were able to take screenshots and lift sensitive information of Azure tenants and infrastructure machines. This security flaw would enable a hacker to get sensitive information of any business that has its machine running on Azure.
In order to execute the exploitation, a hacker would first gain access to the Azure Stack Portal, enabling that person to send unauthenticated HTTP requests that provide screenshots and information about tenants and infrastructure machines.
The Azure App Flaw
Azure App Service is a fully managed “Platform as a Service” (PaaS) that integrates Microsoft Azure Websites, Mobile Services, and other services into a single service, adding new capabilities that enable integration with on-premises or cloud systems.
Azure App Service gives users several capabilities such as provisioning and deploying web and mobile apps, build engaging iOS, Android, and Windows apps, automating business processes with a visual design experience, and integrating with “Software as a Service” (SaaS) applications like Salesforce, Marketo and DropBox.
Researchers at Check Point were able to prove that a hacker could compromise tenant applications, data, and accounts by creating a free user in Azure Cloud and running malicious Azure functions. The end result would be that a hacker could potentially take control over the entire Azure server, and consequently take control over all your business code.
Check Point’s Research Process
Check Point researchers began by installing Azure Stack Development Kit (ASDK) on their own servers. After ASDK was installed, Check Point researchers mapped the places they thought they might find vulnerabilities around. Since Azure Stack has similar features to Azure’s public cloud, Check Point researchers focused on those vectors.
Ironically, these disclosures from Check Point came at the time when Microsoft CEO Satya Nadella was informing stakeholders during the quarterly earnings call about the importance of keeping the Azure Cloud secure. “We are the only company that offers integrated end-to-end identity, security and compliance solutions to protect people and organizations, spanning identity management, devices, cloud apps, data and infrastructure,” he had said.