A set of techniques that takes advantage of misconfigurations and weak security controls in a popular Azure service is drawing attention to cloud security visibility: without a clear view of the security risks, cloud platforms become more exposed than they need to be.
Ermetic’s research team found a vulnerability, dubbed EmojiDeploy, in Azure cloud services and other sovereign clouds that allows remote code execution in:-
The EmojiDeploy vulnerability can be exploited through CSRF against Kudu, the widely used SCM service. Attackers can abuse it to deploy harmful zip files containing malicious payloads to their victims’ Azure applications.
Abilities of the EmojiDeploy Vulnerability
By exploiting EmojiDeploy, threat actors can execute code remotely and take full control of an application:-
Exploiting this vulnerability allows remote code execution and full control of the target application. The impact on the organization as a whole depends on the permissions granted to the application’s managed identity.
To reduce the blast radius, it is crucial to apply the principle of least privilege to those permissions.
Timeline
The complete disclosure timeline is as follows:-
Exploiting the vulnerability requires the following:-
Ultimately this procedure leads the attacker to remote code execution. The EmojiDeploy attack can be launched from a browser, but it only works when SCM or Microsoft account cookies are present in the browser that issues the request.
As Ermetic found, the attack exploited an insecure cookie configuration for Source Code Manager (SCM). Two controls that the Azure service sets to Lax by default are:-
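The root cause the article points at is a cookie policy (SameSite=Lax) that lets a browser attach the SCM session cookie to some cross-site requests, combined with a state-changing deploy endpoint that trusts the cookie alone. The block below is an added example, not code from the article, Ermetic, Microsoft or Kudu: it models when a browser attaches a cookie under each SameSite value, and shows the server-side checks (exact Origin/Referer match plus a per-session synchronizer token) that reject a forged request even when the cookie does arrive. The origin `https://example-app.scm.example.net`, the endpoint `/api/zipdeploy`, the cookie name `SCMSESSION` and the `Request` model are all assumptions constructed for the demo.

```python
import hmac
import secrets
from dataclasses import dataclass, field
from typing import Dict, Tuple
from urllib.parse import urlsplit

# Assumed values for the demo; not taken from the article or from Kudu.
SCM_ORIGIN = "https://example-app.scm.example.net"
DEPLOY_PATH = "/api/zipdeploy"  # hypothetical state-changing deploy endpoint


@dataclass
class Request:
    """Minimal stand-in for an HTTP request as the deploy endpoint would see it."""
    method: str
    path: str
    headers: Dict[str, str] = field(default_factory=dict)
    cookies: Dict[str, str] = field(default_factory=dict)
    form: Dict[str, str] = field(default_factory=dict)


def browser_sends_cookie(samesite: str, cross_site: bool, method: str, top_level_nav: bool) -> bool:
    """Approximates browser behaviour for a cookie's SameSite attribute.
    Strict: never attached to cross-site requests.
    Lax: attached cross-site only on top-level navigations with a safe method (GET/HEAD).
    None: always attached (must also be Secure)."""
    if not cross_site:
        return True
    policy = samesite.lower()
    if policy == "strict":
        return False
    if policy == "lax":
        return top_level_nav and method.upper() in ("GET", "HEAD")
    return True  # SameSite=None


def set_cookie_header(name: str, value: str, samesite: str = "Strict") -> str:
    """Builds the Set-Cookie value; Strict is the hardened choice, Lax the weak default."""
    return f"{name}={value}; Path=/; Secure; HttpOnly; SameSite={samesite}"


def issue_session(samesite: str = "Strict") -> Tuple[Dict[str, str], str]:
    """Creates a session plus a per-session CSRF token (synchronizer token pattern)."""
    session = {"id": secrets.token_urlsafe(16), "csrf": secrets.token_urlsafe(32)}
    return session, set_cookie_header("SCMSESSION", session["id"], samesite)


def request_origin(req: Request) -> str:
    """Normalises Origin (or Referer) to scheme://host so a prefix like
    https://example-app.scm.example.net.evil.example cannot pass."""
    raw = req.headers.get("Origin") or req.headers.get("Referer") or ""
    parts = urlsplit(raw)
    if not parts.scheme or not parts.netloc:
        return ""
    return f"{parts.scheme}://{parts.netloc}"


def authorize_deploy(req: Request, session: Dict[str, str]) -> Tuple[bool, str]:
    """Server-side defences that do not rely on the cookie policy alone."""
    if req.method.upper() != "POST" or req.path != DEPLOY_PATH:
        return False, "deploy requires POST to the deploy path"
    if req.cookies.get("SCMSESSION") != session["id"]:
        return False, "no valid session cookie"
    if request_origin(req) != SCM_ORIGIN:
        return False, "origin mismatch"
    if not hmac.compare_digest(req.form.get("csrf_token", ""), session["csrf"]):
        return False, "missing or wrong CSRF token"
    return True, "ok"


def forged_cross_site_post(samesite: str) -> Tuple[bool, str]:
    """Models a POST to the deploy endpoint triggered from another site, with the
    browser deciding under `samesite` whether the victim's cookie is attached."""
    session, _ = issue_session(samesite)
    cookies = {}
    if browser_sends_cookie(samesite, cross_site=True, method="POST", top_level_nav=True):
        cookies["SCMSESSION"] = session["id"]
    req = Request("POST", DEPLOY_PATH, headers={"Origin": "https://other-site.example"},
                  cookies=cookies, form={})
    return authorize_deploy(req, session)


def legitimate_deploy() -> Tuple[bool, str]:
    """A same-origin deploy carrying both the cookie and the CSRF token."""
    session, _ = issue_session()
    req = Request("POST", DEPLOY_PATH, headers={"Origin": SCM_ORIGIN},
                  cookies={"SCMSESSION": session["id"]},
                  form={"csrf_token": session["csrf"]})
    return authorize_deploy(req, session)


if __name__ == "__main__":
    print("legitimate:", legitimate_deploy())
    for policy in ("Lax", "Strict", "None"):
        print(f"cross-site POST with SameSite={policy}:", forged_cross_site_post(policy))
```

The point of the two layers is that the cookie attribute is a browser-side courtesy, not a server-side guarantee: with SameSite=None the forged request arrives with the cookie and is still refused by the origin comparison and the token check, and a defender reviewing an SCM-style endpoint should expect to find both of those checks, not just a Lax cookie.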
MSRC has resolved the EmojiDeploy issue, but it is still recommended to take preventive measures against similar vulnerabilities and against abuse of SCM capabilities in the future.
The Microsoft Security Response Center (MSRC) took quick action to resolve the vulnerability while conducting a thorough investigation. The team at MSRC worked diligently to fix the issue as soon as they could.
They understood the importance of a timely resolution to ensure the security of their users and the integrity of the system. The MSRC team carried out a deep investigation to identify the root cause and come up with a solution that not only addresses the vulnerability but also prevents it from happening again in the future.
Microsoft acknowledged EmojiDeploy as a Remote Code Execution (RCE) vulnerability and recognized the discovery with a substantial reward.
Microsoft has a program that rewards security researchers who responsibly disclose vulnerabilities, and EmojiDeploy was considered a severe vulnerability that needed to be addressed as soon as possible.
The company awarded a bounty of $30,000 to the Ermetic research team that reported this vulnerability. The award is a testament to the importance of the finding and the value of the researchers’ contribution to making the platform more secure for everyone.
This kind of program encourages researchers to identify and report vulnerabilities, which in turn helps to make Microsoft’s products and services more secure for customers.