A bug in the Microsoft Azure portal’s javascript parsing let security researchers steal the access tokens of an external organization. The tech giant managed to fix the issue before there were any public reports.
Microsoft beat security researchers to the ball in a dangerous Azure vulnerability. A CyberArk blog post titled ‘I Know What Azure Did Last Summer’ discloses a bug in the tech giant’s cloud platform that was exploitable for up to two weeks.
According to researcher Omer Tsarfari, the September issue lay in the way the Azure portal was parsing JavaScript that’s used in the Azure Portal’s Extension Manifest. An attacker with a HTTP server with the “urehubs” hostname and a signed root CA certificate could grab the access tokens of anyone who logged into the Azure portal.
The researchers were able to exploit this bug in the wild to grab an Azure token from an external organization. As a precaution, CyberArk then bought 72 urehub domains with various suffixes. Tsarfari says the bug could have led to complete takeovers of Azure environments.
“While there is a lot of honey in the Cloud Computing solutions, there is also a sting to be aware of. Relying on “someone else’s computer” also means relying on someone else’s security measures. We’ve seen a lot of attacks that have focused on cloud configuration weaknesses – and seeing and understanding these vulnerabilities helps us fortify our cloud environments,” he cautioned. “But, what about the vulnerabilities we don’t know of? Are we ready for those?”
A Speedy Fix
Thankfully, Microsoft also took action. The organization says it managed to discover and fix the bug before the researchers could report it.
“This issue was identified internally and we deployed a fix to address it,” a spokesperson told ThreatPost.
Tsarfati tells a different story. According to ThreatPost, he wrote that Microsoft’s fix of the vulnerability, just a day after his frim created a working POC, was unintentional. The company added three lines of code, adding a URL to the JavaScript file’s HREF attribute that mitigated the issue. This was all done server-side, so admins have no need to worry if they haven’t been attacked already. However, Tsarfarti believes Microsoft’s indecision when it comes to URI schema could still come back to bite in the future.
“Regarding the URI formats in the ExtensionsManifest, I think that it might be worth sticking to one URI format, as not doing that could be a root cause for many other bugs that could pop up over time,” he said.
