Azure’s XSS Vulnerabilities Expose User Sessions to Unauthorized Access

XSS Vulnerabilities in Azure Led to Unauthorized Access to User Sessions

Introduction

In a recent report, cloud security firm Orca identified, and Microsoft resolved, two cross-site scripting (XSS) vulnerabilities in Azure Bastion and Azure Container Registry (ACR) that could have led to unauthorized access to user sessions, data tampering, and service disruptions. The vulnerabilities, discovered in April and May 2023, stemmed from a weakness in how postMessage communication with iframes was handled: an attacker could embed the affected endpoints in a remote server using an iframe tag and execute malicious JavaScript code.

Azure Bastion Vulnerability

Azure Bastion serves as a hardened gateway to provide access to virtual machines by creating a private remote desktop protocol (RDP) or secure shell (SSH) session between the local machine and the Azure VM. The vulnerability in Azure Bastion was found in the Azure Network Watcher connection troubleshooter. Due to incorrectly implemented validation checks, an attacker could craft an HTML page that, when rendered in the victim’s browser, would lead to code execution. Orca identified multiple security weaknesses that contributed to the vulnerability, allowing an attacker to automate the execution of a malicious SVG payload on behalf of the victim.

Azure Container Registry Vulnerability

Azure Container Registry is a managed cloud service that enables users to deploy, manage, and store container images from a centralized location. The vulnerability in ACR was discovered in an HTML code snippet on an unused web page that shipped as part of ACR's Azure Portal extension; Orca's testing identified the HTML file that allowed code injection. Orca found that the portal's main page contained an iframe that communicated with this HTML file via postMessage, and that the communication was exploitable because the receiving side never checked the message's origin.
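Both findings above come down to the same pattern: a page accepts postMessage data from an iframe and acts on it without validating where it came from or what it contains. The following is an added illustration, not Orca's proof-of-concept or Microsoft's code; the origin allow-list, the message shape and the sink object are constructed for the example, and the listener is written as plain functions so it runs outside a browser.

```javascript
// Constructed allow-list: only these origins may post messages to this frame.
const TRUSTED_ORIGINS = new Set(["https://portal.example.test"]);

// Stand-in for a DOM element so the example runs without a browser.
function makeSink() {
  return { innerHTML: "", textContent: "" };
}

// Vulnerable pattern (the class of bug described above): every origin is
// accepted and the payload is written as markup, so script-bearing HTML or
// SVG from a hostile frame is parsed and executed in the victim's session.
function handleMessageInsecure(event, sink) {
  sink.innerHTML = event.data.html;
  return true;
}

// Hardened pattern: reject unknown origins, require the expected payload
// shape, and insert the value as text so it is never parsed as markup.
function handleMessageSecure(event, sink) {
  if (!TRUSTED_ORIGINS.has(event.origin)) {
    return false; // drop (and ideally log) messages from unlisted origins
  }
  const data = event.data;
  if (typeof data !== "object" || data === null || typeof data.text !== "string") {
    return false; // unexpected shape; do not touch the DOM
  }
  sink.textContent = data.text;
  return true;
}

// If markup must be built from a string, escape it first.
function escapeHtml(s) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return s.replace(/[&<>"']/g, (c) => map[c]);
}

// Wire the hardened handler up when running in a real page.
if (typeof window !== "undefined") {
  window.addEventListener("message", (e) => handleMessageSecure(e, document.body));
}

// Demonstration with a constructed message from an untrusted origin.
function demo() {
  const markup = "<svg><!-- untrusted markup --></svg>";
  const hostile = { origin: "https://attacker.example.test", data: { html: markup, text: markup } };
  const a = makeSink(), b = makeSink();
  const insecureAccepted = handleMessageInsecure(hostile, a);
  const secureAccepted = handleMessageSecure(hostile, b);
  return { insecureAccepted, secureAccepted, insecureHtml: a.innerHTML, secureText: b.textContent };
}
```

Running `demo()` shows the insecure handler writing the hostile markup into the page while the hardened handler discards the message before it reaches the DOM.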

Microsoft’s Response

Orca reported the XSS vulnerabilities in Azure Bastion and Azure Container Registry to Microsoft, and the company was able to reproduce them. Microsoft addressed the issues by updating the Azure Network Watcher file in Azure Bastion to remove the vulnerable line of code. For Azure Container Registry, the ACR engineering team removed the vulnerable file after determining that the vulnerable HTML page was legacy code and not used as part of the current Azure Portal experience. Microsoft has stated that it has no evidence of these vulnerabilities being exploited in attacks other than the proof-of-concept (PoC) code provided by Orca.

Editorial and Analysis

The discovery of XSS vulnerabilities in Azure Bastion and Azure Container Registry raises concerns about the security of cloud services. XSS vulnerabilities can allow attackers to inject malicious code into web applications and potentially gain unauthorized access to user sessions and sensitive data. This incident highlights the importance of conducting regular security audits and vulnerability assessments to identify and address any potential weaknesses in cloud infrastructure.

It is commendable that Orca responsibly disclosed the vulnerabilities to Microsoft, allowing the company to take prompt action to resolve the issues. Microsoft’s quick response in addressing the vulnerabilities shows their commitment to maintaining the security of their Azure platform.

However, the fact that these vulnerabilities were present in Azure Bastion and Azure Container Registry exposes the challenges companies face in ensuring the security of their cloud services. Despite rigorous security measures, vulnerabilities can still be overlooked or introduced inadvertently. This incident should serve as a reminder for all cloud service providers and users to remain vigilant and proactive in identifying and addressing security vulnerabilities.

Internet Security and Best Practices

To mitigate the risk of XSS vulnerabilities and unauthorized access in cloud environments, organizations and users should adhere to best practices and implement robust security measures:

Regular Assessments and Audits:

Perform regular security assessments and vulnerability scans to identify and address any weaknesses in cloud infrastructure.

Secure Code Development:

Follow secure coding practices to prevent the introduction of vulnerabilities during the development process. This includes input validation, output encoding, and proper error handling.

Access Controls:

Implement strong access controls and permissions management to ensure that only authorized individuals have access to sensitive data and services.

Patch Management:

Stay up to date with security patches and updates provided by cloud service providers. Regularly apply these patches to ensure that known vulnerabilities are addressed promptly.

Security Training:

Educate employees and users on best practices for internet security, including avoiding suspicious emails and websites, using strong and unique passwords, and being cautious about sharing sensitive information.

Continuous Monitoring:

Implement robust monitoring and logging mechanisms to detect and respond to any suspicious activities or potential security breaches.

Conclusion

The discovery and resolution of XSS vulnerabilities in Azure Bastion and Azure Container Registry underline the ongoing challenges in securing cloud services. While cloud providers like Microsoft have extensive security measures in place, the dynamic nature of technology necessitates constant vigilance and proactive security measures. Users and organizations must prioritize regular security assessments, secure coding practices, access controls, and continuous monitoring to mitigate the risk of unauthorized access and data breaches in the cloud. By implementing these measures, users can maximize the security of their cloud infrastructure and protect valuable data and sessions from potential attacks.
