One of the reasons why some organizations prefer hybrid cloud services like Microsoft Azure Stack is the option to keep sensitive data on-premises, securely.
Download Restoro PC Repair Tool that comes with Patented Technologies (patent available here).
Click Start Scan to find Windows issues that could be causing PC problems.
Click Repair All to fix issues affecting your computer’s security and performance
Restoro has been downloaded by 0 readers this month.
But Check Point Research analysts exposed two critical security vulnerabilities in the on-prem platform some time back, and they have now released a report detailing how they did it.
Some service requests required no validation in Azure Stack
The researchers were able to demonstrate how a malicious actor could exploit a seemingly minor oversight in software design to cause serious trouble.
They were surprised to discover that some requests in Azure did not require authentication. That vulnerability made it possible for them to access specific internal Azure Stack resources.
The second security issue they identified is server-side request forgery (SSRF). This flaw enabled them to take advantage of the lack of request validation in Azure by deploying a specially crafted request via the platform’s user portal.
In our case, because DataService didn’t require authentication, this eventually allowed us to get screenshots and information about tenants and infrastructure machines.
How they pulled it off
The analysts started by setting up Azure Stack on their own computer to create a private cloud. They then identified “DataService” as one of the services on the platform that required no validation.
Upon further exploration of APIs, they discovered they could obtain a lot of information on Azure Stack machines, such as device ID and system specifications.
Ultimately, the researchers could invoke certain functions and take screenshots on specific machines. By executing an SSRF breach, they managed to access “DataService” and deliver a screenshot request without any server-side hindrance.
Azure Stack customers no longer have to worry over the spoofing threat because Microsoft provided a security update for it. Still, one can’t help but wonder if the Azure public cloud ever had the same problem, considering that it shares similar features with the on-prem alternative.
Check Point Research could not subject Microsoft’s public cloud infrastructure to a similar test due to the complications involved.
Azure has come a long way, nonetheless. Based on its financial performance for the second quarter, the product is vital to Microsoft’s overall revenue growth.
Hopefully, the public cloud solution does validate all service requests to minimize the risk of SSRF intrusion.
If the advices above haven’t solved your issue, your PC may experience deeper Windows problems. We recommend downloading this PC Repair tool (rated Great on TrustPilot.com) to easily address them. After installation, simply click the Start Scan button and then press on Repair All.
Still having issues? Fix them with this tool:
SPONSORED
- microsoftMicrosoft Azure
Email *
Commenting as . Not you?
Comment
