A new critical remote code execution (RCE) flaw discovered impacting multiple services related to Microsoft Azure could be exploited by a malicious actor to completely take control of a targeted application.
“The vulnerability is achieved through CSRF (cross-site request forgery) on the ubiquitous SCM service Kudu,” Ermetic researcher Liv Matan said in a report shared with The Hacker News. “By abusing the vulnerability, attackers can deploy malicious ZIP files containing a payload to the victim’s Azure application.”
The Israeli cloud infrastructure security firm, which dubbed the shortcoming EmojiDeploy, said it could further enable the theft of sensitive data and lateral movement to other Azure services.
Microsoft has since fixed the vulnerability as of December 6, 2022, following responsible disclosure on October 26, 2022, in addition to awarding a bug bounty of $30,000.
The Windows maker describes Kudu as the “engine behind a number of features in Azure App Service related to source control based deployment, and other deployment methods like Dropbox and OneDrive sync.”
images from Hacker News