Critical Azure vulnerability: Patch status currently unclear
Microsoft's cloud platform Azure is vulnerable to attack. According to security researchers, attackers can execute malicious code on customers' endpoints.
A "critical" vulnerability in Microsoft Azure is currently causing a stir. According to the security researchers' description, attackers can use it to launch a supply chain attack. It is currently unclear whether a security update already exists.
Dangerous security vulnerability
Security researchers from Trend Micro's Zero Day Initiative describe the vulnerability, which carries the highest possible rating (CVSS score 10 out of 10), in a short article. However, there is apparently no CVE number yet.
They state that attackers are able to exploit the vulnerability remotely without authentication. If an attack succeeds, the Azure login can be bypassed. The flaw lies in the permissions granted to a SAS token. The researchers are not currently explaining what specific attacks could look like.
From this position in Microsoft's Azure cloud computing platform, attackers are said to be able to execute malicious code on customers' endpoint systems as part of a supply chain attack.
Countermeasures?
The security researchers state that they reported the vulnerability to Microsoft in October 2023. Details of the vulnerability have now been published. They state that a security patch is already available. For more information, they link to Microsoft's Security Update Guide. However, there is no mention of an update there.
CERT Bund, the emergency response team of the Federal Office for Information Security (BSI), in turn states that there is still no solution (mitigation) for the security problem. Microsoft's answer to an inquiry from heise Security is still pending.
As a result, it remains unclear for the time being how admins can protect their systems from possible attacks. It is also currently unclear whether attacks are already taking place.
(des)