Microsoft: Azure vulnerability with previously unclear status is already closed

The patch status of a security vulnerability in Microsoft's Azure had been unclear. The company has now announced that it has already closed the vulnerability.

Stylized graphic: shattered security shield on a laptop

(Image: created with AI in Bing Designer by heise online / dmk)


At the end of last week, details of a security vulnerability in Microsoft's Azure became public. It allowed attackers to carry out a supply chain attack in which they could bypass the Azure login and execute arbitrary code. The patch status had been unclear, but Microsoft has now informed heise online that the gap has already been closed.

The vulnerability was described by Trend Micro's Zero Day Initiative (ZDI) last week. Although it has not received its own CVE entry, its severity is rated critical with a CVSS score of 10 (out of a maximum possible 10 points). Attackers were able to exploit it without prior authentication and bypass the Azure login. The cause was an error in the permissions that a so-called SAS token had been granted. The ZDI has not outlined any specific attack scenarios. However, attackers should be able to deploy malicious code to endpoints, i.e. carry out a supply chain attack.

In October 2023, the ZDI analysts informed Microsoft about the vulnerability. They also stated that a patch already existed - but there was nothing in the Microsoft Security Update Guide, which is why the patch status was unclear. The BSI is also not yet aware of any "countermeasures" against the vulnerability (mitigation).

Microsoft has now responded to heise online regarding the status of the vulnerability. "This was addressed in November 2023 and customers are already protected," said a Microsoft spokesperson. "As no customer action was required, no CVE entry was created," the Redmond company continued.

However, it remains unclear whether there have already been attacks exploiting this vulnerability. At least IT managers do not need to take any further action and can file this vulnerability in the "done" pile.

(dmk)


This article was originally published in German. It was translated with technical assistance and editorially reviewed before publication.