high

Azure Cloud Shell access token theft

Published Tue, Sep 20th, 2022

Platforms

Summary

An issue in Azure Cloud Shell could have allowed an attacker to take over an Azure App Service domain and leverage it to inject and execute commands in other tenants' terminals if they navigated to the domain while logged into their account. Using this method, an attacker could query the Azure IMDS on other tenants' behalf and thereby obtain their access tokens.

Affected Services

Cloud Shell

Remediation

None required.

Tracked CVEs

No tracked CVEs

References

https://blog.lightspin.io/azure-cloud-shell-command-injection-stealing-users-access-tokens

Contributed by https://github.com/mer-b

Entry Status

Finalized

Disclosure Date

Sat, Aug 20th, 2022

Exploitablity Period

Known ITW Exploitation

Detection Methods

Piercing Index Rating

9.17

(PI:1.5/A1:22/A2:1.21/A7:0.9/A8:1.1)

Discovered by

Gafnit Amiga, Lightspin

More vulnerabilities...

high

AttachMe

Any unattached storage volume, or attached storage volumes allowing multi-attachment, could have been read from or written to as long as an attacker knew their Oracle Cloud Identifier (OCID), allow...

Elad Gabay, Wiz

Tue, Sep 20th, 2022

medium

Synapse Spark LPE

Azure Synapse Analytics is an analytics service for processing data using various runtimes, among them Apache Spark. Synapse provided users the capability to mount Azure File Shares to their Apache...

Tzah Pahima, Orca Security

Thu, Sep 1st, 2022

medium

SNS SigningCertUrl improper validation

Amazon SNS' signature validation in the official SDK relied on a weak regex for default AWS certificate locations, that would incorrectly match an S3 bucket named `sns`. This bucket happened to be...

Eugene Lim

Fri, Aug 19th, 2022

View all