Summary
Undocumented APIs used by the Azure Function Apps Portal could have allowed an attacker with existing
access to a Reader role on a Function App to escalate their privileges and gain write permissions
through arbitrary file reads on Function App containers. For Windows containers, this would only
grant an attacker the ability to extract ASP.NET encryption keys (the impact of which remains unclear),
but for Linux containers it would have allowed an attacker to read environmental variables containing
information that ultimately granted access to Function master keys. This in turn would have allowed
overwriting Function App code and gaining remote code execution within the container.
Affected Services
Azure Function Apps
Remediation
None required.
Tracked CVEs
No tracked CVEs
References
Contributed by https://github.com/mer-b
Entry Status
Finalized
Disclosure Date
Tue, Aug 2nd, 2022
Exploitablity Period
-
Known ITW Exploitation
-
Detection Methods
-
Piercing Index Rating
-
Discovered by
Karl Fosaaen, NetSPI
