medium

Azure App Services takeover via legacy API

Published Mon, Jun 12th, 2023
Platforms

Summary

Binary Security found two vulnerabilities in the legacy Azure Resource Manager (ARM) REST API. The first vulnerability allowed an attacker with Reader access to an Azure Function, acting from a Windows host, to obtain an admin token that could be exchanged for a master key granting access to all operations in Kudu (the Functions deployment service). This would allow them to tamper with the function by deploying malicious code to it. The second vulnerability allowed an attacker with Reader access to an Azure App Service to read all process environment variables, including Key Vault references. For Azure Functions, this would result in complete compromise of the app.

Affected Services

Azure Resource Manager (ARM), Azure Functions, Azure App Services

Remediation

None required.

Tracked CVEs

No tracked CVEs

References

Entry Status
Finalized
Disclosure Date
Fri, Apr 28th, 2023
Exploitability Period
-
Known ITW Exploitation
-
Detection Methods
-
Piercing Index Rating
-
Discovered by
Haakon Holm Gulbrandsrud, Christian August Holm Hansen, Binary Security