Summary
A vulnerability in the Azure Linux VM extension mechanism allowed an unprivileged
user to leak any Azure VM extension’s private data. An attacker could have abused
this to gain credentials for the VM itself as well as credentials for extensions
associated with the VM. Paired with the design of the VMAccess extension (an official
Azure extension for managing VM credentials), this could have been used to achieve
privilege escalation, as an unprivileged attacker would have been able to elevate themselves
to a higher privileged user by leaking the VMAccess admin password. Additionally, if the VMAccess
password happened to be shared among other Azure VMs, the attacker would have been able to perform
lateral movement to other machines. The root cause of this vulnerability was that the
certificates endpoint used for decrypting extension credentials did not validate transport
certificates, so an attacker could simply issue their own valid transport certificate.
Moreover, although an iptables rule was in place to prevent unprivileged access to this
endpoint, an attacker could bypass it by directing their requests to the Azure IMDS instead,
which happened to be located on the same machine as the certificates endpoint.
Affected Services
Azure Container Instance, Azure Service Fabric, Azure Kubernetes Service, Azure Container Registry, Azure Spring Cloud
Remediation
For Azure Kubernetes Service, update to image version 2020.10.15 or later. For other services, no action is required.
Tracked CVEs
CVE-2021-27075
References
https://www.intezer.com/blog/cloud-security/cve-2021-27075-microsoft-azure-vulnerability-allows-privilege-escalation-and-leak-of-data/https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-27075
Contributed by https://github.com/korniko98
Entry Status
Finalized
Disclosure Date
Tue, Mar 9th, 2021
Exploitablity Period
-
Known ITW Exploitation
-
Detection Methods
-
Piercing Index Rating
-
Discovered by
Paul Litvak (Intezer), Wouter ter Maat (Offensi)
