Azure App Service on Azure Stack Hub privilege escalation
Published Tue, Feb 14th, 2023
Platforms
Summary
A privilege escalation vulnerability was discovered in Azure App Service on Azure Stack Hub
(an on-prem private cloud offering). To exploit this vulnerability, an attacker must have
access to the targeted worker role and the ability to deploy a malicious application within
the worker. The attack itself is carried out locally on the worker role where a malicious
application has been deployed. Exploiting this vulnerability could grant an attacker the
ability to access and modify the content of a targeted application or workload, allowing them
to interact with other tenants' applications and content.
Affected Services
Azure App Service on Azure Stack Hub
Remediation
Users of Azure App Service on Azure Stack Hub must update their instances to version 2302
by installing the patch available from Microsoft.