Intezer announced that the company discovered two vulnerabilities in Microsoft Azure. According to the announcement, the vulnerabilities exist in Azure App Services and specifically impact Linux servers. App Services’ administration page is provided by a Microsoft open-source project called Kudu; for Linux, it is a lesser-known project called KuduLite.
Vulnerability 1: KuduLite Takeover/EoP
Vulnerability 2: Lack of Access Checks in KuduLite
The second vulnerability was found in the KuduLite API. Intezer discovered that the application node sends requests to the KuduLite API without any access validation being required. An attacker who manages to forge a GET request can therefore read the application node’s file system and steal source code and other assets, and a forged POST request achieves remote code execution on the application node.
The Intezer team also stated:
“Finally, these two vulnerabilities can be chained together, since once an attacker achieves code execution with the second vulnerability, provided they have an SSRF vulnerability, they can exploit the first one. We reached out to Microsoft with our findings as part of the responsible disclosure process and the vulnerabilities were quickly acknowledged and fixed.”