
We created a C# Azure function which loads a native DLL and calls the load function.


The load function brute forces the handles until it finds an open one whose name starts with “iisipm”. Then it constructs the malicious message and sends it immediately. As a result, DWASSVC crashes.


Although we only demonstrated a crash, this vulnerability could be exploited for privilege escalation.


Impact


Microsoft offers various App Service plans.

For more information, see: https://docs.microsoft.com/en-us/azure/app-service/overview-hosting-plans


Exploiting this vulnerability on any of the plans could allow us to compromise Microsoft’s App Service infrastructure. Exploiting it specifically on a Free/Shared plan, where the underlying infrastructure is shared with other customers, could also allow us to compromise other tenants’ apps, data, and accounts, breaking the security model of App Service.


Conclusion


The cloud is not a magical place. Although it is considered safe, it is ultimately an infrastructure that consists of code that can have vulnerabilities – just as we demonstrated in this article.


This vulnerability was disclosed, fixed by Microsoft, and assigned CVE-2019-1372.

Microsoft acknowledged that this vulnerability affected both Azure Cloud and Azure Stack.

Source: https://research.checkpoint.com/2020/remote-cloud-execution-critical-vulnerabilities-in-azure-cloud-infrastructure-part-ii/

Don't Become the Next Code Spaces: Learn best practices for using cloud services securely
Check Point Research Team, 11 August 2014

Overview


Code Spaces, which offered source code repositories and project management services hosted in Amazon’s Web Services for developers, was forced to cease operations in June after failing to meet the demands of cyber-extortionists. The company was first hit with a Distributed Denial of Service (DDoS) attack, followed by a devastating cyber breach that, in an instant, destroyed the intellectual property of the business.


Code Spaces’ problems began with a DDoS attack on June 17th. However, the DDoS attack was a smokescreen for a broader attack aimed at accessing Code Spaces’ systems. The attacker took over Code Spaces’ panel access and the company explained in a blog post, “most of our data, backups, machine configurations and offsite backups were either partially or completely deleted”.


Something similar happening to your enterprise may seem unlikely, but in reality many organizations today freely use cloud-based Infrastructure as a Service (IaaS) offerings. These give employees easy access to resources, company data, and more. Yet many enterprises have no plan in place to deal with the risks of using IaaS offerings, which include DDoS attacks and the kind of breach that closed the doors of Code Spaces. In fact, a recent Forrester Research study found that only 57 percent of companies surveyed had a formal DDoS attack response plan.


You can better protect your organization from such threats by following best practices for using IaaS offerings.


Decide Who Can Access the Management Console


Providing multiple people unfettered access to the cloud IaaS control panel leaves you more vulnerable to someone taking control of the environment, just as Code Spaces experienced.


Limit access to the IaaS management interface to as few people as possible to reduce the chance of credentials leaking. Also, do not use the root account on a regular basis. Create an administrative account for daily use, so that the highest-privilege account remains available to suspend all others. Otherwise, if an attacker takes over the root account and changes the password, you will have to contact the IaaS provider to regain control.


Determine What Users Can Do on the Management Console


Allow users to access only what is required for their work. An efficient way to do this is to create user groups and assign each group the minimum rights its members need to do a specific job. Then, when adding a user, grant them rights to the management console via group membership.


For example, create a Database Read Access group. Users in that group would have rights to read the database but nothing else. You will have to work with your team to define the rights for each group, but if a non-admin’s credentials are stolen, the whole IaaS environment is not in jeopardy.


Use Multi-Factor Authentication


It is strongly recommended to implement more robust authentication to prevent unauthorized access. Multi-factor authentication still requires the user to have a login name and password, along with an additional code provided by a third-party authentication product. This code can come from a hardware token that changes every minute or be sent to the user’s phone via SMS. Multi-factor authentication is more secure than passwords alone.
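The Database Read Access group from the previous section and the multi-factor requirement from this one, combined into a single AWS IAM group policy as an added example (not code from the original post). The account ID and table name are assumed placeholders, and the two check functions are a constructed sanity test a team might run over its own policies before applying them, not an AWS API.

```python
# Constructed placeholders (AWS's documentation example account ID, assumed
# table name); neither value comes from the article.
TABLE_ARN = "arn:aws:dynamodb:us-east-1:123456789012:table/customers"

# Read-only DynamoDB actions: enough to query the table, nothing that writes.
DB_READ_ACTIONS = ["dynamodb:DescribeTable", "dynamodb:GetItem",
                   "dynamodb:BatchGetItem", "dynamodb:Query", "dynamodb:Scan"]
# Actions a user still needs while enrolling an MFA device for the first time.
MFA_SETUP_ACTIONS = ["iam:GetUser", "iam:ListMFADevices",
                     "iam:CreateVirtualMFADevice", "iam:EnableMFADevice",
                     "iam:ResyncMFADevice", "sts:GetSessionToken"]
READ_PREFIXES = ("Get", "BatchGet", "Describe", "List", "Query", "Scan")


def database_read_access_policy() -> dict:
    """Policy for the 'Database Read Access' group: allow reads on one table,
    and deny everything else unless the session was opened with MFA."""
    return {
        "Version": "2012-10-17",
        "Statement": [
            {"Sid": "DatabaseReadOnly", "Effect": "Allow",
             "Action": DB_READ_ACTIONS, "Resource": TABLE_ARN},
            {"Sid": "DenyAllWithoutMFA", "Effect": "Deny",
             "NotAction": MFA_SETUP_ACTIONS, "Resource": "*",
             "Condition": {"BoolIfExists": {"aws:MultiFactorAuthPresent": "false"}}},
        ],
    }


def allows_only_reads(policy: dict) -> bool:
    """True if every Allow statement names a concrete resource and only
    read-style actions (no wildcards, no Put/Update/Delete verbs)."""
    for stmt in policy["Statement"]:
        if stmt["Effect"] != "Allow":
            continue
        if stmt.get("Resource", "*") == "*":
            return False
        for action in stmt.get("Action", []):
            verb = action.partition(":")[2]
            if "*" in action or not verb.startswith(READ_PREFIXES):
                return False
    return True


def enforces_mfa(policy: dict) -> bool:
    """True if some Deny statement fires whenever MFA was not used."""
    return any(stmt["Effect"] == "Deny" and stmt.get("Condition", {})
               .get("BoolIfExists", {}).get("aws:MultiFactorAuthPresent") == "false"
               for stmt in policy["Statement"])
```

Attach the policy to the group (for example with `aws iam put-group-policy`) and add users to the group rather than to the policy, so the rights stay tied to the job, not the person.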


Consider using SAML


Security Assertion Markup Language (SAML) is an open standard that can be used with other identity mechanisms such as Windows Active Directory Federation Services. You can set up management console access to use Windows Active Directory as the authentication mechanism. This adds another layer of security by allowing users to connect to the management console only when they are on the local company network or on a secure VPN connection, which requires them to log in to Active Directory.


Enforce Local Endpoint & Network Protection


By enforcing local endpoint and network protection, you will minimize the risk of malware or Trojans on devices stealing user credentials. Make sure the antivirus software is updated regularly and scans for viruses on a set schedule. Install a network firewall and Intrusion Prevention System (IPS) to further protect endpoints. Also consider network antivirus and anti-bot software to block viruses and find already-infected systems, as well as Threat Emulation to find new and unknown threats.


Create a Plan and Perform Backup and Recovery Exercises


At a minimum, your organization needs three response plans to minimize loss of data or disruption of services.


To help you develop these plans, read the AWS Security Best Practices as well as the National Institute of Standards and Technology (NIST) publications “Computer Security Incident Handling Guide” and “Techniques for System and Data Recovery.”


Of course, it’s not enough to simply have response plans. You need to make sure each plan works through regular testing, just as large office buildings often conduct fire drills.


Protect Your IaaS Server As If It Were Your Own


When implementing an environment in AWS or another IaaS offering, you should protect the servers as if they were in your own organization. Check Point offers a Security Gateway in the Amazon Marketplace that can enforce your organization’s security policy and protect your assets within the AWS environment.


The same network protections that are available on-premises are available in the Amazon Marketplace. As a result, connecting your IaaS to your local network can be accomplished securely via VPNs, and you are assured that the same protections you have on-premises are implemented in your IaaS environment.


The ease and affordability of IaaS offerings are a great benefit to many businesses. But it’s up to your organization to find the right balance between meeting your users’ needs and securing your assets.


Originally published on the Check Point Blog: http://blog.checkpoint.com/2014/08/11/dont-become-the-next-code-spaces-learn-best-practices-for-using-cloud-services-securely/