Microsoft has disclosed two Azure vulnerabilities that allowed remote code execution: the July 2022 Patch Tuesday cumulative update fixed dozens of critical vulnerabilities in the Azure Site Recovery disaster recovery service, the company has revealed.
In a detailed analysis of the July 2022 Patch Tuesday update, which addressed a total of 84 vulnerabilities, the company reported that 32 of them were patched in Azure Site Recovery, a disaster recovery tool that automatically fails workloads over to another location in an emergency.
Of those 32, two allowed remote code execution, while the remaining 30 allowed threat actors to escalate their privileges.
Run malicious DLL files
Microsoft explained that most of the privilege escalation flaws stem from SQL injection vulnerabilities, adding that DLL hijacking vulnerabilities were also found.
A vulnerability of the second type, discovered by vulnerability management specialists at Tenable, is tracked as CVE-2022-33675 and carries a severity score of 7.8.
As BleepingComputer reported, vulnerabilities of this kind arise from insecure permissions on the folders that the operating system searches when loading DLL files at application launch.
In principle, an attacker could create a malicious DLL with the same name as a legitimate DLL that the Azure Site Recovery application loads and cause the application to load it instead.
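The defender's check implied by the paragraph above is an audit of the directories on an application's DLL search path for write access by unprivileged principals. The following is an added example written for this article, not code from Microsoft, Tenable or the advisory: it parses `icacls` output for a set of directories (the directory names and ACL listings here are constructed sample data) and flags any directory where a group every local user belongs to holds rights that permit creating or replacing files.

```python
import re

# Constructed icacls listings for two hypothetical directories on an
# application's DLL search path; these are not paths from the advisory.
SAMPLE_ICACLS = {
    r"C:\Program Files\ExampleApp": r"""C:\Program Files\ExampleApp NT AUTHORITY\SYSTEM:(OI)(CI)(F)
                            BUILTIN\Administrators:(OI)(CI)(F)
                            BUILTIN\Users:(OI)(CI)(RX)

Successfully processed 1 files; Failed processing 0 files
""",
    r"C:\ExampleApp\plugins": r"""C:\ExampleApp\plugins NT AUTHORITY\SYSTEM:(OI)(CI)(F)
                      BUILTIN\Users:(OI)(CI)(M)
                      Everyone:(OI)(CI)(WD)

Successfully processed 1 files; Failed processing 0 files
""",
}

# Principals that every local account maps to: write rights granted to them
# mean an unprivileged user can drop a same-named DLL into the directory.
LOW_PRIV_PRINCIPALS = {"everyone", "builtin\\users",
                       "nt authority\\authenticated users", "nt authority\\interactive"}
# icacls simple rights (F, M, W) and specific rights (WD, AD) that allow
# creating or overwriting files in a directory.
WRITE_RIGHTS = {"F", "M", "W", "WD", "AD"}

# One ACE as icacls prints it: "<principal>:(flag)(flag)...(rights)"
ACE_RE = re.compile(r"^(?P<who>[^:]+):(?P<rights>(?:\([A-Z,]+\))+)$")

def parse_icacls(path, text):
    """Return [(principal, {rights})] from the icacls output for one directory."""
    aces = []
    for line in text.splitlines():
        line = line.strip()
        if line.startswith(path):              # first line carries the path
            line = line[len(path):].strip()
        m = ACE_RE.match(line)                 # summary/blank lines do not match
        if m:
            groups = re.findall(r"\(([A-Z,]+)\)", m.group("rights"))
            rights = {r for g in groups for r in g.split(",")}
            aces.append((m.group("who"), rights))
    return aces

def writable_by_low_priv(aces):
    """Low-privilege principals in the ACL that hold any write-capable right."""
    return sorted(who for who, rights in aces
                  if who.lower() in LOW_PRIV_PRINCIPALS and rights & WRITE_RIGHTS)

def audit(listings):
    """Map each risky directory to the unprivileged principals that can write to it."""
    findings = {}
    for directory, text in listings.items():
        risky = writable_by_low_priv(parse_icacls(directory, text))
        if risky:
            findings[directory] = risky
    return findings
```

On a real host the listings would come from running `icacls <dir>` against each directory on the process's DLL search order, and any flagged directory is a candidate for the same misconfiguration the article describes.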
Tenable explained in a blog post: “DLL hijacking is a fairly archaic technique that we don’t often encounter today. When we do, its impact is often quite limited due to the lack of crossed security boundaries.”
“However, in this case, we were able to cross clear security boundaries and demonstrate the ability to elevate a user to SYSTEM-level permissions, which indicates a growing trend of even older techniques finding a new home in the cloud space due to the added complexity in these types of environments.”
Once attackers gain elevated privileges on an endpoint, they can change important operating system settings, allowing them to exfiltrate sensitive files, deploy malware and ransomware, or spy on users.