Potential catastrophe averted due to an implementation bug in Microsoft cryptography

A researcher has gone public about recently discovered vulnerabilities in Azure Functions

Two vulnerabilities discovered in Microsoft Azure Functions have been disclosed, although the severity of one of the flaws was mitigated by a separate implementation bug.

Last week, researcher Paul “Polarply” described the vulnerabilities, privately reported to Microsoft in late 2020, in a technical blog post.




The security flaws were found in Azure Functions, an on-demand cloud service designed for managing applications and message queues, responding to database changes, and building web-based APIs.

According to the researcher, the first vulnerability is a privilege escalation bug in Linux Azure Function instances found in the SCM_RUN_FROM_PACKAGE environment variable.

While the URL held in this variable redirects to an Azure Function package, its SAS token had a ‘write’ permission, allowing attackers with code execution privilege over a Function to overwrite the package, tampering with user levels and potentially permitting an attacker to “plant a backdoor which would have run in every Function invocation”.
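A defender-side check for the over-permissioned token described above, added here as an example and not taken from the researcher's post or Microsoft's code: it parses the standard SAS query fields (`sp`, `sr`, `se`) of a package URL and reports anything beyond read-only access. The function name, sample URLs, host and 7-day lifetime threshold are assumptions made for illustration.

```python
import os
from datetime import datetime, timezone
from urllib.parse import urlsplit, parse_qs

# SAS "sp" letters that let the token holder change or remove blob content.
MUTATING = {"w": "write", "a": "add", "c": "create", "d": "delete"}

def audit_package_sas(url, now=None, max_days=7):
    """Return findings for a SAS URL that should only allow reading a package."""
    now = now or datetime.now(timezone.utc)
    query = parse_qs(urlsplit(url).query)
    if "sig" not in query:
        return ["no SAS signature in URL"]
    findings = []
    perms = query.get("sp", [""])[0]
    for letter, name in MUTATING.items():
        if letter in perms:
            findings.append(f"sp={perms} grants {name}")
    if query.get("sr", [""])[0] == "c":
        findings.append("sr=c scopes the token to the whole container")
    expiry = query.get("se", [""])[0]
    try:
        end = datetime.fromisoformat(expiry.replace("Z", "+00:00"))
        if end.tzinfo is None:
            end = end.replace(tzinfo=timezone.utc)
        if (end - now).days > max_days:
            findings.append(f"se={expiry} is more than {max_days} days away")
    except ValueError:
        findings.append("se (expiry) missing or unparseable")
    return findings

# Constructed sample URLs (hypothetical host, placeholder signature).
WEAK = ("https://account.example.invalid/packages/app.zip"
        "?sv=2019-12-12&sr=b&sp=rw&se=2021-11-01T00:00:00Z&sig=PLACEHOLDER")
READ_ONLY = ("https://account.example.invalid/packages/app.zip"
             "?sv=2019-12-12&sr=b&sp=r&se=2020-11-02T00:00:00Z&sig=PLACEHOLDER")

if __name__ == "__main__":
    # On a Function instance, audit the variable named in the article instead.
    url = os.environ.get("SCM_RUN_FROM_PACKAGE", WEAK)
    for finding in audit_package_sas(url) or ["read-only, short-lived token"]:
        print(finding)
```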

The second vulnerability was found through the extraction of a SAS token from a URL linked to a storage blob belonging to Microsoft, connected to Azure Function, by querying azcontainers blob storage.

This allowed encrypted Function configurations that do not belong to the user to be viewed. However, as they are encrypted, the researcher says the downloading of these configurations, while possible, “had no practical impact”.

Consult the oracle

In addition, the researcher found a padding oracle available as an undocumented HTTP endpoint on Function instances. Initially, he believed this could have allowed remote code execution (RCE) to be achieved over arbitrary Azure Functions, as well as the decryption of configurations.

However, further examination revealed cryptographic dysfunction in the oracle caused by Microsoft’s cryptography codebase – rendering the oracle useless for an RCE attack.

“The attack still required matching the oracle (the Function URL) to its configuration which probably would have limited the impact of the attack should I have been successful,” the researcher noted.




Speaking to The Daily Swig, Polarply emphasized that the padding bug had no real-world implications due to the issues in the cryptographic code. However, the function overwrite issue was still “pretty serious”.

“It meant any attacker who had code execution on the Function could overwrite its code and install a backdoor [and] the victims wouldn't even know it’s there,” he told us.

To resolve the flaws, the scope of the SAS tokens was changed so apps could not read encrypted configurations that do not belong to them. Token restrictions were also enabled.

However, as the oracle was inoperative, no changes were made.

A spokesperson for Microsoft said that a fix was issued in November 2020, and customers do not need to take any action to stay protected.

The tech giant did not provide a bug bounty for the vulnerability report.

