Microsoft Azure has some serious security flaws

Security researchers at Check Point have identified two major security flaws in Microsoft Azure that could be exploited by hackers to gain access to sensitive information stored on machines running Azure or to take over Azure servers.

The first security flaw was discovered in Azure Stack and if exploited, it would enable a hacker to gain access to screenshots and other sensitive information from machines running Azure.

Azure stack is a cloud computing software solution that was developed by Microsoft to allow enterprises to deliver Azure services from their own data centers. The software giant created Azure Stack as a means of helping organizations embrace hybrid cloud computing on their own terms while still being able to address business and technical considerations.

Researchers at Check Point were able to take screenshots and collect sensitive information of Azure tenants and infrastructure machines by exploiting the flaw. However, in order for a hacker to take advantage of the flaw, they would first need to gain access to the Azure Stack Portal which would enable them to send unauthenticated HTTP requests.

Azure App flaw

The Azure App flaw discovered by Check Point would have enabled a hacker to take control over an entire Azure server and consequentially an enterprise’s business code.

Azure App Service is a fully managed Platform as a Service (PaaS) that integrates Microsoft Azure websites and other services into a single service while also adding new capabilities that enable integration with on-premises or cloud systems.

Check Point’s researchers were able to prove that a hacker could compromise tenant applications, data and accounts by creating a free user in Azure Cloud and running malicious Azure functions.

The security company disclosed the flaws to Microsoft and together the two worked closely to fix the issues. Full patches for both security flaws were released at the end of last year to prevent them from being exploited by hackers.

Via Gizbot

Source

Posted in: