An attack chain exploiting misconfigurations and weak security controls in a common Azure service is highlighting how lack of visibility impacts the security of cloud platforms.
The "EmojiDeploy" attack chain could allow a threat actor to run arbitrary code with the permission of the Web server, steal or delete sensitive data, and compromise a targeted application, Ermetic stated in its Jan. 19 advisory. An attacker could use a trio of security issues affecting the common Source Code Management (SCM) service — a cloud service used by many Azure applications without an explicit indication to the user, according to Ermetic.
The issues demonstrate that the security of cloud platforms are undermined by the lack of visibility into what those platforms do under the hood, says Igal Gofman, head of research for Ermetic.
"Azure and cloud service consumers — enterprises — must be familiar with each service and its internals, and not trust [that the] default settings provided by cloud providers are always secure," he says. "Even though cloud providers spend millions of dollars on securing their cloud infrastructure, misconfigurations and security bugs will happen."
The EmojiDeploy research joins other attack chains recently discovered by security researchers that could have resulted in data breaches on cloud platforms or otherwise compromised cloud services. In October 2022, for example, researchers found two vulnerabilities in Atlassian's Jira Align, an agile project management application, that could have allowed threat groups to attack the Atlassian service. In January 2022, Amazon fixed two security issues in its Amazon Web Services (AWS) platform that could have allowed a user to take control of another customer's cloud infrastructure.
An attacker only needs to take an average of three steps — often starting, in 78% of cases, with a vulnerability — to compromise sensitive data on cloud services, one analysis found.
"Cloud systems are highly complex," Ermetic stated. "Understanding the complexity of the system and environment you are working in is crucial to defending it."
Source Code Manager Exploit
The attack found by Ermetic made use of the insecurity of a specific cookie configuration for the Source Code Manager (SCM). The Azure service had set the Same-Site attribute in all cookies to "None" rather than the default value of "Lax," undermining controls that would normally prevent cross-site scripting (XSS) and cross-site request forgery (XSRF), according to Ermetic's advisory.
After further investigating the implications of those settings, Ermetic researchers found that those who use any of three common Azure services — Azure App Service, Azure Functions, and Azure Logic Apps — could be attacked through the vulnerability. The attack was made possible because these three major services all use the Source Code Management (SCM) panel to allow development and Web teams to manage their Azure application. Because SCM relies on the open source Kudu repository management project, which is a .NET framework similar to Git, a cross-site scripting vulnerability in the open source project also affects Azure SCM.
Unfortunately, the security setting is not obvious, Ermetic stated, adding that many Azure Web Services customers would not even know of the existence of the SCM panel.
A single vulnerability is not enough, however. The researchers paired the lax cookie security with a specially crafted URL that bypasses the cloud service's check that every component of the website came from the same origin. Combining the two components allows a full cross-origin attack, Ermetic stated in its advisory. A third weakness allowed specific actions or payloads to be incorporated into the attack as well.
Shared Responsibility Means Configuration Transparency
The attack chain underscores that cloud providers need to make their security controls more transparent and default to more secure configurations, says Ermetic's Gofman. While shared responsibility has long been the mantra of cloud security, cloud infrastructure services have not always offered easy access or integration to security controls.
"Awareness of default service settings and configurations is important since the cloud uses a shared responsibility model for security between the provider and the customer," he says. "Applying the principle of least privilege and being aware of the shared responsibility model is very important."
Emetic notified Microsoft of the attack chain in October, and the vendor issued a global fix for Azure by early December, according to the advisory.
"The impact of the vulnerability on the organization as a whole depends on the permissions of the applications managed identity," Ermetic stated in its advisory. "Effectively applying the principle of least privilege can significantly limit the blast radius."