A chain of techniques that abuses misconfigurations and weak security controls in a popular Azure service is drawing attention to cloud security visibility: without a clear view of the risks present in a cloud platform, small weaknesses can combine into far greater ones.
Ermetic’s research team found a vulnerability, dubbed EmojiDeploy, in Azure cloud services (including sovereign clouds) that allows remote code execution in:-
- Function Apps
- App Service
- Logic Apps
The EmojiDeploy vulnerability can be exploited via CSRF against Kudu, the widely used SCM service. Attackers can abuse it to deploy harmful zip files containing malicious payloads to their victims’ Azure applications.
Abilities of the EmojiDeploy Vulnerability
By exploiting EmojiDeploy, threat actors could remotely execute code and take control of an application, enabling:-
- Running code and commands as the www user
- Theft or deletion of sensitive data
- Phishing campaigns
- Takeover of the app’s managed identity and lateral movement to other Azure services
Exploiting this vulnerability gives remote code execution and full control of the target application. The wider impact depends on the permissions granted to the application’s managed identity, and so varies from one organization to the next.
In order to reduce the blast radius, it is crucial to apply the principle of least privilege.
Timeline
Here below we have mentioned the complete disclosure timeline:-
- October 26, 2022 – The Ermetic research team reports the vulnerability to MSRC
- November 2, 2022 – MSRC first response, under review
- November 3, 2022 – Microsoft bounty program awards a $30,000 bounty
- December 6, 2022 – Microsoft releases a global fix
- January 19, 2023 – Ermetic’s public disclosure
Exploitation of EmojiDeploy Vulnerability
To exploit the vulnerability, attackers must take advantage of the following things:-
- Same-site misconfiguration
- Bypass an origin check
- Then target a vulnerable endpoint
Ultimately, this chain gives the attacker remote code execution. An EmojiDeploy attack can be launched from a browser, but the browser through which the attack runs must hold SCM or Microsoft account cookies for the exploit to succeed.
As Ermetic found, the attack exploited an insecure cookie configuration for the Source Code Manager (SCM) service. The Azure service sets two controls to Lax by default:-
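The three steps above (a lax same-site setting, a bypassable origin check, and a state-changing endpoint) are what a defender has to close. The following is an added example, not Ermetic’s or Microsoft’s code, of a strict request gate for a deployment endpoint: the Origin (or Referer) header is parsed and compared whole against an allow-list rather than by substring, Sec-Fetch-Site must agree, and the session cookie is issued with SameSite=Strict instead of the Lax default. The hostnames, cookie name and request samples are constructed for this demonstration.

```python
# Added example (not part of the original research): a strict CSRF gate for a
# deployment endpoint plus a SameSite=Strict session cookie. All hostnames,
# the cookie name and the sample headers below are constructed for the demo.
from urllib.parse import urlsplit

ALLOWED_ORIGINS = {"https://example-app.scm.example.net"}  # assumed trusted UI origin


def canonical_origin(url):
    """Return scheme://host[:port] in lower case, or None if the URL is malformed."""
    try:
        parts = urlsplit(url)
        port = parts.port  # raises ValueError on a non-numeric port
    except ValueError:
        return None
    if parts.scheme not in ("http", "https") or not parts.hostname:
        return None
    default = 443 if parts.scheme == "https" else 80
    host = parts.hostname.lower()
    if port is None or port == default:
        return f"{parts.scheme}://{host}"
    return f"{parts.scheme}://{host}:{port}"


def is_trusted_request(headers):
    """Accept a state-changing request only from an exact allow-listed origin.
    The source header is parsed and compared whole, never by prefix or suffix,
    so look-alike hosts and path tricks do not match. A request with no
    provenance at all fails closed."""
    h = {k.lower(): v for k, v in headers.items()}
    fetch_site = h.get("sec-fetch-site")
    if fetch_site is not None and fetch_site not in ("same-origin", "none"):
        return False  # browser itself says this is cross-site
    source = h.get("origin") or h.get("referer")
    if not source:
        return False
    return canonical_origin(source) in ALLOWED_ORIGINS


def session_cookie(value):
    """Set-Cookie for the SCM session: Strict rather than the Lax default, so the
    cookie is never attached to a request initiated from another site."""
    return f"scmsession={value}; Secure; HttpOnly; SameSite=Strict; Path=/"


# Constructed samples: one legitimate call and two cross-site attempts.
LEGIT = {"Origin": "https://example-app.scm.example.net", "Sec-Fetch-Site": "same-origin"}
CROSS = {"Origin": "https://example-app.scm.example.net.attacker.example", "Sec-Fetch-Site": "cross-site"}
LOOKALIKE = {"Origin": "https://evil.example/example-app.scm.example.net"}
```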
Recommendation
MSRC has resolved the EmojiDeploy issue, but preventive measures are still recommended to guard against similar vulnerabilities and abuse of SCM capabilities in the future.
The Microsoft Security Response Center (MSRC) moved quickly to resolve the vulnerability while conducting a thorough investigation, identifying the root cause and producing a fix intended both to close the vulnerability and to prevent it from recurring.
Microsoft classified EmojiDeploy as a Remote Code Execution (RCE) vulnerability and recognized the discovery with a substantial reward.
Microsoft has a program that rewards security researchers who responsibly disclose vulnerabilities, and EmojiDeploy was considered a severe vulnerability that needed to be addressed as soon as possible.
The company awarded a bounty of $30,000 to the Ermetic research team that reported the vulnerability, reflecting the significance of the finding and the value of the researchers’ contribution to making the platform more secure for everyone.
This kind of program encourages researchers to identify and report vulnerabilities, which in turn helps to make Microsoft’s products and services more secure for customers.