XSS Vulnerabilities In Azure Led To Unauthorized Access In User Sessions

Two cross-site scripting (XSS) vulnerabilities in Azure Bastion and Azure Container Registry (ACR) could have led to unauthorized access to user sessions, data tampering, and service disruptions, cloud security firm Orca warns.

The issues, resolved in April and May 2023, existed because of a weakness in the postMessage iframe, allowing an attacker to “embed endpoints within remote servers using the iframe tag” and execute malicious JavaScript code.

In Azure Bastion, which acts as a hardened gateway to provide access to virtual machines by creating a private remote desktop protocol (RDP) or secure shell (SSH) session between the local machine and the Azure VM, the vulnerability existed in the Azure Network Watcher connection troubleshooter.

Due to incorrectly implemented validation checks, an attacker could craft an HTML page that, once rendered in the victim’s browser, would lead to code execution.

According to Orca, multiple security weaknesses contributed to the vulnerability, allowing an attacker to automate the execution of a malicious SVG payload on behalf of the victim.

In the case of Azure Container Registry, the vulnerability existed in an HTML code snippet in an unused web page as part of ACR’s Azure Portal extension. Orca’s testing identified the HTML file that allowed for code injection.

A managed cloud service, Azure Container Registry allows users to deploy, manage, and store container images from a centralized location.

Advertisement. Scroll to continue reading.

Orca discovered that the portal’s main page contained an iframe communicating with postMessages with an HTML file. The communication method was then found to be susceptible to exploitation, because of a missing origin check.

Orca reported the XSS in Azure Bastion to Microsoft in April and the XSS in the Azure Container Registry in May. Microsoft resolved both issues after being able to reproduce them.

“For Azure Bastion, the underlying Network Watcher file that incorrectly performed its origin check was updated to remove the vulnerable line of code. For Azure Container Registry, the ACR engineering team removed the vulnerable file after determining the vulnerable HTML page was legacy code and not actually used as part of the current Azure Portal experience,” Microsoft explains.

The tech giant says that it has no evidence of any of these vulnerabilities being exploited in attacks, beyond the proof-of-concept (PoC) code that Orca provided to demonstrate them.

Related: Azure API Management Vulnerabilities Allowed Unauthorized Access

Related: Microsoft Azure Users Warned of Potential Shared Key Authorization Abuse

Related: Severe Azure Vulnerability Led to Unauthenticated Remote Code Execution