Critical Microsoft Azure vulnerability unveiled: no patch needed

Microsoft cloud computing platform Azure is vulnerable to authentication bypass attacks, researchers at Zero Day initiative by Trend Micro have revealed. The vulnerability has been given the highest possible CVSS score of 10 out of 10, meaning that it poses a critical risk. Microsoft fixed the vulnerability and customers are already protected.

Trend Micro’s Zero Day Initiative disclosed the new vulnerability: "Microsoft Azure SQL Managed Instance Documentation SAS Token Incorrect Permission Assignment Authentication Bypass Vulnerability.”

“This vulnerability allows remote attackers to bypass authentication on Microsoft Azure. Authentication is not required to exploit this vulnerability. The specific flaw exists within the permissions granted to an SAS token. An attacker can leverage this vulnerability to launch a supply-chain attack and execute arbitrary code on customers' endpoints,” the description on reads.

According to the report, Nitesh Surana of Trend Micro Research discovered the vulnerability, which was disclosed to the vendor on October 3rd, 2023. Following the responsible disclosure process, the short advisory was publicly released on June 6th, 2024.

The report claims that “Microsoft has issued an update to correct this vulnerability.” reported that Germany’s emergency team, CERT Bund of the Federal Office for Information Security (BSI), states that there is still no solution (mitigation) for the security problem.

“A remote, anonymous attacker can exploit a vulnerability in Microsoft Azure to execute arbitrary code,” the German advisory reads.

This was addressed in November 2023, and customers are already protected,” said a Microsoft spokesperson.

According to the company, no CVE was issued for this vulnerability, as no customer action was needed.

Therefore, it remains unclear how system administrators can protect their instances from possible attacks and if the vulnerability has been exploited in the wild.

Microsoft Azure is a widely used cloud computing platform, and its SQL Managed Instance is a popular database service. Attackers exploiting this vulnerability could wreak havoc by accessing sensitive data, disrupting services, and launching further attacks on connected systems.

Updated on June 8th [08:05 a.m. GMT] with a statement from Microsoft.