A critical vulnerability in Microsoft’s cloud computing platform, Azure, has been revealed, posing significant risks due to its potential for authentication bypass attacks. Researchers from Trend Micro’s Zero Day Initiative have rated the vulnerability with the highest possible CVSS score of 10 out of 10.
The vulnerability, identified as “Microsoft Azure SQL Managed Instance Documentation SAS Token Incorrect Permission Assignment Authentication Bypass Vulnerability,” allows remote attackers to bypass authentication on Microsoft Azure without requiring any prior authentication. This flaw is due to incorrect permissions granted to an SAS token, enabling attackers to launch supply-chain attacks and execute arbitrary code on customers’ endpoints.
According to the Zero Day Initiative, Nitesh Surana from Trend Micro Research discovered the vulnerability and disclosed it to Microsoft on October 3rd, 2023. Following the responsible disclosure process, the advisory was publicly released on June 6th, 2024.
Despite claims in the report that Microsoft has issued an update to address the vulnerability, there is no information available on Microsoft’s website, and the vulnerability has not been assigned a CVE number. Additionally, Heise.de reported that Germany’s emergency team, CERT Bund of the Federal Office for Information Security (BSI), states that there is still no mitigation for the security issue.
This ambiguity leaves system administrators uncertain about how to protect their instances from potential attacks and raises concerns about whether the vulnerability has been exploited in the wild. The German advisory highlights the risk, stating, “A remote, anonymous attacker can exploit a vulnerability in Microsoft Azure to execute arbitrary code.”
Given the widespread use of Microsoft Azure and its SQL Managed Instance service, exploiting this vulnerability could allow attackers to access sensitive data, disrupt services, and launch further attacks on connected systems.
As of now, the vulnerability has not been included in the National Vulnerability Database.