Microsoft recently patched a Cross-Site Request Forgery (CSRF) vulnerability in its popular Kudu SCM that allowed attackers to perform remote code execution (RCE) on Azure services. The flaw was discovered and reported by security researcher Michael Gillespie.
Kudu SCM is a web-based version control system that enables developers to store, manage, and even debug their code in the cloud. Specifically, Gillespie found that the CSRF vulnerability in Kudu SCM had the potential to allow remote code execution on any Azure service with a specific URL.
Gillespie traced the CSRF vulnerability to missing input validation on the “KUDU_UI_SETTINGS” POST parameter. This could allow an attacker to launch a stored XSS attack by sending malicious JavaScript in an HTTP request; if the attack succeeded, the attacker could then execute arbitrary code on the target service.
Microsoft quickly responded after becoming aware of the flaw and patched the vulnerability on February 17, 2021.
The CSRF vulnerability in Kudu SCM reinforces the importance of input validation in web applications. Without properly implemented input validation, attackers can leverage such a flaw to execute arbitrary code on a target computer or service.
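As an added illustration of the two defences the article points at (rejecting cross-site requests and validating a settings parameter before it is stored or rendered), the following Python handler is example code written for this page; it is not Kudu's code, and the settings schema, the `X-CSRF-Token` header name and the `example-app.scm.azurewebsites.net` origin are constructed assumptions. It checks the request's `Origin`/`Referer` and a per-session synchronizer token before the body is even parsed, then validates the JSON settings document against an allow-list so that a payload such as `<script>…</script>` can never be stored, and HTML-escapes anything echoed back as defence in depth.

```python
"""
Example hardened handler for a JSON settings endpoint (constructed for this
article, not Kudu's code). It (1) rejects cross-site requests via
Origin/Referer plus a synchronizer token and (2) validates the settings
payload against an allow-list before anything is stored or rendered.
"""
import hmac
import html
import json
import secrets

# Constructed allow-list schema for a hypothetical UI settings document.
ALLOWED_SETTINGS = {
    "theme": {"light", "dark"},       # string values
    "editorFontSize": range(8, 33),   # integers 8..32
}
MAX_BODY_BYTES = 4096


def issue_csrf_token() -> str:
    """Per-session anti-CSRF token; the server stores it and embeds it in the page."""
    return secrets.token_urlsafe(32)


def csrf_token_matches(session_token: str, submitted_token: str) -> bool:
    """Constant-time comparison so the token check does not leak timing."""
    if not session_token or not submitted_token:
        return False
    return hmac.compare_digest(session_token, submitted_token)


def request_is_same_site(headers: dict, site_origin: str) -> bool:
    """Browsers attach Origin on cross-site POSTs and a forged request from
    another site cannot spoof it. Fall back to Referer for older agents;
    absence of both is treated as cross-site."""
    origin = headers.get("Origin")
    if origin is not None:
        return origin == site_origin
    referer = headers.get("Referer", "")
    return referer.startswith(site_origin + "/")


def validate_settings(raw_body: bytes) -> dict:
    """Parse and validate a KUDU_UI_SETTINGS-style JSON object against
    ALLOWED_SETTINGS. Unknown keys, wrong types and out-of-range values
    are rejected outright; only a clean copy is returned."""
    if len(raw_body) > MAX_BODY_BYTES:
        raise ValueError("settings document too large")
    try:
        data = json.loads(raw_body.decode("utf-8"))
    except (UnicodeDecodeError, json.JSONDecodeError) as exc:
        raise ValueError(f"settings must be a UTF-8 JSON object: {exc}") from None
    if not isinstance(data, dict):
        raise ValueError("settings must be a JSON object")
    clean = {}
    for key, value in data.items():
        allowed = ALLOWED_SETTINGS.get(key)
        if allowed is None:
            raise ValueError(f"unknown setting {key!r}")
        expected_type = str if isinstance(allowed, set) else int
        # bool is a subclass of int, so exclude it explicitly for numeric settings.
        if isinstance(value, bool) or not isinstance(value, expected_type) or value not in allowed:
            raise ValueError(f"invalid value for {key!r}")
        clean[key] = value
    return clean


def handle_settings_post(headers: dict, body: bytes, session_token: str, site_origin: str):
    """Order matters: reject cross-site requests before touching the body,
    then validate the body before storing. Returns (status, detail)."""
    if not request_is_same_site(headers, site_origin):
        return 403, "cross-site request rejected"
    if not csrf_token_matches(session_token, headers.get("X-CSRF-Token", "")):
        return 403, "missing or invalid CSRF token"
    try:
        settings = validate_settings(body)
    except ValueError as exc:
        return 400, str(exc)
    return 200, settings


def render_setting(value) -> str:
    """Defence in depth: even validated values are HTML-escaped when echoed
    into a page, so a stored string can never become markup."""
    return html.escape(str(value), quote=True)


if __name__ == "__main__":
    site = "https://example-app.scm.azurewebsites.net"   # constructed origin
    token = issue_csrf_token()
    good_headers = {"Origin": site, "X-CSRF-Token": token}
    print(handle_settings_post(good_headers, b'{"theme":"dark","editorFontSize":14}', token, site))
    # A forged cross-site POST carrying a script payload is refused before parsing.
    forged_headers = {"Origin": "https://attacker.example"}
    print(handle_settings_post(forged_headers, b'{"theme":"<script>x()</script>"}', token, site))
```

The same-site check and the token check are independent layers: the `Origin` check alone stops a forged browser request, and the token alone stops it too, so a bug in one does not open the endpoint. The allow-list validation is what the article's "missing input validation" lesson is about: the handler never stores free-form strings, so there is nothing for a stored XSS payload to ride on, and `render_setting` covers the case where a value is still reflected into HTML.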
Developers should always ensure that their systems are up to date and receive regular security patches. They should also consider the use of additional security measures such as web application firewalls or intrusion prevention systems (IPS) to protect their services from potential malicious actors.
This Cyber News was published on www.securityweek.com. Publication date: Sun, 22 Jan 2023 10:48:00 +0000