critical

Azure App Service RCE

Published Thu, Jan 30th, 2020
Platforms

Summary

A vulnerability in App Service could allow an unprivileged function run by the user to execute code in the context of NT AUTHORITY\system, thereby escaping the sandbox. This vulnerability allowed cross-account access when using the Free/Shared tier.

Affected Services

App Service

Remediation

Azure Cloud: none required; Azure Stack / Windows Azure Pack Web Sites V2: manual update

Tracked CVEs

CVE-2019-1372

References

Disclosure Date
Tue, Oct 8th, 2019
Exploitability Period
-
Known ITW Exploitation
-
Detection Methods
-
Discovered by
Ronen Shustin, Check Point