high

Azure Cloud Shell access token theft

Published Tue, Sep 20th, 2022

Platforms

azure

Summary

An issue in Azure Cloud Shell could have allowed an attacker to take over an Azure App Service domain and leverage it to inject and execute commands in other tenants' terminals if they navigated to the domain while logged into their account. Using this method, an attacker could query the Azure IMDS on other tenants' behalf and thereby obtain their access tokens.

Affected Services

Cloud Shell

Remediation

None required.

Tracked CVEs

No tracked CVEs

References

https://blog.lightspin.io/azure-cloud-shell-command-injection-stealing-users-access-tokens

Contributed by https://github.com/mer-b

Entry Status

Finalized

Disclosure Date

Sat, Aug 20th, 2022

Exploitability Period

-

Known ITW Exploitation

-

Detection Methods

None

Piercing Index Rating

9.17

(PI:1.5/A1:22/A2:1.21/A7:0.9/A8:1.1)

Discovered by

Gafnit Amiga, Lightspin

More vulnerabilities...

high

AttachMe

oci

Any unattached storage volume, or attached storage volumes allowing multi-attachment, could have been read from or written to as long as an attacker knew their Oracle Cloud Identifier (OCID), allow...

Elad Gabay, Wiz
medium

Synapse Spark LPE

azure

Azure Synapse Analytics is an analytics service for processing data using various runtimes, among them Apache Spark. Synapse provided users the capability to mount Azure File Shares to their Apache...

Tzah Pahima, Orca Security
medium

SNS SigningCertUrl improper validation

aws

Amazon SNS' signature validation in the official SDK relied on a weak regex for default AWS certificate locations, that would incorrectly match an S3 bucket named `sns`. This bucket happened to be...

Eugene Lim
View all