high

XSS in Azure Bastion and Container Registry

Published Wed, Jun 14th, 2023
Platforms

Summary

Orca discovered vulnerabilities in Azure Bastion and Azure Container Registry that could have enabled an attacker to achieve Cross-Site Scripting (XSS) by using iframe postMessages. The vulnerabilities allowed endpoints of these services to be embedded, using the iframe tag, in pages hosted on remote attacker-controlled servers, thereby granting unauthorized access to the victim’s session in the affected service if they were tricked into navigating to an attacker-controlled website. The root cause was that certain web pages in the Bastion and Container Registry customer-facing portals could be embedded as iframes by remote servers: they did not use mitigations such as the X-Frame-Options header or the frame-ancestors directive in a Content Security Policy (CSP), which would have prevented these issues.
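The check below is an added example, not code from Orca or Microsoft: it evaluates a response's X-Frame-Options and CSP frame-ancestors headers to decide whether a given origin may frame the page, which is the control the summary names as missing. The function names and all origins are hypothetical; it assumes a single level of embedding, lowercase origins, and source expressions written with an explicit scheme and no port or path.

```javascript
// Added example: would a browser let `embedder` frame a page served from
// `pageOrigin` with these response headers? All origins used are constructed.
function sourceMatches(src, embedder, pageOrigin) {
  if (src === "*") return true;
  if (src === "'self'") return embedder === pageOrigin;
  if (src.endsWith(":")) return embedder.startsWith(src + "//"); // scheme-source, e.g. https:
  const m = /^([a-z][a-z0-9+.-]*:\/\/)\*\.(.+)$/.exec(src);      // e.g. https://*.example.com
  if (m) return embedder.startsWith(m[1]) && embedder.endsWith("." + m[2]);
  return embedder === src; // exact origin; 'none' never equals an origin, so it matches nothing
}

// Returns the frame-ancestors source list, or null when the directive is absent.
function frameAncestors(csp) {
  for (const directive of csp.split(";")) {
    const [name, ...sources] = directive.trim().split(/\s+/);
    if (name.toLowerCase() === "frame-ancestors") {
      return sources.map((s) => s.toLowerCase());
    }
  }
  return null;
}

function canBeFramedBy(headers, pageOrigin, embedder) {
  const h = {};
  for (const [k, v] of Object.entries(headers)) h[k.toLowerCase()] = v;

  const csp = h["content-security-policy"];
  const sources = csp ? frameAncestors(csp) : null;
  if (sources !== null) {
    // When frame-ancestors is present it takes precedence over X-Frame-Options.
    return sources.some((s) => sourceMatches(s, embedder, pageOrigin));
  }

  // default-src does not act as a fallback for frame-ancestors, so a CSP
  // without that directive leaves only X-Frame-Options to restrict framing.
  const xfo = (h["x-frame-options"] || "").trim().toUpperCase();
  if (xfo === "DENY") return false;
  if (xfo === "SAMEORIGIN") return embedder === pageOrigin;
  return true; // no header, or obsolete ALLOW-FROM: frameable from any origin
}
```

A response for which `canBeFramedBy` returns `true` for an unrelated origin is one whose postMessage handlers can be reached from a page on that origin.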

Affected Services

Azure Bastion, Azure Container Registry

Remediation

None required

Tracked CVEs

No tracked CVEs

References

Disclosure Date
Thu, Apr 13th, 2023
Exploitability Period
-
Known ITW Exploitation
-
Detection Methods
-
Piercing Index Rating
8.63
(PI:1.5/A1:20/A2:1.1/A7:1.1/A8:0.9)
Discovered by
Lidor Ben Shitrit, Orca Security