Published Tue, Feb 14th, 2023
Platforms
A privilege escalation vulnerability was discovered in Azure App Service on Azure Stack Hub (an on-prem private cloud offering). To exploit this vulnerability, an attacker must have access to the targeted worker role and the ability to deploy a malicious application within the worker. The attack itself is carried out locally on the worker role where the malicious application has been deployed. Exploiting this vulnerability could grant an attacker the ability to access and modify the content of a targeted application or workload, allowing them to interact with other tenants' applications and content.
Azure App Service on Azure Stack Hub
Users of Azure App Service on Azure Stack Hub must update their instances to version 2302 by installing the patch available from Microsoft.
CVE-2023-21777
Contributed by https://github.com/mer-b
Entry Status: Finalized
Disclosure Date: -
Exploitability Period: -
Known ITW Exploitation: -
Detection Methods: None
Piercing Index Rating: -
Discovered by: Ruslan Sayfiev, Denis Faiustov, GMO Cyber Security