Summary
Microsoft recently mitigated a set of cross-site scripting (XSS) vulnerabilities affecting Azure Bastion and Azure Container Registry (ACR). Exploitation of these vulnerabilities could have allowed an unauthorized user to gain access to a target user's session within the affected Azure service, and from there to tamper with data or modify resources. Microsoft is not aware of any exploitation of these vulnerabilities beyond the proof-of-concept provided by the reporting researcher.
These vulnerabilities were initially identified through independent testing conducted by Orca Security and reported to the Microsoft Security Response Center (MSRC) on 13 April 2023 (Azure Bastion) and 03 May 2023 (ACR). A series of fixes were developed and deployed according to our Safe Deployment Practices and completed on 24 May 2023, after which the issue is considered mitigated for both services. No further action is required from customers to remain secure.
Cross-site scripting in Azure Bastion and Azure Container Registry
Exploitation of these vulnerabilities required the target user to visit an attacker-controlled page. In Azure Bastion, the vulnerability stemmed from the Azure Network Watcher connection troubleshooter. When the connection troubleshooter test is run through Azure Bastion, it renders the network topology from Network Watcher to visualize the relationships between resources in a virtual network; that topology is exported as an SVG file. The checks that should have validated incoming SVG payloads were implemented incorrectly. An attacker could therefore host an HTML page which, when rendered in a victim's browser, would POST a malicious SVG payload that executed within the context of the Network Watcher connection troubleshooting topology view for Azure Bastion.
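The post gives only the outline of the Bastion issue: an attacker page delivers an SVG into the topology view, and the check that should have stopped it (the origin check mentioned under the fix below) was wrong. The following is an added illustration of that class of bug, not Microsoft's Network Watcher or Azure Bastion code. It models the topology view as a postMessage-style handler, which is an assumption; the trusted origin, the look-alike attacker origin and the two SVG documents are constructed for the example. It shows the two controls that matter: an exact origin comparison rather than a prefix match, and refusing any SVG that carries active content before it is ever inserted into the page.

```javascript
// Added illustrative example, not Microsoft's Network Watcher or Azure Bastion code.
// Models the topology view as a window "message" handler; all names and inputs are
// constructed for the example.

const TRUSTED_ORIGIN = "https://portal.example.com"; // assumption: the only origin allowed to send SVG

// Pattern to avoid: prefix/substring matching on event.origin. Any attacker-registered
// host whose origin string begins with the trusted value passes the check.
function isTrustedOriginWeak(origin) {
  return typeof origin === "string" && origin.startsWith(TRUSTED_ORIGIN);
}

// Correct check: exact comparison of the full origin (scheme + host + port).
function isTrustedOriginStrict(origin) {
  return origin === TRUSTED_ORIGIN;
}

// Report the kinds of active content in an SVG document that would execute once the
// document is inserted into the DOM. The handler rejects on any finding rather than
// trying to strip it: regex stripping is bypassable, and where the SVG really must be
// rendered a DOM-based sanitizer (e.g. DOMPurify) should do the cleaning.
function svgActiveContent(svgText) {
  const findings = [];
  if (/<script\b/i.test(svgText)) findings.push("script element");
  if (/\son[a-z]+\s*=/i.test(svgText)) findings.push("event handler attribute");
  if (/href\s*=\s*["']?\s*javascript:/i.test(svgText)) findings.push("javascript: URL");
  if (/<(?:foreignObject|iframe|embed|object)\b/i.test(svgText)) findings.push("embedded document element");
  return findings;
}

// Stand-in for the topology view's message handler. It returns the decision it would
// take instead of touching a DOM, so the behaviour can be checked outside a browser.
function handleTopologyMessage(event, opts = {}) {
  const originCheck = opts.originCheck || isTrustedOriginStrict;
  const rejectActive = opts.rejectActiveContent !== false;
  if (!originCheck(event.origin)) {
    return { rendered: false, reason: "untrusted origin " + event.origin };
  }
  if (rejectActive) {
    const findings = svgActiveContent(String(event.data));
    if (findings.length > 0) {
      return { rendered: false, reason: "active content: " + findings.join(", ") };
    }
  }
  return { rendered: true, svg: String(event.data) };
}

// Constructed inputs.
const BENIGN_SVG = '<svg xmlns="http://www.w3.org/2000/svg"><rect width="10" height="10"/></svg>';
const MALICIOUS_SVG = '<svg xmlns="http://www.w3.org/2000/svg" onload="alert(document.cookie)"><script>alert(1)</script></svg>';
const LOOKALIKE_ORIGIN = "https://portal.example.com.attacker.example";

function demo() {
  const attack = { origin: LOOKALIKE_ORIGIN, data: MALICIOUS_SVG };
  return {
    // Weak origin check and no content check: the look-alike origin gets its payload rendered.
    legacy: handleTopologyMessage(attack, { originCheck: isTrustedOriginWeak, rejectActiveContent: false }),
    // Strict origin check alone stops the look-alike origin.
    strictOrigin: handleTopologyMessage(attack),
    // Even a message from the trusted origin is refused if the SVG carries active content.
    trustedButActive: handleTopologyMessage({ origin: TRUSTED_ORIGIN, data: MALICIOUS_SVG }),
    trustedBenign: handleTopologyMessage({ origin: TRUSTED_ORIGIN, data: BENIGN_SVG }),
  };
}

console.log(JSON.stringify(demo(), null, 2));
```

The two checks are independent layers: the origin check limits who may send a topology at all, and the content check means a message from the trusted origin cannot smuggle script either, which matters if that origin ever renders attacker-influenced data itself.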
In the case of Azure Container Registry, the vulnerability existed in an HTML code snippet in an unused web page as part of ACR’s Azure Portal extension. Orca’s testing identified the HTML file that allowed for code injection.
Microsoft released a series of fixes that addressed the root cause for both Azure Bastion and Azure Container Registry. For Azure Bastion, the Network Watcher file whose origin check was implemented incorrectly was updated to remove the vulnerable line of code. For Azure Container Registry, the ACR engineering team removed the file after determining that the HTML page was legacy code not used by the current Azure Portal experience. The team also added checks to its build pipeline to detect and clean up other potentially unused HTML pages.
Defense-in-Depth: Proactive detection of XSS at Microsoft
Beyond the mitigation steps taken in this case, Microsoft continues to invest in strategies to prevent issues like cross-site scripting from occurring in the future. For example, as a result of these cases in Azure Bastion and ACR, security engineers updated our internal CodeQL rules to improve our XSS scanning across all of our products and services.
Additionally, whenever a new vulnerability is reported by internal or external researchers, Microsoft security teams conduct thorough variant hunting to look for the same class of issue in products and services beyond the one initially reported. This effort is further augmented by our continually evolving CodeQL scanning, so that multiple attack vectors are accounted for.
Long-term, Microsoft security teams are driving adoption of more comprehensive content security policies (CSP) across our large portfolio of products and services. Stricter policies minimize the surface area for cross-site scripting: even where an injection slips past input validation, a policy that forbids inline and untrusted script stops the injected code from executing.
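What "more rigorous" means in practice is a policy that controls script execution rather than just listing hosts. The following is an added example, not a Microsoft policy or tool: a small evaluator for the script-related settings in a Content-Security-Policy header value, applied to a constructed permissive policy and a constructed hardened one. The nonce value in the hardened policy is a placeholder; a real deployment generates a fresh nonce per response.

```javascript
// Added example, not a Microsoft tool. Evaluates a CSP header value for the settings
// that decide whether injected script can run. Sample policies are constructed.

// Parse "name v1 v2; name2 v3" into a Map. As in browsers, a repeated directive name
// is ignored after its first occurrence.
function parseCsp(header) {
  const directives = new Map();
  for (const part of header.split(";")) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const [name, ...values] = tokens;
    const key = name.toLowerCase();
    if (!directives.has(key)) directives.set(key, values);
  }
  return directives;
}

// Return a list of weaknesses relevant to XSS. An empty list means script execution is
// restricted to nonce/hash-marked scripts (or a strict allow-list) with no loopholes
// through object-src or base-uri.
function cspWeaknesses(header) {
  const d = parseCsp(header);
  const findings = [];
  const script = d.get("script-src") || d.get("default-src");
  if (!script) {
    findings.push("no script-src or default-src: scripts from any origin are allowed");
    return findings;
  }
  const hasNonceOrHash = script.some((v) => /^'(nonce-|sha(256|384|512)-)/.test(v));
  const strictDynamic = script.includes("'strict-dynamic'");
  // CSP3 browsers ignore 'unsafe-inline' when a nonce or hash is present, so it is only
  // a weakness on its own.
  if (script.includes("'unsafe-inline'") && !hasNonceOrHash) {
    findings.push("'unsafe-inline' in script-src without a nonce or hash: injected inline scripts run");
  }
  if (script.includes("'unsafe-eval'")) {
    findings.push("'unsafe-eval' in script-src: eval/Function on attacker-influenced strings run");
  }
  // With 'strict-dynamic' plus a nonce, host sources are ignored, so wildcards are moot.
  if (!(strictDynamic && hasNonceOrHash)) {
    if (script.some((v) => v === "*" || v === "https:" || v === "http:")) {
      findings.push("wildcard scheme or host in script-src: any site can host an allowed script");
    } else if (script.some((v) => v.includes("*"))) {
      findings.push("wildcard host pattern in script-src: every subdomain can serve script");
    }
  }
  if (script.includes("data:")) {
    findings.push("data: in script-src: inline payloads via data URLs run");
  }
  const defaultSrc = d.get("default-src") || [];
  if (!d.has("object-src") && !defaultSrc.includes("'none'")) {
    findings.push("object-src not restricted: plugin content can be used to run script");
  }
  if (!d.has("base-uri")) {
    findings.push("no base-uri: an injected <base> tag can redirect relative script URLs");
  }
  return findings;
}

// Constructed policies: a common permissive form and a hardened nonce-based form.
const PERMISSIVE_CSP = "default-src 'self'; script-src 'self' 'unsafe-inline' https://*.example.com; img-src *";
const HARDENED_CSP =
  "default-src 'none'; script-src 'nonce-r4nd0m' 'strict-dynamic'; connect-src 'self'; " +
  "img-src 'self'; style-src 'self'; object-src 'none'; base-uri 'none'; frame-ancestors 'none'";

console.log("permissive:", cspWeaknesses(PERMISSIVE_CSP));
console.log("hardened:", cspWeaknesses(HARDENED_CSP));
```

The permissive policy looks reasonable at a glance (it names its own origin and one vendor domain) but still lets any reflected or DOM-injected inline script run; the hardened policy makes an injection inert unless the attacker can also guess the per-response nonce.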
Conclusion
In summary:
- Orca Security reported two cross-site scripting vulnerabilities to MSRC, one affecting Azure Bastion (reported on 13 April 2023) and another affecting Azure Container Registry (reported on 03 May 2023).
- Both vulnerabilities were mitigated by 24 May 2023 and no additional action is required of Azure customers to remain secure.
- Microsoft has no evidence of these vulnerabilities being exploited in a way that affects Azure customers. These vulnerabilities were demonstrated as proof-of-concept by Orca and reproduced by Microsoft security teams before being mitigated.
- Microsoft continues to invest in proactive efforts to identify, mitigate, and prevent cross-site scripting across our services, including improvements to our scanning queries, proactive variant hunting, and enforcement of more rigorous content security policies.
We appreciate the opportunity to investigate the findings reported by Orca and thank them for their continued collaboration. We encourage all researchers to work with vendors under Coordinated Vulnerability Disclosure (CVD) and abide by the rules of engagement for penetration testing to avoid impacting customer data while conducting security research. Researchers who report security issues to the Microsoft Security Response Center (MSRC) are eligible to participate in Microsoft’s Bug Bounty Program.
Learn more about how Microsoft secures our cloud infrastructure and keeps customer data secure here. Get notified when a potential security event impacts your Azure resources by configuring Service Health alerts in the Azure Portal.
Additional Resources
- Orca Security blog