Privacy Ninja

Microsoft Fixes Dozens of Azure Site Recovery Privilege Escalation Bugs

Microsoft has fixed 32 vulnerabilities in the Azure Site Recovery suite that could have allowed attackers to gain elevated privileges or perform remote code execution.

Azure Site Recovery (ASR) is a disaster recovery service that automatically fails over workloads to secondary locations when a problem is detected.

As part of the July 2022 Patch Tuesday, Microsoft fixed 84 flaws, with the Azure Site Recovery vulnerabilities accounting for more than a third of the bugs fixed today.

Of the thirty-two vulnerabilities fixed in Azure Site Recovery, two allow remote code execution, and a whopping thirty vulnerabilities allow for elevation of privileges.

In an advisory released today, Microsoft states that SQL injection vulnerabilities caused most of the privilege escalation bugs. 

However, Microsoft also highlighted CVE-2022-33675, a DLL hijacking vulnerability discovered by Tenable.

A DLL hijacking flaw

The DLL hijacking flaw is tracked as CVE-2022-33675 and has a CVSS v3 severity rating of 7.8. It was discovered by researchers at Tenable, who disclosed it to Microsoft on April 8, 2022.

DLL hijacking attacks exploit insecure permissions on folders that Windows searches when loading the DLLs an application requires at launch.

To perform the attack, a threat actor can create a custom, malicious DLL using the same name as a regular DLL loaded by the Azure Site Recovery application. This malicious DLL is then stored in a folder that Windows searches, causing it to be loaded and executed when the application starts.

According to Tenable, the “cxprocessserver” service of ASR runs with SYSTEM level privileges by default, and its executable lies in a directory that has been incorrectly set to allow ‘write’ permissions to any user.

[Figure: Wrong permissions on ASR directory (Tenable)]

This makes it possible for normal users to plant a malicious DLL (ktmw32.dll) in the directory. When the ‘cxprocessserver’ process is started, it loads the malicious DLL and executes its code with SYSTEM privileges.

“DLL hijacking is quite an antiquated technique that we don’t often come across these days. When we do, the impact is often quite limited due to a lack of security boundaries being crossed,” explains Tenable’s James Sebree in a writeup about the bug.

“In this case, however, we were able to cross a clear security boundary and demonstrated the ability to escalate a user to SYSTEM level permissions, which shows the growing trend of even dated techniques finding a new home in the cloud space due to added complexities in these sorts of environments.”

Potential implications

By acquiring admin-level privileges on a target system, an attacker would be free to change the OS security settings, make changes to user accounts, access all files on the system without restrictions, and install additional software.

Considering how widely ASR is used in corporate environments that rely on uninterrupted cloud applications and services, it could serve as a crucial weak point in network intrusions.

Tenable highlights the scenario of ransomware attacks where the threat actors could leverage CVE-2022-33675 to wipe backups and make free data restoration impossible. However, this is just one of the many examples.

Microsoft has also published an advisory to provide an overview of all the issues fixed in ASR this month, mentioning SQL injection and remote code execution in the impact section.

For these attacks, administrative credentials on the VMs are required; hence, CVE-2022-33675 can’t be used as a funnel to widen the scope of impact, but it could help lay the ground for acquiring those credentials on the target.

To address all security issues, make sure to apply this month’s updates. Those who can’t apply the patches could mitigate the risk by manually changing the write permission setting on the impacted directory.
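The two conditions the article describes (a service running as SYSTEM, and a broad local group holding write rights on that service's executable directory) are easy to audit on any Windows host. The script below is an added example written for this page; it is not code from the article, Tenable or Microsoft, and it uses no ASR-specific paths. It assumes an elevated PowerShell session so every service directory's ACL can be read, and it identifies principals by well-known SID rather than by (possibly localised) group name. The repair function mirrors the manual workaround the article mentions, restricting the flagged principal to read and execute on the directory, and only shows the icacls commands unless -Apply is given.

```powershell
# Added example (not from the article, Tenable or Microsoft): audit services
# for the pattern behind CVE-2022-33675 and tighten the directory ACL.
# Run from an elevated PowerShell prompt.

# Well-known SIDs that effectively mean "any local user".
$BroadPrincipals = @{
    'S-1-1-0'      = 'Everyone'
    'S-1-5-11'     = 'Authenticated Users'
    'S-1-5-32-545' = 'BUILTIN\Users'
}

# Rights that let a principal create, replace or delete files in a directory.
# CreateFiles is what planting a DLL needs; Write/Modify/FullControl include it.
$WriteMask = [System.Security.AccessControl.FileSystemRights] `
    'CreateFiles, AppendData, Delete, DeleteSubdirectoriesAndFiles, ChangePermissions, TakeOwnership'

function Get-ServiceExecutablePath {
    # Win32_Service.PathName is the full command line (possibly quoted, with
    # arguments); return only the executable path.
    param([string]$PathName)
    if ($PathName -match '^\s*"([^"]+)"')  { return $Matches[1] }
    if ($PathName -match '^\s*(\S+\.exe)') { return $Matches[1] }
    return ($PathName -split '\s+')[0]
}

function Find-WritableSystemServiceDirs {
    # One record per (service, directory, principal) where a LocalSystem
    # service's executable directory grants write-class rights to a broad group.
    [CmdletBinding()]
    param([string]$ServiceName = '*')   # default: audit every service

    Get-CimInstance -ClassName Win32_Service |
        Where-Object { $_.Name -like $ServiceName -and $_.StartName -eq 'LocalSystem' } |
        ForEach-Object {
            $svc = $_
            $dir = Split-Path -Parent (Get-ServiceExecutablePath $svc.PathName)
            if (-not $dir -or -not (Test-Path -LiteralPath $dir)) { return }

            $acl = Get-Acl -LiteralPath $dir
            foreach ($ace in $acl.Access) {
                if ($ace.AccessControlType -ne 'Allow') { continue }
                try {
                    $sid = $ace.IdentityReference.Translate(
                        [System.Security.Principal.SecurityIdentifier]).Value
                } catch { continue }   # orphaned or unresolvable identity
                if (-not $BroadPrincipals.ContainsKey($sid)) { continue }
                if (($ace.FileSystemRights -band $WriteMask) -eq 0) { continue }

                [pscustomobject]@{
                    Service   = $svc.Name
                    RunsAs    = $svc.StartName
                    Directory = $dir
                    Principal = $BroadPrincipals[$sid]
                    Sid       = $sid
                    Rights    = $ace.FileSystemRights
                    Inherited = $ace.IsInherited   # inherited ACEs need /inheritance:d first
                }
            }
        }
}

function Repair-ServiceDirectoryAcl {
    # Restrict one flagged principal to read+execute on the directory so the
    # service still starts but the group can no longer drop files into it.
    param(
        [Parameter(Mandatory)][string]$Directory,
        [Parameter(Mandatory)][string]$Sid,
        [switch]$Apply
    )
    $argSets = @(
        # Inherited ACEs cannot be edited in place: make them explicit first.
        @($Directory, '/inheritance:d'),
        # /grant:r replaces the principal's explicit rights; (OI)(CI) applies
        # the new RX entry to files and subfolders too.
        @($Directory, '/grant:r', "*${Sid}:(OI)(CI)RX")
    )
    foreach ($a in $argSets) {
        if ($Apply) { & icacls @a }
        else        { Write-Output ('icacls ' + ($a -join ' ')) }
    }
}

# Usage: audit, review the findings, then fix only what was flagged.
$findings = Find-WritableSystemServiceDirs
$findings | Format-Table -AutoSize
foreach ($f in ($findings | Sort-Object Directory, Sid -Unique)) {
    Repair-ServiceDirectoryAcl -Directory $f.Directory -Sid $f.Sid   # add -Apply to enforce
}
```

Two points worth checking before applying the repair: disabling inheritance is a lasting change to that directory, so review the resulting ACL with `icacls <dir>` afterwards; and a directory placed directly under the system drive root commonly inherits a Modify entry for Authenticated Users, which is exactly the kind of finding this audit reports and the reason service installers should live under Program Files or another administrator-only path.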
