Advisory Details

June 6th, 2024

Microsoft Azure SQL Managed Instance Documentation SAS Token Incorrect Permission Assignment Authentication Bypass Vulnerability

ZDI-24-581
ZDI-CAN-22281

CVE ID
CVSS SCORE 10.0, AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
AFFECTED VENDORS Microsoft
AFFECTED PRODUCTS Azure
VULNERABILITY DETAILS

This vulnerability allows remote attackers to bypass authentication on Microsoft Azure. Authentication is not required to exploit this vulnerability.

The specific flaw exists within the permissions granted to an SAS token. An attacker can leverage this vulnerability to launch a supply-chain attack and execute arbitrary code on customers' endpoints.

ADDITIONAL DETAILS Microsoft has issued an update to correct this vulnerability. More details can be found at:
https://msrc.microsoft.com/update-guide/en-us/acknowledgement/online
DISCLOSURE TIMELINE
  • 2023-10-03 - Vulnerability reported to vendor
  • 2024-06-06 - Coordinated public release of advisory
  • 2024-06-07 - Advisory Updated
CREDIT Nitesh Surana (@_niteshsurana) of Trend Micro Research
BACK TO ADVISORIES