“This is a cloud security nightmare,” Check Point’s Yaniv Balmas tells me. “It undermines the concept of cloud security. You can’t prevent it, you can’t protect yourself. The only one who can is the cloud provider.” In this case that’s Microsoft, provider of the hyperscale Azure platform. Check Point is on a roll, with a string of vulnerability disclosures in recent months. We’ve had WhatsApp, TikTok and Zoom. Now it’s Microsoft’s turn. “We thought it would be good to find weak points in the integrated security in the cloud,” Balmas explains. “We chose Azure as our target.”
Microsoft quickly fixed the vulnerability when Check Point approached them in the fall, and customers who have patched their systems are now safe. The vulnerability is as punchy as it gets, “a perfect 10.0,” Balmas says, referring to the CVE score on Microsoft’s disclosure in October. “It’s huge—I can’t even start to describe how big it is.” The reason for the hyperbole is that Balmas says his team found the first remote code execution (RCE) exploit on a major cloud platform. One user could break the cloud isolation separating themselves and others, intercepting code, manipulating programs. That isolation is the basis of cloud security, enabling the safe sharing of common hardware.
There was no detail when Microsoft patched the flaw, just a short explainer. “An attacker who successfully exploited this vulnerability could allow an unprivileged function run by the user to execute code,” the company said at the time, “thereby escaping the Sandbox.” This week, Microsoft confirmed Check Point’s report, telling me that “we released updates to address these issues in 2019.” The spokesperson added that “customers who have applied the updates are protected,” as covered at CVE-2019-1372 and CVE-2019-1234.
There are two vulnerabilities here. The first is a modest software bug that can be pushed hard to crash a system, and that crash can then be escalated to gain user privileges. The second is a lack of security on a relatively arbitrary shared service within a shared virtual machine, which can be manipulated to break out of a user’s own part of the cloud infrastructure and onto the common shared hardware. That great advantage of the cloud, using only what you need, just when you need it, means you are a tenant in a server version of an apartment block. Check Point’s exploit built a master key for all the other apartments in that block.
Microsoft Azure operates different service plans that share or dedicate virtual machines, and even offers single-tenant machines for enhanced security. According to Check Point, the core vulnerability allowed them to “compromise Microsoft’s App Service infrastructure” on any plan with shared hardware, and to compromise other tenants’ apps and data where isolation is in place within virtual machines. Although production environments are not recommended on the lower tiers, Check Point told me that this recommendation is often ignored.
Balmas fills in the gaps in terms of what this means. “We can break the isolation of Azure’s functions—now I can see everybody else’s functions. Anyone using Azure will be impacted—that means millions of users.” In addition to storing vast volumes of data in those isolated chambers, the cloud also runs countless programs. As a user, or “tenant,” you drop your code onto your cloud resource and it does the rest, running the program to order. Breaking that isolation enabled Check Point to access other tenants’ code running on any shared Azure virtual machine on which it was a tenant.
“The code runs in the cloud,” Balmas says, “and that drives transactions and accesses sensitive data. It’s relying on the cloud to provide the security. But now I can see those transactions, modify them, delete them.”
On one level this is opportunistic: you can’t determine who might be sharing the specific Azure machine on which you are allocated tenant space. “Yes,” Balmas says, “but I can do this 100 times. I can inspect all the code passing by, I can see the tenants, I can see their code.” As such, the vulnerability can be industrialised and even targeted. “I can automate the process, plant my trojan inside the cloud infrastructure to do the work for me.” That trojan can even be directed to look for specific code linked to a specific institution.
Check Point did not attack the cloud itself, but used the offline Azure Stack, a near-perfect replica of the cloud environment. With the vulnerabilities detected, they then confirmed with Microsoft that the same ones would apply to the cloud itself. Yes, said Microsoft, patching the holes and paying Check Point a bounty.
Forget the specifics of this RCE: this report is about the shared security over which users have no visibility or control. In this instance Microsoft acted swiftly. “They were amazing,” Balmas says. But he also stresses that “the takeaway here is that the big cloud concept of security free from vulnerabilities is wrong. That’s what we showed. It can happen there as well. It’s just software and software has bugs. The fact I can then control the infrastructure gives me unlimited power.”