Two new major security vulnerabilities were found in Microsoft Azure that could lead to disastrous consequences if left unpatched (CVE-2019-1234 and CVE-2019-1372):
There are two vulnerabilities here. The first is a modest software bug that can be pushed hard to crash a system and escalate that crash to secure user privileges. And the second in a lack of security on a relatively arbitrary shared service that can be manipulated to break out of a user’s own part of the cloud infrastructure and onto the common shared hardware. That great advantage of the cloud, using only what you need, just when you need it, means you are a tenant in a server version of an apartment block. Check Point’s exploit built a master key for all the other apartments in that block.
Balmas fills in the gaps in terms of what this means. “We can break the isolation of Azure’s functions—now I can see everybody else’s functions. Anyone using Azure will be impacted—that means millions of users.” In addition to storing vast volumes of data in those isolated chambers, the cloud also runs countless programs. As a user, or “tenant,” you drop your code onto your cloud resource and it does the rest, running the program to order. Breaking that isolation enabled Check Point to access other tenants’ code running on any shared Azure server on which it was a tenant.
It is vital for any Azure users to ensure they patch their virtual machines. Failure to do so could lead to fatal consequences, a severe data breach, data destruction, being locked out of the VM, and more. Do not waste any time and apply the patches ASAP.