Cloud security firm Orca has highlighted the presence of two cross-site scripting (XSS) vulnerabilities in Azure Bastion and Azure Container Registry (ACR), posing risks of unauthorized access, data tampering, and service disruptions. These vulnerabilities, which were resolved in April and May 2023, exploited a weakness in the postMessage iframe, enabling attackers to embed endpoints within remote servers and execute malicious JavaScript code.
Furthermore, Azure Bastion, a secure gateway for accessing virtual machines, contained a vulnerability in the Azure Network Watcher connection troubleshooter, while ACR’s vulnerability resided in an HTML code snippet in an unused web page.
Additionally, incorrectly implemented validation checks in Azure Bastion allowed attackers to create an HTML page that, when viewed by victims, could execute arbitrary code. Orca identified multiple security weaknesses that facilitated the automation of a malicious SVG payload on behalf of victims. In the case of Azure Container Registry, a vulnerable HTML file in the Azure Portal extension provided an avenue for code injection.
At the same time, Orca promptly reported the XSS vulnerabilities to Microsoft, resulting in remediation actions. Microsoft addressed the Azure Bastion vulnerability by updating the Network Watcher file to eliminate the vulnerable code.
Finally, for Azure Container Registry, the ACR engineering team removed the vulnerable file, recognizing that the affected HTML page was legacy code and not currently utilized in the Azure Portal experience. Microsoft stated that it has no evidence of these vulnerabilities being exploited beyond the proof-of-concept code shared by Orca.
