fbpx
Frame-14

Privacy Ninja

        • DATA PROTECTION

        • CYBERSECURITY

        • Penetration Testing

          Secure your network against various threat points. VA starts at only S$1,000, while VAPT starts at S$4,000. With Price Beat Guarantee!

        • API Penetration Testing
        • Enhance your digital security posture with our approach that identifies and addresses vulnerabilities within your API framework, ensuring robust protection against cyber threats targeting your digital interfaces.

        • On-Prem & Cloud Network Penetration Testing
        • Boost your network’s resilience with our assessment that uncovers security gaps, so you can strengthen your defences against sophisticated cyber threats targeting your network

        • Web Penetration Testing
        • Fortify your web presence with our specialised web app penetration testing service, designed to uncover and address vulnerabilities, ensuring your website stands resilient against online threats

        • Mobile Penetration Testing
        • Strengthen your mobile ecosystem’s resilience with our in-depth penetration testing service. From applications to underlying systems, we meticulously probe for vulnerabilities

        • Cyber Hygiene Training
        • Empower your team with essential cybersecurity knowledge, covering the latest vulnerabilities, best practices, and proactive defence strategies

        • Thick Client Penetration Testing
        • Elevate your application’s security with our thorough thick client penetration testing service. From standalone desktop applications to complex client-server systems, we meticulously probe for vulnerabilities to fortify your software against potential cyber threats.

        • Source Code Review
        • Ensure the integrity and security of your codebase with our comprehensive service, meticulously analysing code quality, identifying vulnerabilities, and optimising performance for various types of applications, scripts, plugins, and more

        • Email Spoofing Prevention
        • Check if your organisation’s email is vulnerable to hackers and put a stop to it. Receive your free test today!

        • Email Phishing Excercise
        • Strengthen your defense against email threats via simulated attacks that test and educate your team on spotting malicious emails, reducing breach risks and boosting security.

        • Cyber Essentials Bundle
        • Equip your organisation with essential cyber protection through our packages, featuring quarterly breached accounts monitoring, email phishing campaigns, cyber hygiene training, and more. LAUNCHING SOON.

Microsoft Fixes Dozens of Azure Site Recovery Privilege Escalation Bugs

Microsoft Fixes Dozens of Azure Site Recovery Privilege Escalation Bugs

Microsoft has fixed 32 vulnerabilities in the Azure Site Recovery suite that could have allowed attackers to gain elevated privileges or perform remote code execution.

The Azure Site Recovery service is a disaster recovery service that will automatically fail-over workloads to secondary locations when a problem is detected. 

As part of the July 2022 Patch Tuesday, Microsoft fixed 84 flaws, with Azure Site Recovery vulnerability accounting for more than a third of the bugs fixed today.

Of the thirty-two vulnerabilities fixed in Azure Site Recovery, two allow remote code execution, and a whopping thirty vulnerabilities allow for elevation of privileges.

Also Read: The necessity of a data protection plan for businesses in Singapore

In an advisory released today, Microsoft states that SQL injection vulnerabilities caused most of the privilege escalation bugs. 

However, Microsoft also highlighted a CVE-2022-33675 vulnerability caused by a DLL hijacking vulnerability discovered by Tenable.

A DLL hijacking flaw

The DLL hijacking flaw is tracked as CVE-2022-33675 and has a CVSS v3 severity rating of 7.8. It was discovered by researchers at Tenable, who disclosed it to Microsoft on April 8, 2022.

DLL hijacking attacks exploit vulnerabilities caused by insecure permission on folders that a Windows OS searches and loads DLLs required when an application is launched.

To perform the attack, a threat actor can create a custom, malicious DLL using the same name as a regular DLL loaded by the Azure Site Recovery application. This malicious DLL is then stored in a folder that Windows searches, causing it to be loaded and executed when the application starts.

According to Tenable, the “cxprocessserver” service of ASR runs with SYSTEM level privileges by default, and its executable lies in a directory that has been incorrectly set to allow ‘write’ permissions to any user.

Wrong permissions on ASR directory
Wrong permissions on ASR directory (Tenable)

This makes it possible for normal users to plant malicious DLLs (ktmw32.dll) in the directory. Now, when the ‘cxprocessserver’ process is started, it will load the malicious DLL and execute any of its commands with SYSTEM privileges.

Also Read: Tools for penetration testing to choose from

“DLL hijacking is quite an antiquated technique that we don’t often come across these days. When we do, the impact is often quite limited due to a lack of security boundaries being crossed,” explains Tenable’s James Sebree in a writeup about the bug.

“In this case, however, we were able to cross a clear security boundary and demonstrated the ability to escalate a user to SYSTEM level permissions, which shows the growing trend of even dated techniques finding a new home in the cloud space due to added complexities in these sorts of environments.”

Potential implications

By acquiring admin-level privileges on a target system, an attacker would be free to change the OS security settings, make changes to user accounts, access all files on the system without restrictions, and install additional software.

Considering how widely ASR is used in corporate environments that rely on uninterrupted cloud applications and services, it could serve as a crucial weak point in network intrusions.

Tenable highlights the scenario of ransomware attacks where the threat actors could leverage CVE-2022-33675 to wipe backups and make free data restoration impossible. However, this is just one of the many examples.

Microsoft has also published an advisory to provide an overview of all the issues fixed in ASR this month, mentioning SQL injection and remote code execution in the impact section.

For these attacks, administrative credentials on the VMs are required; hence, CVE-2022-33675 can’t be used as a funnel to widen the scope of impact, but it could help lay the ground for acquiring those credentials on the target.

To address all security issues, make sure to apply this month’s updates. Those who can’t apply the patches could mitigate the risk by manually changing the write permission setting on the impacted directory.

0 Comments

KEEP IN TOUCH

Subscribe to our mailing list to get free tips on Data Protection and Data Privacy updates weekly!

Personal Data Protection

REPORTING DATA BREACH TO PDPC?

We have assisted numerous companies to prepare proper and accurate reports to PDPC to minimise financial penalties.
×

Hello!

Click one of our contacts below to chat on WhatsApp

× Chat with us