Check Point Software Technologies revealed today that its researchers were able to exploit a flaw to take over servers in the Microsoft Azure Cloud. The flaw, in the Azure App Service used to deploy applications, could have allowed hackers to bypass the mechanism Microsoft uses to isolate virtual machines and take control of an entire server.
The second flaw, discovered by Check Point in Azure Stack, the on-premises edition of Azure, allowed someone to take screenshots or view other sensitive information by exploiting a vulnerability in a DataService function, without needing to authenticate.
Yaniv Balmas, head of cybersecurity research for Check Point, said the flaw involved how Microsoft employed its .Net programming language to isolate virtual machines on its cloud, and that Check Point researchers were able to bypass that isolation mechanism.
Microsoft has since fixed the flaw after being notified by Check Point of its existence. However, Balmas said, because .Net is an example of a large platform based on managed code that executes at runtime, it’s almost inevitable there would be flaws. Like any platform engineered by humans, there always will be some flaw to be discovered. Check Point researchers tend to focus their efforts on large code bases that are constructed by hand, he noted.
While public clouds are more secure than the average on-premises IT environment, Balmas said it’s important for organizations to remember they are not perfect. Anything built by human developers is likely to have security flaws that cybercriminals are actively researching. In fact, there’s no way to know whether cybercriminals already discovered the same flaw that Check Point discovered on the Azure cloud, he said.
What is for certain is that given the number of application workloads being concentrated in public clouds, cybercriminals are actively trying to breach these platforms. Unfortunately, both cybercriminals and nation-states have a lot more resources at their disposal to conduct research. Research teams that find critical flaws in platforms are “rewarded” with bounties that barely cover the cost of what it takes to fund a single researcher working on an issue for a couple of months. The two flaws discovered by Check Point resulted in awards totaling $45,000. In the absence of any real financial motivation, the number of researchers proactively looking for flaws in platforms is constrained. Of course, vendors such as Microsoft will hire their own cybersecurity researchers, but as evidenced by the flaw discovered by Check Point, there always will be a need for outside assistance.
In an ideal world, cybersecurity researchers would collaborate more to help make platforms more secure. However, fostering that level of cooperation would require a significant amount of funding just to set up the infrastructure.
In the meantime, cybersecurity professionals should remind developers there is no such thing as perfect security. Cloud service providers may like to tout the security benefits of their platforms, but at the end of the day, there is no silver bullet when it comes to securing any platform that humans constructed.