[Nulled] » Information security » Microsoft, as usual, quietly fixed an important security vulnerability in the
January 16 2023

Microsoft, as usual, quietly fixed an important security

web3 16-01-2023, 11:38 Information security 203

Microsoft, as usual, quietly fixed an important security vulnerability in the Azure service (ACS) after researchers from Mnemonic discovered that the problematic function allows attacks to bypass the network between tenants.

As the researchers found out, the vulnerability allows circumventing the identification perimeter of Azure Cognitive Search instances isolated from the Internet and provides inter-client access to the ACS instance data plane from anywhere, including instances without explicit access to the network.

The error affected all instances of the Azure service with the "allow access from the portal" function activated.

By enabling this feature, clients actually allowed inter-client access to the data plane of their ACS instances from anywhere, regardless of the actual network configurations of the latter.

Moreover, this includes instances that are open exclusively on private endpoints, as well as instances without explicit access to the network, even without any private, service or public endpoint.

With a simple push of a button, customers could enable a vulnerable feature that effectively reset the entire network perimeter configured around their ACS instances without providing any real identification perimeter, allowing anyone to create a valid access token for ARM.

Microsoft paid a reward of $10,000 and raised the severity level of the bug from moderate to serious due to the ease of operation and the risk of exploitation for many users.

At some point in the disclosure process, Microsof stated that the fix was delayed because the fix required a significant design level change.

However, according to researcher Emilien Sokka, the vulnerability, dubbed ACSESSED, was still fixed by Microsoft without an official announcement at the end of August 2022, about six months after it was first reported.

Information

Visitors who are in the group Guests they can't download files.
Log in to the site under your login and password or if you are a new user go through the process registrations on the website.

Comments:

This publication has no comments yet. You can be the first!

Information the publication:

  • Author of the publication: web3
  • Date of publication: 16 January 2023 11:38
  • Publication category(s): Information security
  • Number of views of the publication: 203
  • Number of comments to the publication: 0

Related News

16 January 2023
Information security
Red Balloon Security

Red Balloon Security researchers have discovered a potentially serious unpatched vulnerability affecting many

Read more
16 January 2023
Information security
Automakers in pursuit of

Automakers in pursuit of active and passive safety at the time would like to think about information. While BMW,

Read more
16 January 2023
Information security
Microsoft's January

Microsoft's January PatchTuesday was released with fixes for a record 98 documented software vulnerabilities.

Read more
16 January 2023
Information security
The Taiwanese NAS

The Taiwanese NAS manufacturer Synology has eliminated the vulnerability of the maximum (10/10) severity in VPN

Read more
16 January 2023
Information security
Most Cacti installations

Most Cacti installations on the Internet are not fixed and are vulnerable to a critical RCE error, which is

Read more

Information

Users of 🆅🅸🆂🅸🆃🅾🆁 are not allowed to comment this publication.

Site Search

Site Menu


☑ Websites Scripts

Calendar

«    December 2024    »
MonTueWedThuFriSatSun
 1
2345678
9101112131415
16171819202122
23242526272829
3031 

Advertisement

Survey on the website

Evaluate the work of the site
 

Statistics

  • +5 Total articles 6750
  • +15 Comments 4227
  • +35 Users : 6047