The July 2022 Patch Tuesday cumulative update fixed dozens of serious vulnerabilities found in an Azure disaster recovery service, Microsoft has revealed.
The company recently published a detailed breakdown of the July 2022 Patch Tuesday update, which addressed a total of 84 vulnerabilities, including in the Azure Site Recovery, a disaster-recovery tool that automatically switches workloads to a different location in case of an emergency, and which has had 32 vulnerabilities patched.
Of those 32, two allowed potential remote code execution, while the remaining 30 allowed threat actors to elevate their privileges.
Running malicious DLLs
Most of the privilege escalation flaws were caused by SQL injection vulnerabilities, Microsoft explained, adding that there were DLL hijacking vulnerabilities discovered, as well.
The latter, discovered by vulnerability management experts Tenable, is tracked as CVE-2022-33675, and comes with a severity score of 7.8.
As reported by BleepingComputer, these types of vulnerabilities are caused by insecure permissions on folders that the OS searches, and loads DLLs, when launching an app.
In theory, the attacker can create a malicious DLL with the same name as the legitimate DLL the Azure Site Recovery application runs, and have the app run it.
“DLL hijacking is quite an antiquated technique that we don’t often come across these days. When we do, the impact is often quite limited due to a lack of security boundaries being crossed,” Tenable explained in a blog post.
“In this case, however, we were able to cross a clear security boundary and demonstrated the ability to escalate a user to SYSTEM level permissions, which shows the growing trend of even dated techniques finding a new home in the cloud space due to added complexities in these sorts of environments.”
Once the attackers gain elevated privileges on an endpoint (opens in new tab), they can change important OS settings, allowing them to extract sensitive files, deploy malware and ransomware, or spy on the users.
