Microsoft Mitigates Azure Site Recovery Vulnerabilities

msrc-blog

Summary:

Microsoft recently mitigated a set of vulnerabilities in Azure Site Recovery (ASR) and released fixes today, July 12, as part of our regular Update Tuesday cycle. These vulnerabilities affect all ASR on-premises customers using a VMware/Physical to Azure scenario and are fixed in the latest ASR 9.49 release. We recommend customers update to the latest version of ASR at https://aka.ms/upgrade-to-9.49 to remain secure.

Microsoft is not aware of any exploitation of these vulnerabilities, which only impact replication capabilities, not customer workloads. There is also no risk of cross-tenant data exposure since this is an on-premises offering.

In addition, these CVEs are contingent on an attacker compromising legitimate credentials in your ASR on-premises environment. If you believe you are impacted by this set of vulnerabilities, please raise a support case at aka.ms/azsupt for assistance.

For more detailed information on these CVEs, please see the Additional References section below.

Vulnerability Impact:

The following types of CVEs are included in today’s fixes:

  • SQL Injection (SQLi): The primary category of remediated CVEs is SQLi vulnerabilities that could result in an Elevation of Privilege (EoP). To leverage these vulnerabilities, an attacker requires administrative credentials for an ASR-protected VM. We are continuing to improve input sanitization to ensure ASR is hardened against similar vectors.

  • Elevation of Privilege (EoP): The second category includes EoP vectors unrelated to SQLi whereby a normal user can elevate their privileges. One of these is CVE-2022-33675, which was disclosed by one of our research partners today and specifically affects the ASR Process Server component. This component is only used in VMware to Azure disaster recovery scenarios. To leverage this specific vulnerability, an attacker first requires standard user credentials for the system running ASR Process Server.

  • Remote Code Execution (RCE): The third category is RCE vulnerabilities affecting ASR appliances. To leverage these vulnerabilities, an attacker requires administrative credentials for an ASR-protected VM in order to execute arbitrary code on ASR appliances under certain conditions.

Customer Action:

To recap, these vulnerabilities affect all ASR on-premises customers using a VMware/Physical to Azure scenario and are fixed in the latest ASR 9.49 release. We recommend updating to the latest version of ASR at https://aka.ms/upgrade-to-9.49 to remain secure.

We would like to thank the researcher community who reported these vulnerabilities and worked with the Microsoft Security Response Center (MSRC) under Coordinated Vulnerability Disclosure (CVD) to help keep Microsoft customers safe.

Additional References:

  • Upgrade to ASR 9.49 at https://aka.ms/upgrade-to-9.49
  • Visit the Security Update Guide for information about these specific CVEs
  • See the Release Notes for details about the security fixes
  • Questions? Open a support case through the Azure Portal at aka.ms/azsupt

Related news

CVE-2022-33675

Azure Site Recovery Elevation of Privilege Vulnerability. This CVE ID is unique from CVE-2022-30181, CVE-2022-33641, CVE-2022-33642, CVE-2022-33643, CVE-2022-33650, CVE-2022-33651, CVE-2022-33652, CVE-2022-33653, CVE-2022-33654, CVE-2022-33655, CVE-2022-33656, CVE-2022-33657, CVE-2022-33658, CVE-2022-33659, CVE-2022-33660, CVE-2022-33661, CVE-2022-33662, CVE-2022-33663, CVE-2022-33664, CVE-2022-33665, CVE-2022-33666, CVE-2022-33667, CVE-2022-33668, CVE-2022-33669, CVE-2022-33671, CVE-2022-33672, CVE-2022-33673, CVE-2022-33674, CVE-2022-33677.