“Secret” Agent Exposes Azure Customers To RCE

This week, Azure is in the news again for cloud security issues. According to the linked article, Microsoft secretly installed a “management agent” on customer VMs. As if the act itself was not severe enough, the agent is reachable from the network.

Source: “Secret” Agent Exposes Azure Customers To Unauthorized Code Execution | Wiz Blog

And, if this does not seem bad enough, the said agent will give an attacker root access when the authentication header is missing.

When working with the cloud, do your threat modelling before choosing a vendor.

Is anyone here using Azure?

Are you using Azure? A newly published Hyper-V bug could possibly crash ‘big portions of Azure cloud infrastructure’.

Security researchers have posted proof of concept code that exploits a recently patched vulnerability in Microsoft’s Hyper-V hypervisor. The bug enables code in the guest to crash the host, and in some circumstances compromise the host’s security.

The Register

Source: Hyper-V bug that could crash ‘big portions of Azure cloud infrastructure’: Code published