
"The directory for the on-prem version of WAC was not write-protected, allowing attackers to drop malicious software alongside WAC, posing a significant risk to users."
"Both versions of WAC rely on a check-access token and a proof of possession (POP) token, but VMs do not validate all fields in the POP token, creating opportunities for exploitation."
"The researchers believe their findings should alarm organizations using hybrid clouds, as the discovered flaws enable attackers to leverage on-prem WAC to target Azure resources and vice versa."
Israeli researchers identified multiple vulnerabilities in Microsoft's Windows Admin Center (WAC) that pose risks to hybrid cloud environments. They reported four CVEs related to WAC, which Microsoft has since patched. The flaws allow potential attackers to exploit both on-prem and Azure-hosted versions of WAC. The researchers emphasized that these vulnerabilities could enable attacks across hybrid cloud boundaries, highlighting a lack of awareness among organizations regarding the security of their hybrid management planes.
Read at Theregister