Microsoft fixes dozens of Azure Site Recovery privilege escalation bugs

Microsoft has fixed 32 vulnerabilities in the Azure Site Recovery suite that could have allowed attackers to gain elevated privileges or perform remote code execution.

The Azure Site Recovery service is a disaster recovery service that will automatically fail-over workloads to secondary locations when a problem is detected.

As part of the July 2022 Patch Tuesday, Microsoft fixed 84 flaws, with Azure Site Recovery vulnerability accounting for more than a third of the bugs fixed today.

Of the thirty-two vulnerabilities fixed in Azure Site Recovery, two allow remote code execution, and a whopping thirty vulnerabilities allow for elevation of privileges.

In an advisory released today, Microsoft states that SQL injection vulnerabilities caused most of the privilege escalation bugs.

To perform the attack, a threat actor can create a custom, malicious DLL using the same name as a regular DLL loaded by the Azure Site Recovery application.

Share this article on social media:

Subscribe to Our Newsletter!
Stay on top of cybersecurity risks, evolving threats and industry news.
This field is for validation purposes and should be left unchanged.

The Latest Cybersecurity News

From major cyberattacks, newly discovered critical vulnerabilities to recommended best practices, read it here first:
GET STARTED TODAY

Tell us About your Needs
Get an Answer the Same Business Day

Got an urgent request? Call us at 1-877-805-7475 or Book a meeting.

What happens next:

  • We reach out to learn about your objectives
  • We work together to define your project’s scope
  • You get an all-inclusive, no engagement proposal
PCI-DSS
This field is for validation purposes and should be left unchanged.

BOOK A MEETING

Enter your Email Address

This field is for validation purposes and should be left unchanged.

* No free email provider (e.g: gmail.com, hotmail.com, etc.)

2024 EDITION

Penetration Testing Buyer's Guide

Everything You Need to Know

Gain full confidence in your future cybersecurity assessments by learning to plan, scope and execute projects.
This site is registered on wpml.org as a development site. Switch to a production site key to remove this banner.