An improper restriction of excessive authentication attempts vulnerability [CWE-307] in Fortinet FortiOS version 7.2.0 through 7.2.3 and before 7.0.10, FortiProxy version 7.2.0 through 7.2.2 and before 7.0.8 administrative interface allows an attacker with a valid user account to perform brute-force attacks on other user accounts via injecting valid login sessions.

** PSIRT Advisories**

**FortiOS & FortiProxy - Anti brute-force bypass in administrative interface**

**Summary**

An improper restriction of excessive authentication attempts vulnerability \[CWE-307\] in FortiOS & FortiProxy administrative interface may allow an attacker with a valid user account to perform brute-force attacks on other user accounts via injecting valid login sessions.

**Affected Products**

FortiProxy version 7.2.0 through 7.2.1  
FortiProxy version 7.0.0 through 7.0.7  
FortiProxy 2.0 all versions  
FortiProxy 1.2 all versions  
FortiProxy 1.1 all versions  
FortiProxy 1.0 all versions  
FortiOS version 7.2.0 through 7.2.3  
FortiOS version 7.0.0 through 7.0.10  
FortiOS version 6.4.0 through 6.4.12  
FortiOS 6.2 all versions

**Solutions**

Please upgrade to FortiProxy version 7.2.2 or above  
Please upgrade to FortiProxy version 7.0.8 or above  
Please upgrade to FortiOS version 7.2.4 or above  
Please upgrade to FortiOS version 7.0.11 or above  
Please upgrade to FortiOS version 6.4.13 or above

**Acknowledgement**

Internally discovered and reported by Goutham Rukmasah from Fortinet's FortiGuard Labs .

**Timeline**

2023-03-21: Initial publication

CVE-2022-43947: Fortiguard

Apple Security Advisory 2023-04-10-3 - macOS Big Sur 11.7.6 addresses code execution and out of bounds write vulnerabilities.

    -----BEGIN PGP SIGNED MESSAGE-----Hash: SHA256APPLE-SA-2023-04-10-3 macOS Big Sur 11.7.6macOS Big Sur 11.7.6 addresses the following issues.Information about the security content is also available athttps://support.apple.com/HT213725.IOSurfaceAcceleratorAvailable for: macOS Big SurImpact: An app may be able to execute arbitrary code with kernelprivileges. Apple is aware of a report that this issue may have beenactively exploited.Description: An out-of-bounds write issue was addressed with improvedinput validation.CVE-2023-28206: Clément Lecigne of Google's Threat Analysis Group andDonncha Ó Cearbhaill of Amnesty International’s Security LabmacOS Big Sur 11.7.6 may be obtained from the Mac App Store orApple's Software Downloads web site:https://support.apple.com/downloads/All information is also posted on the Apple Security Updatesweb site: https://support.apple.com/en-us/HT201222.This message is signed with Apple's Product Security PGP key,and details are available at:https://www.apple.com/support/security/pgp/-----BEGIN PGP SIGNATURE-----iQIzBAEBCAAdFiEEBP+4DupqR5Sgt1DB4RjMIDkeNxkFAmQ0VJIACgkQ4RjMIDkeNxkW2Q//bj0ZmcXsCzpQmhCc5hZ+P4cnesy9Kc4DRLofsYBtPVlR450wIjxiGqlUkpbLBWpBXaXn4EeBoqxxXB9FKXANvZVkdS+xpTLdHpdPnRMntJf3S4WiYyDr/G3coHVtHbNMbj/K/MbsRGBefVtGAueLpwwHFN5GsyvuMrp5xEl9wgQ3aMfi+x8hHXuFzxHIHyNf6OU5cBSf6R80FQcV55eOjPe9gX1B59n4ffZtaao3QqT+z++wA64eyVCVk9hSWXYsMKBNgcoyh108DHb6aYfr0G6SvcvzX2zR2zJtL0JFDNckHx/nvAws/Sd5O39oHzvS46gNcYZIHujHbemh/DsFJjgKbOd4O9oLyJeAcVjv0c5i61Qa+odERpvX2bJR8xWLlDGYIV5XmGYzxL8lksDim9hD2IOGf6P7ReARUcpahe9jaAIoj+BoFkKUMvr8iORx0752+3h+dMej1nu/1RhjmeWYawbUsH+yECu0L2GkQc0I9gFg0Dq21OFlHEfB46D+XRTWYWkM6l9KPMNcH1PX74d86ZkuqqMzlKmsRdJz0ESepIj6RzQ3Zy5SvZ63C78RJvWGPeg/8rQFIBQE9WktUoPz5+6bU/E1nq8ExbrTXxJKvt/VseIwBTi08UfQ2oYnyyAirIkTRi9PH5pviXBu9r/AiBYSj9J88QBzrV8QXHw==Lq+b-----END PGP SIGNATURE-----

Apple Security Advisory 2023-04-10-3

Apple Security Advisory 2023-04-10-1 - iOS 15.7.5 and iPadOS 15.7.5 addresses code execution, out of bounds write, and use-after-free vulnerabilities.

    -----BEGIN PGP SIGNED MESSAGE-----Hash: SHA256APPLE-SA-2023-04-10-1 iOS 15.7.5 and iPadOS 15.7.5iOS 15.7.5 and iPadOS 15.7.5 addresses the following issues.Information about the security content is also available athttps://support.apple.com/HT213723.IOSurfaceAcceleratorAvailable for: iPhone 6s (all models), iPhone 7 (all models), iPhoneSE (1st generation), iPad Air 2, iPad mini (4th generation), and iPodtouch (7th generation)Impact: An app may be able to execute arbitrary code with kernelprivileges. Apple is aware of a report that this issue may have beenactively exploited.Description: An out-of-bounds write issue was addressed with improvedinput validation.CVE-2023-28206: Clément Lecigne of Google's Threat Analysis Group andDonncha Ó Cearbhaill of Amnesty International’s Security LabWebKitAvailable for: iPhone 6s (all models), iPhone 7 (all models), iPhoneSE (1st generation), iPad Air 2, iPad mini (4th generation), and iPodtouch (7th generation)Impact: Processing maliciously crafted web content may lead toarbitrary code execution. Apple is aware of a report that this issuemay have been actively exploited.Description: A use after free issue was addressed with improvedmemory management.WebKit Bugzilla: 254797CVE-2023-28205: Clément Lecigne of Google's Threat Analysis Group andDonncha Ó Cearbhaill of Amnesty International’s Security LabThis update is available through iTunes and Software Update on youriOS device, and will not appear in your computer's Software Updateapplication, or in the Apple Downloads site. Make sure you have anInternet connection and have installed the latest version of iTunesfrom https://www.apple.com/itunes/  iTunes and Software Update on thedevice will automatically check Apple's update server on its weeklyschedule. When an update is detected, it is downloaded and the optionto be installed is presented to the user when the iOS device isdocked. We recommend applying the update immediately if possible.Selecting Don't Install will present the option the next time youconnect your iOS device.  The automatic update process may take up toa week depending on the day that iTunes or the device checks forupdates. You may manually obtain the update via the Check for Updatesbutton within iTunes, or the Software Update on your device.  Tocheck that the iPhone, iPod touch, or iPad has been updated:  *Navigate to Settings * Select General * Select About. The versionafter applying this update will be "iOS 15.7.5 and iPadOS 15.7.5".All information is also posted on the Apple Security Updatesweb site: https://support.apple.com/en-us/HT201222.This message is signed with Apple's Product Security PGP key,and details are available at:https://www.apple.com/support/security/pgp/-----BEGIN PGP SIGNATURE-----iQIzBAEBCAAdFiEEBP+4DupqR5Sgt1DB4RjMIDkeNxkFAmQ0VJEACgkQ4RjMIDkeNxnSrA/9GfJGP3rEWjtK1bSWO5XgjPZIN8xZcYAT2zQCHNM/CREylHDWSoamyMsxsUFkc25u0ok7Ucoj5k+44WXT7bhRqK52H5PDP6b0n3KsUnhJo+up6+AlKgqgomWntzQyjYTe36nArMvHkMAy9car/kj0l6OBAFF2pVXSTU24ubQfYOtAppQp3JNU9UnqhJ/VrQCANwvjHIsdy+EximByL3+tdCTzRi1v5SC4ZntHP0vB66YwFgrkaxmWLa/EXrA9tgJr8YX6k7LUc0MMUJSkcMg7ydojFBeVgHCVdH2rJpL8w6eVrpW7MQ5wcp6XrDm23T1lckVT8WL+LL4414gBjkfOyjjntdllGiH5For84t76bUGYDs6pb69Ztv2uAMRRP8nJAgNpsP++EnEaI0U3jMoEbq0xCv64y/EenkZm3kuTwOeo7l5Q5WzTDJTsdqZMnP+tR7nhCu41UIKN8eOelp/BqRT/4wcT8fvTNLgg/oY6TUPHYydQO48+ZjiBaryn7oXcv+EaDdggkySniijiLI4Dol20J0SHUr6LHOM6AiiMWhz5ZeIawaLcLfw/oP5+U1tio3dPeeTCwjr9hY8BB/a2rPq6UkAuReAS3ZU+b1N5swaVRYaZb41bfW5rfI571XS42mjoCCGJP8TdXk8mWeZgdvAKdLCYbIW2taTPVRhtGwE==DG1t-----END PGP SIGNATURE-----

Apple Security Advisory 2023-04-10-1

Apple Security Advisory 2023-04-10-2 - macOS Monterey 12.6.5 addresses code execution and out of bounds write vulnerabilities.

    -----BEGIN PGP SIGNED MESSAGE-----Hash: SHA256APPLE-SA-2023-04-10-2 macOS Monterey 12.6.5macOS Monterey 12.6.5 addresses the following issues.Information about the security content is also available athttps://support.apple.com/HT213724.IOSurfaceAcceleratorAvailable for: macOS MontereyImpact: An app may be able to execute arbitrary code with kernelprivileges. Apple is aware of a report that this issue may have beenactively exploited.Description: An out-of-bounds write issue was addressed with improvedinput validation.CVE-2023-28206: Clément Lecigne of Google's Threat Analysis Group andDonncha Ó Cearbhaill of Amnesty International’s Security LabmacOS Monterey 12.6.5 may be obtained from the Mac App Store orApple's Software Downloads web site:https://support.apple.com/downloads/All information is also posted on the Apple Security Updatesweb site: https://support.apple.com/en-us/HT201222.This message is signed with Apple's Product Security PGP key,and details are available at:https://www.apple.com/support/security/pgp/-----BEGIN PGP SIGNATURE-----iQIzBAEBCAAdFiEEBP+4DupqR5Sgt1DB4RjMIDkeNxkFAmQ0VJIACgkQ4RjMIDkeNxkpjhAAwMSbbqdMyODDeaYJhALWUoFTVp90hcduPLHYeYEZISeQg6taWYCrbFs6XVmtw65pEjCUOUfw7yIqkWGXy4XVwo4DhBBqxUwUNZyIv16uNEgCl9bqfQKKXyii4269rCBWhlhXyen1zv/1OSMEF5dlVVf4C55cmdx2ta+th/0jCXsd9Oe4aVgDOucDg2cItZ0Aht+2AStmeBi7wKoP0XgqLVtJcHofls7O/G0DW9YVkroxyfTizf1Fd4J+O4AjYYvA0P6Jrkm7jAI+64IlHrMukxkSiD43KNCG/PhVdHO6YLXhIm9a1ziEjSaA7EGw/bYQGI2HCmbu/gSMuXlHe4Uc8OnGdRMGceV4JHD9qjQUS9/Sh/58+oa609mLvWW+VBMJXQlWOYH4hrTlGiNSfCkQa2yqkCtpk4nfTkd51y8V1x3XvlFE8092Z2XnaEz0KzebfS5dgZiLKK0Tc0Kg8tJJi7KDRnjslCnu6Ove6aYW8Jm/Mh5NPWh6b9ZAkaynZ5kyEoLzutCa10riKH1uEQCLXLWMkiswz8vbEq8uyLKRBEuZOXxstoPEQBwgwh7nahcbCBjKH89CAj+Q541x00OHIYJNL1xmfT2bhb33Bm/U5aNhLuJqkYC9LrI6Xz+lPe9T8crHtIL//NsevkOIkWEyqMk0fbJJ6KHDkq4Aj5c7jWM==Iilf-----END PGP SIGNATURE-----

Apple Security Advisory 2023-04-10-2

Apple Security Advisory 2023-04-07-2 - macOS Ventura 13.3.1 addresses code execution, out of bounds write, and use-after-free vulnerabilities.

-----BEGIN PGP SIGNED MESSAGE-----  
Hash: SHA256

APPLE-SA-2023-04-07-2 macOS Ventura 13.3.1

macOS Ventura 13.3.1 addresses the following issues.  
Information about the security content is also available at  
https://support.apple.com/HT213721.

IOSurfaceAccelerator  
Available for: macOS Ventura  
Impact: An app may be able to execute arbitrary code with kernel  
privileges. Apple is aware of a report that this issue may have been  
actively exploited.  
Description: An out-of-bounds write issue was addressed with improved  
input validation.  
CVE-2023-28206: Clément Lecigne of Google's Threat Analysis Group and  
Donncha Ó Cearbhaill of Amnesty International’s Security Lab

WebKit  
Available for: macOS Ventura  
Impact: Processing maliciously crafted web content may lead to  
arbitrary code execution. Apple is aware of a report that this issue  
may have been actively exploited.  
Description: A use after free issue was addressed with improved  
memory management.  
WebKit Bugzilla: 254797  
CVE-2023-28205: Clément Lecigne of Google's Threat Analysis Group and  
Donncha Ó Cearbhaill of Amnesty International’s Security Lab

macOS Ventura 13.3.1 may be obtained from the Mac App Store or  
Apple's Software Downloads web site:  
https://support.apple.com/downloads/  
All information is also posted on the Apple Security Updates  
web site: https://support.apple.com/en-us/HT201222.

This message is signed with Apple's Product Security PGP key,  
and details are available at:  
https://www.apple.com/support/security/pgp/  
-----BEGIN PGP SIGNATURE-----

iQIzBAEBCAAdFiEEBP+4DupqR5Sgt1DB4RjMIDkeNxkFAmQwYrsACgkQ4RjMIDke  
Nxlhmw/9GYfPKf/wprkK1e3/sflihNqz+/qJioE7p9oNHSvPx1b5VT2ovKMOGtsD  
8AG9qzF9DsWbFFybg7gIPAjQdb8tAiipm1xJYvyqLUpD1bJFlMIB+mRqs2OFUSgF  
0p9huSBVOGasGjcHRq9g2016OJQBr/oAA3w86Re/6Q5ST2AQCc7Y3lPcebJ+2JTp  
jSU2zfnNWg3+mRL0VMleh/ZnY2+yGce7r+uaoYzDz7MULGN8/j9nYoFUbDEbgf/y  
CnCAlJdMFuW98z3Iv7U+oUP5iF2PCzIR5nfaHcoXVaZUd0H52RLyrVKvm0iV4viq  
16SNGc7hl+Si9HDsRFN+XVvQoT4r+k5yzT78Ss3iLXYyR5XOf3Xi8sZdK0eXkDmk  
Ynrv5Y+st1M550EPlAOhsO8GAAWTsHWHOxmw76DX6kbUBaEOyYMRrKhG/AYP5Djg  
ZJlIIHsdNw99wEMUVBHCXtnWEY0aO7zaHpEl5tIr6r5xJep/idO8DjD6KpxmLDT8  
ftqB/fUloaVhTht6WMYaupXn4sG/U0228v8inculiFAKWeJ9vxyWF1doEGQNErFj  
xEUSsV10u1BjXf52Wle777lbS0ro31nv2pRWVfaT8j3dpTCZvDvUVclK5AAUPlKR  
tffpSuN9DHiPEynRftyBmi431MfXLI1CgYAC0w/rRYQ/pzc9NeI=  
=nsPp  
-----END PGP SIGNATURE-----

Apple Security Advisory 2023-04-07-2

Apple Security Advisory 2023-04-07-1 - iOS 16.4.1 and iPadOS 16.4.1 addresses code execution, out of bounds write, and use-after-free vulnerabilities.

    -----BEGIN PGP SIGNED MESSAGE-----Hash: SHA256APPLE-SA-2023-04-07-1 iOS 16.4.1 and iPadOS 16.4.1iOS 16.4.1 and iPadOS 16.4.1 addresses the following issues.Information about the security content is also available athttps://support.apple.com/HT213720.IOSurfaceAcceleratorAvailable for: iPhone 8 and later, iPad Pro (all models), iPad Air3rd generation and later, iPad 5th generation and later, and iPadmini 5th generation and laterImpact: An app may be able to execute arbitrary code with kernelprivileges. Apple is aware of a report that this issue may have beenactively exploited.Description: An out-of-bounds write issue was addressed with improvedinput validation.CVE-2023-28206: Clément Lecigne of Google's Threat Analysis Group andDonncha Ó Cearbhaill of Amnesty International’s Security LabWebKitAvailable for: iPhone 8 and later, iPad Pro (all models), iPad Air3rd generation and later, iPad 5th generation and later, and iPadmini 5th generation and laterImpact: Processing maliciously crafted web content may lead toarbitrary code execution. Apple is aware of a report that this issuemay have been actively exploited.Description: A use after free issue was addressed with improvedmemory management.WebKit Bugzilla: 254797CVE-2023-28205: Clément Lecigne of Google's Threat Analysis Group andDonncha Ó Cearbhaill of Amnesty International’s Security LabThis update is available through iTunes and Software Update on youriOS device, and will not appear in your computer's Software Updateapplication, or in the Apple Downloads site. Make sure you have anInternet connection and have installed the latest version of iTunesfrom https://www.apple.com/itunes/  iTunes and Software Update on thedevice will automatically check Apple's update server on its weeklyschedule. When an update is detected, it is downloaded and the optionto be installed is presented to the user when the iOS device isdocked. We recommend applying the update immediately if possible.Selecting Don't Install will present the option the next time youconnect your iOS device.  The automatic update process may take up toa week depending on the day that iTunes or the device checks forupdates. You may manually obtain the update via the Check for Updatesbutton within iTunes, or the Software Update on your device.  Tocheck that the iPhone, iPod touch, or iPad has been updated:  *Navigate to Settings * Select General * Select About. The versionafter applying this update will be "iOS 16.4.1 and iPadOS 16.4.1".All information is also posted on the Apple Security Updatesweb site: https://support.apple.com/en-us/HT201222.This message is signed with Apple's Product Security PGP key,and details are available at:https://www.apple.com/support/security/pgp/-----BEGIN PGP SIGNATURE-----iQIzBAEBCAAdFiEEBP+4DupqR5Sgt1DB4RjMIDkeNxkFAmQwYroACgkQ4RjMIDkeNxk/Iw/9GD1PXcIq1OFLv/N8t8bEqTUhuDqbFdQ3NLcbzmSO+XnoueqvlYvXtJr/w0wv0yAo6lxkLODuI+kVX9hjbqHZzUezCkugzvz4TXWgmQI6V7+TKXC9KA7jGxH6ZUMf1a+u+0jkFRUEUsaUHxOvScSVAmw2hlJvIlnYyK/E6O5ZJrua1cBQ2pQX2hlDIYUJaNZy3E9MlSKzZclDIszckvO1yVkfEzOkdh8laZoHQ3zN+QfKXvb9IoMmO715gaNYHoO141d0RqL5nyegu4e5lYb951o0DGph2usCrCrpFD0sSquAKNriwV5tJ/DPlrStMnktYX8iogCBT/T2/AevAmrdPOil7A/2rX5pSNRifnYdAnku8FdF2zxqKdMRt10fwI4YOl2IADKz/khPtig5fcYIwcpkXgavQ0N738hg4ugF9K18S5IdY2RSTN1SQtfRjWKus6I7MgGtdIp7MW1koB/j0bF6b5Xw9GefweUzSNvn+EZT2jVLHfiD/ILkKph/QXeiQfe3VGHOs89mHY750QmuAiAT9v24IkCfni5uvrRmApJiBB8w8Hnhq1aJa+09fxiVfPwVTrKqauI5cL2p0D9iWcjlWC8W1rJR5gO2Ge8twfgbMVCXfXmD9WhEb5Z6vSNlpJLy7xXSJTn4fnJNNgJ46lmKeU+G5I2/8xP8VWrsPks==83T6-----END PGP SIGNATURE-----

Apple Security Advisory 2023-04-07-1

A "by-design flaw" uncovered in Microsoft Azure could be exploited by attackers to gain access to storage accounts, move laterally in the environment, and even execute remote code.
"It is possible to abuse and leverage Microsoft Storage Accounts by manipulating Azure Functions to steal access-tokens of higher privilege identities, move laterally, potentially access critical business assets, and

Cloud Security / Data Security

A "by-design flaw" uncovered in Microsoft Azure could be exploited by attackers to gain access to storage accounts, move laterally in the environment, and even execute remote code.

"It is possible to abuse and leverage Microsoft Storage Accounts by manipulating Azure Functions to steal access-tokens of higher privilege identities, move laterally, potentially access critical business assets, and execute remote code (RCE)," Orca said in a new report shared with The Hacker News.

The exploitation path that underpins this attack is a mechanism called Shared Key authorization, which is enabled by default on storage accounts.

According to Microsoft, Azure generates two 512-bit storage account access keys when creating a storage account. These keys can be used to authorize access to data via Shared Key authorization, or via SAS tokens that are signed with the shared key.

"Storage account access keys provide full access to the configuration of a storage account, as well as the data," Microsoft notes in its documentation. "Access to the shared key grants a user full access to a storage account's configuration and its data."

The cloud security firm said these access tokens can be stolen by manipulating Azure Functions, potentially enabling a threat actor with access to an account with Storage Account Contributor role to escalate privileges and take over systems.

Specifically, should a managed identity be used to invoke the Function app, it could be abused to execute any command. This, in turn, is made possible owing to the fact that a dedicated storage account is created when deploying an Azure Function app.

"Once an attacker locates the storage account of a Function app that is assigned with a strong managed identity, it can run code on its behalf and as a result acquire a subscription privilege escalation (PE)," Orca researcher Roi Nisimi said.

UPCOMING WEBINAR

Learn to Secure the Identity Perimeter - Proven Strategies

Improve your business security with our upcoming expert-led cybersecurity webinar: Explore Identity Perimeter strategies!

Don't Miss Out – Save Your Seat!

In other words, by exfiltrating the access-token of the Azure Function app's assigned managed identity to a remote server, a threat actor can elevate privileges, move laterally, access new resources, and execute a reverse shell on virtual machines.

"By overriding function files in storage accounts, an attacker can steal and exfiltrate a higher-privileged identity and use it to move laterally, exploit and compromise victims' most valuable crown jewels," Nisimi explained.

As mitigations, it's recommended that organizations consider disabling Azure Shared Key authorization and using Azure Active Directory authentication instead. In a coordinated disclosure, Microsoft said it "plans to update how Functions client tools work with storage accounts."

"This includes changes to better support scenarios using identity. After identity-based connections for AzureWebJobsStorage are generally available and the new experiences are validated, identity will become the default mode for AzureWebJobsStorage, which is intended to move away from shared key authorization," the tech giant further added.

The findings arrive weeks after Microsoft patched a misconfiguration issue impacting Azure Active Directory that made it possible to tamper with Bing search results and a reflected XSS vulnerability in Azure Service Fabric Explorer (SFX) that could lead to unauthenticated remote code execution.

Found this article interesting? Follow us on Twitter __ and LinkedIn to read more exclusive content we post.

Newly Discovered "By-Design" Flaw in Microsoft Azure Could Expose Storage Accounts to Hackers

GDidees CMS v3.9.1 and lower was discovered to contain an arbitrary file download vulenrability via the filename parameter at /_admin/imgdownload.php.

Play Labs on this vulnerability with SecureFlag!

1.  Unrestricted File Download
    1.  Description
    2.  Impact
    3.  Scenarios
    4.  Prevention
    5.  Testing

**Description**

Unrestricted File Downloads are a type of vulnerability that allow a malicious actor to download internal files, resulting in the potential, unintentional exposure of sensitive files, such as the configuration file, which contains credentials for the database. In milder forms, Unrestricted File Download attacks allow access to a specific directory subtree but could still enable cross-user breaches or access to crucial configuration and sensitive files.

**Impact**

The damage an attacker can cause by employing this type of attack is really only limited by the value of the exposed information. If a developer has structured their web root folder to include sensitive configuration files, for example, the fallout will, of course, be highly damaging. Furthermore, as with many other attacks that are a part of the attacker’s toolkit, the vulnerability can be used by an attacker as a stepping stone, leading to the full compromise of the system.

**Scenarios**

A classic scenario is a web application that dynamically fetches _resources_ according to a query parameter; and the available resources are stored in a particular directory within the file systems. For example, the following URL fetches the /opt/wwwdata/assets/some-file file and uses it to build the web page, possibly returning it verbatim:

    http://www.vulnerableapp.com/?pageId=some-file
    

The Directory Traversal technique is commonly used to exploit this type of vulnerability in file systems; the nickname “dot-dot-slash” is often used as an alternative label given the punctuated order of symbols (../ and ..\) that allow access to unintended resources of the server’s file system.

If no checks or sanitisation are in place, it is possible to traverse the resources directory and target any file on the file system. For example, the following fetches the sensitive /etc/passwd file on Linux and other unix-derived systems:

    http://www.vulnerableapp.com/?pageId=../../../../../etc/passwd
    

**Prevention**

If possible, developers should avoid building file path strings with user-provided input. Many functions of an application can be rewritten to deliver functionally identical behavior but in a safer manner.

If passing user-supplied input to a filesystem API is absolutely necessary, developers must ensure the following:

*   Validate the user input by strictly accepting well-known, reputable candidates against an allow list
*   If validating against an allow list isn’t possible, validation should at least ensure that only permitted content is contained in the input

As defense in depth, developers should never run a server component with root or SYSTEM privileges, as this can enable access to any file or folder, including crypto keys and the registry, to a malicious actor exploiting this vulnerability. Server components should be run using a less-privileged user with no access to critical system files.

**Testing**

Verify that user-submitted filename metadata is not used directly by system or framework filesystems and that a URL API is used to protect against path traversal.

*   **OWASP ASVS**: 12.3.1
*   **OWASP Testing Guide**: Testing for Local File Inclusion, Testing Directory Traversal File Include

**Table of contents**

*   Unrestricted File Download in .NET
*   Unrestricted File Download in Android
*   Unrestricted File Download in Go Lang
*   Unrestricted File Download in Java
*   Unrestricted File Download in NodeJS
*   Unrestricted File Download in PHP
*   Unrestricted File Download in Python
*   Unrestricted File Download in Ruby
*   Unrestricted File Download in Scala

CVE-2023-27179: Unrestricted File Download Vulnerability

In today's perilous cyber risk landscape, CISOs and CIOs must defend their organizations against relentless cyber threats, including ransomware, phishing, attacks on infrastructure, supply chain breaches, malicious insiders, and much more. Yet at the same time, security leaders are also under tremendous pressure to reduce costs and invest wisely. 
One of the most effective ways for CISOs and

In today's perilous cyber risk landscape, CISOs and CIOs must defend their organizations against relentless cyber threats, including ransomware, phishing, attacks on infrastructure, supply chain breaches, malicious insiders, and much more. Yet at the same time, security leaders are also under tremendous pressure to reduce costs and invest wisely.

One of the most effective ways for CISOs and CIOs to make the best use of their limited resources to protect their organizations is by conducting a cyber risk assessment. A comprehensive cyber risk assessment can help:

*   Identify vulnerabilities and threats
*   Prioritize security investments
*   Assess cybersecurity maturity
*   Communicate cyber risk to executives
*   Provide the basis for cyber risk quantification

A new guide by cybersecurity optimization provider CYE (**download here**) explains how this can be accomplished. The guide outlines several approaches to cyber risk assessments and describes the necessary steps that can yield solid insights and recommendations for security leaders.

****Conducting an effective cyber risk assessment****

There are various approaches to conducting a cyber risk assessment—each with its own pros and cons. All, however, involve understanding an organization's security posture and compliance requirements, collecting data on threats, vulnerabilities, and assets, modeling potential attacks, and prioritizing mitigation actions.

According to the **guide**, an effective cyber risk assessment includes these five steps:

1.  **Understand** the organization's security posture and compliance requirements
2.  **Identify** threats
3.  **Identify** vulnerabilities and map attack routes
4.  **Model** the consequences of attacks
5.  **Prioritize** mitigation options

A cyber risk assessment also creates the basis for cyber risk quantification, which puts a monetary value on the potential cost of cyber threats versus the cost of remediation. CRQ can help security experts pinpoint which vulnerabilities in the organization's threat landscape pose the greatest threat and prioritize their remediation. It also helps CISOs communicate the cost of cyber risk to management and justify security budgets.

****Creating a cybersecurity roadmap****

Conducting a cyber risk assessment is only the first step. The insights and recommendations that are yielded from the assessment can set the stage for creating a roadmap for how the organization's cyber posture will be strengthened in stages. Then the team can track, measure, and quantify cyber resilience over time. The assessment should also be revisited periodically to address any emerging threats, changes to the business, and changes to the organization's technologies, IT architecture, and security controls.

To effectively assess, quantify, and mitigate cyber risk, organizations should be sure to have the right tools and platforms in place, as well as dedicated professional guidance and advice provided by established cybersecurity experts.

Want to learn more about how to strengthen your security posture and optimize security investments by assessing and prioritizing cyber risk? **Download the guide here**.

Found this article interesting? Follow us on Twitter __ and LinkedIn to read more exclusive content we post.

[eBook] A Step-by-Step Guide to Cyber Risk Assessment

Summary Summary Azure provides developers and security operations staff a wide array of configurable security options to meet organizational needs. Throughout the software development lifecycle, it is important for customers to understand the shared responsibility model, as well as be familiar with various security best practices. This is particularly important in deploying Azure Functions and in provisioning Azure Role Based Access Control as customers are responsible for configuring and managing applications, identity, and data.

**Summary Summary**

Azure provides developers and security operations staff a wide array of configurable security options to meet organizational needs. Throughout the software development lifecycle, it is important for customers to understand the shared responsibility model, as well as be familiar with various security best practices. This is particularly important in deploying Azure Functions and in provisioning Azure Role Based Access Control as customers are responsible for configuring and managing applications, identity, and data. It is possible for customers to grant overly broad permissions. When this happens, there is a risk that these permissions could be abused to gain access to additional resources within a customer’s tenant. One such issue was recently reported by Orca Security and investigated by the Microsoft Security Response Center who determined it was not a security issue. However, the situation warranted discussion and improvement to help customers more effectively deploy environments with least privilege and defense-in-depth to be more resilient against attackers.

As part of ongoing experience improvements, the Azure Functions team plans to update how Functions client tools work with storage accounts. This includes changes to better support scenarios using identity. After identity-based connections for AzureWebJobsStorage are generally available and the new experiences are validated, identity will become the default mode for AzureWebJobsStorage, which is intended to move away from shared key authorization.  

Additionally, customers should review the guidance below to ensure their environments are configured to their organizational needs with least privilege.

**Azure Functions and Azure Storage Authorization In-Depth Azure Functions and Azure Storage Authorization In-Depth**

Azure Functions uses storage for several purposes. The AzureWebJobsStorage connection is used for general runtime behaviors, such as handling trigger checkpointing data and distributed lock management. Azure Functions code may be stored in the account specified by the AzureWebJobsStorage connection, but this depends on the deployment method selected. This is not the default for most setups, and Functions offers multiple deployment options for application code, including referencing content stored in a different blob store. The AzureWebJobsStorage connection uses a storage account connection string by default, though there is a preview of identity-based connections for AzureWebJobsStorage.  

In addition to leveraging the default storage account connection string, customers may want to provision access to users within their environment. Per the shared responsibility model, access management is a responsibility of the cloud customer and an important aspect of creating role assignments is the selection of the correct scope of assignment adhering to the security principle of least privilege. Apps and users should not be given broader access than is strictly necessary. Azure also offers features for granting bounded access through privileged identity management.  

By default, the only individuals that have access to listKeys is the individual that created the storage account and any inherited owners. Microsoft recommends providing granular access to users, using built-in roles such as Storage Blob Data Reader or Storage File Data SMB Share Reader, to grant permission to read storage account contents. Neither of these roles include permission to list storage account keys or otherwise modify content. Storage account keys provide full access to your storage account’s configuration and all its data, and like any access credential should be carefully protected. Other built-in roles may grant the Microsoft.Storage/storageAccounts/listKeys/action permission that is excessive for users only requiring read access.

Should excessive privileges be granted and subsequently used, customers could still gain insights into the data plane actions taken against that storage account through Azure Monitor. The Activity Log describes control plane operations, and can be used to monitor which users have accessed the shared storage keys. Activity logs are enabled by default for all storage accounts.  Customers can do this by searching for “listKeys” in the storage account where their Azure Function is stored. Resource logs can also be enabled and configured in Azure Monitor to identify any modifications to the contents of the storage account.  Customers are highly encouraged to have activity logs and resource logs configured on their storage accounts and consistently review their logs for suspicious activity. You can also monitor how clients authorize access to storage accounts, as well as identify clients that are authorizing their storage requests using shared keys or shared access signature (SAS).

As part of ongoing experience improvements, the Azure Functions team plans to update how Functions client tools work with storage accounts. This includes changes to better support scenarios using identity. After identity-based connections for AzureWebJobsStorage are generally available and the new experiences are validated, identity will become the default mode for AzureWebJobsStorage.  Going forward, Azure Functions clients will also help users enable ‘StorageWrite’ resource logging for storage accounts created in those experiences. Additionally, we have updated the Azure Functions documentation to better clarify best practices to configure storage account access for users with least privileges.

Azure Storage also continues to invest in security, including comprehensive support for identity-based authorization. Blob Storage offers full support for role-based access control (RBAC), including role-assignment conditions with Azure ABAC. We provide a comprehensive set of built-in roles to easily limit access with minimum privileges. Azure Files now includes support for Azure AD Kerberos over SMB and is adding support for OAuth over REST. This will also enable support for identity-based authorization for accessing Files in the Azure portal. We’re also planning for guidance and support so that new storage accounts can have shared key and shared access signature (SAS) authorization disabled by default  to encourage use of role-based access. In the interim, organizations can enforce the use of identity-based authorization for Storage using Azure Policy.

Microsoft Defender for Cloud (MDC) also provides enhanced monitoring for Storage accounts, to include automatic discovery of sensitive data to enrich security alerts,  malware scanning, and detections for unusual access patterns, use of compromised authentication tokens, and data exfiltration.

**Recommended Actions for Customers Recommended Actions for Customers**

To minimize the overall risk of abuse, we recommend that customers employ the following practices regarding user access to storage accounts:

1.  Review the permissions of users to ensure least-privilege access to the storage account. Furthermore, you can limit the permission grants to the minimum scope required (ex. Storage account or resource group).
    
2.  Monitor Activity Log for access to account keys
    
3.  Enable StorageWrite resource logs for storage accounts that host Azure Functions along with a lifecycle policy to manage retention of the logs for a duration of your choice.
    
4.  When storing application code in blob storage, consider using a storage account dedicated to that purpose so that you can limit access.
    
5.  Enable MDC for storage accounts
    

In addition to the above recommended actions, we have made updates to existing documentation. Customers are encouraged to review the updated documents:

Storage considerations for Azure Functions

Securing Azure Functions

**Conclusion Conclusion**

In summary, we appreciate the opportunity to investigate the findings reported by Orca Security. We encourage all researchers to work with vendors under Coordinated Vulnerability Disclosure (CVD) and abide by the rules of engagement for penetration testing to avoid impacting customer data while conducting security research. Researchers who report security issues to the Microsoft Security Response Center are also eligible to participate in Microsoft’s Bug Bounty Program.

Orca’s report has highlighted opportunities for us to continue to improve to help customers correctly configure their environments with least privilege. The risk of these scenarios can be minimized by applying proper RBAC administration and ensuring that users are delegated the lowest level of permissions necessary. Using identity-based connections for AzureWebJobsStorage, currently in preview, prevents use of over-privileged permissions. Azure Storage also offers robust monitoring to detect unusual or unauthorized changes on a storage resource. At the same time, we believe that our guidance for customers around properly configuring user privileges for storage account access can be clarified further, so we have made updates to our existing documentation to reflect that. As always, we encourage our customers to follow security best practices to limit their exposure to vulnerabilities and other types of security events.

Tag

#ios