Description
Microsoft Azure File Sync Elevation of Privilege Vulnerability
Improper access control in Azure File Sync allows an authorized attacker to elevate privileges locally.
FAQ
What actions do customers need to take to protect themselves from this vulnerability?
The vulnerability has been mitigated by a recent update to Azure File Sync's backend infrastructure, and no upgrade of the Azure File Sync agent to the latest version is needed. Customers who are required to inspect and correct their Access Control Lists have been notified through Azure Service Health Alerts under TrackingID: 4K2C-9_Z. See "View service health notifications by using the Azure portal" for information on how to view Azure Service Health Alerts in the Azure Portal.
Customers who have not received this Azure Service Health Alert do not need to take any action to be protected against this vulnerability.
According to the CVSS metric, the attack complexity is high (AC:H). What does that mean for this vulnerability?
To successfully exploit this vulnerability, an attacker would need to gain elevated privileges enabling them to perform file operations in directories they would not normally be able to access or perform.
What privileges could be gained by an attacker who successfully exploited this vulnerability?
An attacker can gain permissions to access directories in Azure File Sync servers and perform file operations they do not normally have permissions to access or perform.
Exploitability
Publicly Disclosed
Exploited
Latest Software Release
DOS
EPSS
CVSS3: 7 High
Related vulnerabilities
Improper access control in Azure File Sync allows an authorized attacker to elevate privileges locally.
A vulnerability in the Microsoft Azure File Sync data synchronization service, related to access control flaws, that allows an attacker to elevate their privileges