Vulnerabilities tagged "cloud"
It's long been a classic to abuse accidentally exposed file descriptors through `/proc/self/fd` to break out of sandboxes, so it's kinda fun to see a similar sort of bug impacting Docker and enabling a container break-out either at run-time or during build time.
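The fd-leak class mentioned above is easy to reproduce without any container runtime. The script below is an added example written for this page (not code from the Docker/BuildKit write-up): it audits a `/proc/self/fd` table for descriptors pointing outside an allowed root, and shows the classic primitive that makes such a leak an escape, an `openat()`-style lookup relative to an inherited directory fd. The sandbox paths in `SAMPLE_FD_TABLE` and the temp-directory layout in `demo_dirfd_escape()` are constructed for illustration.

```python
import os
import tempfile


# Constructed snapshot of a /proc/self/fd table (fd -> readlink() target) for a
# sandboxed process. Paths are hypothetical, not taken from the original page.
SAMPLE_FD_TABLE = {
    0: "/dev/null",
    1: "pipe:[4021]",
    2: "pipe:[4021]",
    3: "/var/lib/sandbox/rootfs/app/config.yaml",   # inside the sandbox root: fine
    7: "/",                                          # directory fd on the host root: escape handle
    9: "socket:[5532]",
    11: "/run/secrets/build-token",                  # host file the sandbox was never meant to see
}


def fd_escapes_root(target: str, allowed_root: str) -> bool:
    """True if a path-backed fd target lies outside allowed_root.

    Anonymous targets such as pipe:[..], socket:[..] or anon_inode:[..] are not
    paths and are ignored here (they are a different leak class).
    """
    if not target.startswith("/"):
        return False
    root = os.path.normpath(allowed_root)
    path = os.path.normpath(target)
    if root == "/":
        return False  # no restriction requested
    return not (path == root or path.startswith(root + "/"))


def leaked_fds(fd_table, allowed_root, keep=(0, 1, 2)):
    """Return the subset of fd_table that points outside allowed_root (stdio excluded)."""
    return {
        fd: target
        for fd, target in fd_table.items()
        if fd not in keep and fd_escapes_root(target, allowed_root)
    }


def snapshot_fds():
    """Linux only: read the live /proc/self/fd table of the current process."""
    table = {}
    for name in os.listdir("/proc/self/fd"):
        try:
            table[int(name)] = os.readlink(f"/proc/self/fd/{name}")
        except OSError:
            pass  # the fd used by listdir() itself is already closed
    return table


def read_through_dirfd(dir_fd: int, relpath: str) -> bytes:
    """openat()-style read relative to an inherited directory fd.

    The lookup starts at dir_fd, so whatever cwd or root the sandbox believes
    the process has does not constrain it.
    """
    fd = os.open(relpath, os.O_RDONLY, dir_fd=dir_fd)
    try:
        return os.read(fd, 4096)
    finally:
        os.close(fd)


def demo_dirfd_escape() -> bytes:
    """Constructed scenario: a directory fd on 'host' leaks into code that is
    only supposed to see 'host/sandbox'. Returns the host-only data it can read."""
    with tempfile.TemporaryDirectory() as host:
        os.mkdir(os.path.join(host, "sandbox"))
        with open(os.path.join(host, "secret.txt"), "w") as f:
            f.write("host-only data\n")
        leaked = os.open(host, os.O_RDONLY | os.O_DIRECTORY)
        os.set_inheritable(leaked, True)   # survives exec(), i.e. reaches child processes
        try:
            return read_through_dirfd(leaked, "secret.txt")
        finally:
            os.close(leaked)


if __name__ == "__main__":
    print("leaked fds in sample table:",
          leaked_fds(SAMPLE_FD_TABLE, "/var/lib/sandbox/rootfs"))
    print("leaked fds in this process:", leaked_fds(snapshot_fds(), os.getcwd()))
    print("read via inherited dirfd:", demo_dirfd_escape())
```

Running `leaked_fds(snapshot_fds(), <rootfs>)` right before handing control to untrusted code is the cheap check: anything other than stdio that resolves to a path outside the intended root is a candidate escape handle, and the fix is almost always `O_CLOEXEC` (or `os.set_inheritable(fd, False)`) on the descriptor that should not have crossed the boundary.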
Andrea Menin brings us a great find with a deviously simple WAF bypass. The core bug belongs to ModSecurity and the variables it exposes for use by the various rulesets others have built on top of it.
Deep within BuildKit there is access to the privileged gRPC API, which could be abused to break out of a container during build time.
This vulnerability impacts Kubernetes setups using NGINX as the ingress controller via [ingress-nginx](https://github.com/kubernetes/ingress-nginx). At first I wanted to blame this one on block-listing when they should have used an allow-list, but it's not quite that; it is basically just a missed edge case that allows for code execution.
Orca Security presents a privilege escalation method in Azure environments. It's nothing too crazy, but at least worth taking note of. The first concept to understand is Azure Storage Account keys: when you first create a storage account, by default Azure generates two 512-bit storage account access keys that can be used to access the account...
A look at how logging attacker-controlled data can be problematic in Azure Pipelines, potentially leading to code execution and access to sensitive environment variables.
At its core, we have a simple mistake that can be made pretty easily on all of the cloud platforms, though this post focuses in on Azure App Services and Azure Functions. Being able to easily add authentication to your apps on either is nice, but they can easily be misconfigured...
Two CloudTrail logging vulnerabilities have been identified, involving endpoints/services that fail to log properly.
A bit of research on leaking access tokens from OAuth2/OIDC flows. In all cases you already need a cross-site scripting vulnerability to exist on the host receiving the callback, but it does present an interesting case of escalating two often-unimportant issues, a self-XSS and a login CSRF, into an account takeover.
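The login-CSRF half of that chain comes down to whether the OAuth callback checks that the flow was started by the same browser session. The snippet below is an added example for this page, not code from the research above: a minimal callback handler in its vulnerable form beside a hardened one that binds a random `state` value to the session and accepts it exactly once. The provider token exchange is replaced by the constructed `PROVIDER_CODES` table and the IdP URL is hypothetical; the self-XSS part of the chain is not modelled.

```python
import hmac
import secrets
from dataclasses import dataclass
from typing import Optional


@dataclass
class Session:
    """Server-side session for one browser."""
    user: Optional[str] = None
    oauth_state: Optional[str] = None


# Constructed stand-in for the provider's token endpoint: authorization code -> identity.
# Hypothetical values, not taken from the original post.
PROVIDER_CODES = {
    "code-for-victim": "victim@example.com",
    "code-for-attacker": "attacker@example.com",
}

AUTHORIZE_URL = "https://idp.example/authorize"   # hypothetical IdP


def begin_login(session: Session) -> str:
    """Hardened start of the flow: mint a random state and bind it to this session."""
    session.oauth_state = secrets.token_urlsafe(32)
    return f"{AUTHORIZE_URL}?response_type=code&state={session.oauth_state}"


def callback_vulnerable(session: Session, params: dict) -> bool:
    """Accepts any code that arrives (no state check).

    An attacker who completes their own authorization and then makes the victim's
    browser visit /callback?code=<attacker's code> logs the victim into the
    attacker's account (login CSRF). On its own that is low impact; combined with
    a self-XSS on this host it becomes the first half of an account takeover.
    """
    identity = PROVIDER_CODES.get(params.get("code"))
    if identity is None:
        return False
    session.user = identity
    return True


def callback_hardened(session: Session, params: dict) -> bool:
    """Only accepts a callback for a flow this very session started."""
    expected = session.oauth_state
    got = params.get("state", "")
    if not expected or not hmac.compare_digest(expected.encode(), got.encode()):
        return False                     # forged or cross-session callback
    session.oauth_state = None           # single use: a replay fails the check above
    identity = PROVIDER_CODES.get(params.get("code"))
    if identity is None:
        return False
    session.user = identity
    return True


def demo():
    victim = Session()
    forced = callback_vulnerable(victim, {"code": "code-for-attacker"})
    print("vulnerable: forced login accepted?", forced, "user:", victim.user)

    victim = Session()
    begin_login(victim)
    forced = callback_hardened(victim, {"code": "code-for-attacker", "state": "guess"})
    print("hardened: forged callback accepted?", forced, "user:", victim.user)


if __name__ == "__main__":
    demo()
```

The hardened handler also clears the stored state after use, so a leaked callback URL cannot be replayed into the same session; OIDC's `nonce` plays the equivalent role for the ID token itself.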
Cool, yet simple finding from the Datadog security team where calls to an undocumented `iamadmin` service would not appear in CloudTrail logs but could reproduce the functionality of several standard IAM service methods.
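Both CloudTrail items above (the two unlogged endpoints and the `iamadmin` service) share the same practical consequence: an IAM change can happen with no API call in the trail to explain it. The script below is an added example for this page, not code from either write-up. It reconciles a list of observed IAM state changes (as you would get by diffing two `GetAccountAuthorizationDetails` snapshots or from AWS Config) against CloudTrail IAM events and reports the changes with no matching call. The events, state changes and the five-minute matching window are constructed for illustration.

```python
from datetime import datetime, timedelta

TIME_FMT = "%Y-%m-%dT%H:%M:%SZ"

# Constructed CloudTrail events (hypothetical, not from the original posts).
SAMPLE_CLOUDTRAIL = [
    {"eventTime": "2024-01-10T10:00:00Z", "eventSource": "iam.amazonaws.com",
     "eventName": "CreateAccessKey",
     "requestParameters": {"userName": "deploy"}},
    {"eventTime": "2024-01-10T10:05:00Z", "eventSource": "iam.amazonaws.com",
     "eventName": "AttachUserPolicy",
     "requestParameters": {"userName": "deploy",
                           "policyArn": "arn:aws:iam::aws:policy/ReadOnlyAccess"}},
]

# Constructed IAM state changes observed between two snapshots. Every one of
# these should have a logged API call behind it; the third one does not.
SAMPLE_STATE_CHANGES = [
    {"time": "2024-01-10T10:00:02Z", "kind": "AccessKeyCreated", "userName": "deploy"},
    {"time": "2024-01-10T10:05:01Z", "kind": "PolicyAttached", "userName": "deploy",
     "policyArn": "arn:aws:iam::aws:policy/ReadOnlyAccess"},
    {"time": "2024-01-10T11:30:00Z", "kind": "PolicyAttached", "userName": "deploy",
     "policyArn": "arn:aws:iam::aws:policy/AdministratorAccess"},
]

# Which logged IAM call explains which observed state change.
CHANGE_TO_EVENT = {
    "AccessKeyCreated": "CreateAccessKey",
    "PolicyAttached": "AttachUserPolicy",
    "UserCreated": "CreateUser",
}


def _parse(ts: str) -> datetime:
    return datetime.strptime(ts, TIME_FMT)


def _explains(event: dict, change: dict, window: timedelta) -> bool:
    """True if this CloudTrail event accounts for the observed change."""
    if event.get("eventSource") != "iam.amazonaws.com":
        return False
    if event.get("eventName") != CHANGE_TO_EVENT.get(change["kind"]):
        return False
    params = event.get("requestParameters") or {}
    # Every identifying field present on the change must match the request.
    for key in ("userName", "policyArn"):
        if key in change and params.get(key) != change[key]:
            return False
    # The call must precede the observed change, and not by more than the window.
    delta = _parse(change["time"]) - _parse(event["eventTime"])
    return timedelta(0) <= delta <= window


def unlogged_changes(events, changes, window=timedelta(minutes=5)):
    """Return the state changes that no CloudTrail IAM event explains."""
    return [c for c in changes if not any(_explains(e, c, window) for e in events)]


if __name__ == "__main__":
    for change in unlogged_changes(SAMPLE_CLOUDTRAIL, SAMPLE_STATE_CHANGES):
        print("no CloudTrail event explains:", change)
```

A change that shows up in the state diff but never in the trail is exactly the signal these two findings leave behind, so this reconciliation is worth running even when CloudTrail itself looks quiet; the window and field mapping should be tuned to how often the snapshots are taken.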