Microsoft fixes Oracle padding vulnerability in Azure Storage SDK

As part of its July 2022 Patch Tuesday, Microsoft released an update for the Azure Storage SDK, to address an oracle padding vulnerability in client-side encryption.

The Azure Storage SDK includes all the necessary resources that Python, .NET, or Java developers need to build Azure applications that leverage cloud computing resources.

The SDK supports client-side encryption with a customer-managed key that’s stored in Azure Key Vault or another keystore. The previous version of the SDK uses Cipher Block Chaining (CBC) mode for encryption.

Tracked as CVE-2022-30187, the security bug was identified in the SDK’s previous CBC mode implementation and could allow an attacker to “decrypt client-side data and leak file or blob contents. “.

According to Microsoft, however, an attacker seeking to exploit the issue needs write access to the blob and must also observe decryption failures.

“The attacker would need to make 128 attempts per byte of plain text to decrypt the contents of the blob. We consider this combination of qualifiers together for an attack to be rare,” the tech giant notes.

Additionally, Microsoft says the impact of this vulnerability is low because only a small group of customers use this client-side encryption to “encrypt their data on the customer with a customer-managed key that is stored in Azure Key Vault or another key store”. before uploading to Azure Storage.

The vulnerability was mitigated with the release of a new version of the Azure Storage SDK Client-Side Encryption (v2), which became generally available on July 12, 2022. The new version uses AES-GCM for client-side encryption.

The tech giant recommends all customers who need a client-side encryption update to the new version, pointing out that the new version allows customers to read and write data that has been encrypted with the previous version of the SDK.

However, the company also notes that in addition to updating their code to use the new SDK and client-side encryption versions, customers should also consider migrating previously encrypted data to the new client-side encryption version by ” downloading, encrypting them again, and downloading it again.”

Microsoft also emphasizes that it is not aware of this vulnerability being exploited in any attacks, thanking Google for responsibly disclosing the vulnerability.

Related: Microsoft Patch Tuesday: 84 Windows Vulnerabilities Including Day Zero Already Exploited

Related: DLL Hijacking Flaw Fixed in Microsoft Azure Site Recovery

Related: Microsoft Azure Vulnerability Allowed Code Execution, Data Theft

Related: Azure Service Fabric Vulnerability Could Lead to Cluster Takeover

Ionut Argire is an international correspondent for SecurityWeek.

Previous columns by Ionut Arghire:
Key words:

Comments are closed.