Moderate severity · NVD Advisory · Published Jul 12, 2022 · Updated Jul 8, 2025

Azure Storage Library Information Disclosure Vulnerability

CVE-2022-30187

Description

The Azure Storage Encryption SDK is vulnerable to a CBC padding oracle attack, letting an attacker with write access to a blob container decrypt stored data without the key.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Vulnerability

Overview

The Azure Storage Encryption library (the Java SDK and other language SDKs) contains a vulnerability that enables a CBC padding oracle attack [2]. This class of attack, similar to CVE-2020-8911, allows an attacker to recover plaintext from encrypted data by observing whether decryption succeeds or fails. The library currently only supports AES-CBC as the encryption mode and does not compute a Message Authentication Code (MAC) on the encrypted data, which leaves the ciphertext open to manipulation [2].

Exploitation

Prerequisites and Method

To exploit CVE-2022-30187, an attacker must have write access to the target blob storage container and access to an endpoint that reveals decryption failures (without returning the decrypted plaintext) [2]. With these prerequisites, the attacker can send modified ciphertext to the endpoint and observe padding errors. By exploiting the structure of CBC mode and PKCS#5 padding, the attacker can recover the plaintext block by block, requiring on average 128 queries per byte of plaintext [2].

Impact

An attacker who successfully exploits this vulnerability can learn the contents of encrypted blobs stored in Azure Storage. This is an information disclosure that compromises the confidentiality of the data, even though the attacker does not know the encryption key [2]. The severity is rated as Moderate, though it poses insider risks and can circumvent controls designed to protect stored data [2].

Mitigation

Status

Microsoft released an update to the Azure Storage SDKs on July 11, 2022, and the vulnerability was publicly disclosed on July 17, 2022 [1][2]. Users should update to the latest version of the SDK. No workaround is available other than applying the patch or using a different encryption mode if supported [2].

AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package                        Ecosystem   Affected versions   Patched versions
Azure.Storage.Queues           NuGet       < 12.11.0           12.11.0
Azure.Storage.Blobs            NuGet       < 12.13.0           12.13.0
com.azure:azure-storage-blob   Maven       < 12.18.0           12.18.0
azure-storage-queue            PyPI        < 12.4.0            12.4.0
azure-storage-blob             PyPI        < 12.13.0           12.13.0
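
One way to act on the PyPI rows of the table above, as an added example (not code from the advisory, Microsoft or this page): a check that flags exact pins in requirements-style text that fall below the patched versions. The requirements format, the function names and the sample input are assumptions; a pre-release of a patched version is treated as affected because it sorts below the final release.

```python
import re

# First fixed releases for the PyPI rows of the table above.
PATCHED = {"azure-storage-blob": "12.13.0", "azure-storage-queue": "12.4.0"}
PIN = re.compile(r"^\s*([A-Za-z0-9._-]+)\s*(?:\[[^\]]*\])?\s*==\s*([^\s;#]+)")
VER = re.compile(r"^(\d+(?:\.\d+)*)(.*)$")

def normalize(name):
    """PEP 503: names are case-insensitive and runs of -_. are equivalent."""
    return re.sub(r"[-_.]+", "-", name).lower()

def sort_key(version):
    """Release tuple padded to 4 parts, then 0 for a pre-release or 1 for a final."""
    m = VER.match(version)
    if not m:
        raise ValueError(f"unparseable version: {version!r}")
    release = [int(p) for p in m.group(1).split(".")]
    release += [0] * (4 - len(release))
    suffix = m.group(2).lower()
    is_final = suffix == "" or suffix.startswith(("+", ".post"))
    return tuple(release[:4]) + (1 if is_final else 0,)

def affected_pins(requirements_text):
    """Return (package, pinned, patched) for each exact pin below the fix."""
    findings = []
    for line in requirements_text.splitlines():
        m = PIN.match(line)
        if not m:
            continue  # comments, blank lines, unpinned or ranged requirements
        name, pinned = normalize(m.group(1)), m.group(2)
        patched = PATCHED.get(name)
        if patched and sort_key(pinned) < sort_key(patched):
            findings.append((name, pinned, patched))
    return findings

# Constructed sample input, not taken from any real project.
SAMPLE = """\
# storage clients
azure-storage-blob==12.9.0
Azure_Storage_Queue==12.4.0
azure-storage-blob[aio]==12.13.0b1 ; python_version >= "3.8"
requests==2.31.0
"""

if __name__ == "__main__":
    for name, pinned, patched in affected_pins(SAMPLE):
        print(f"{name} {pinned} is affected; upgrade to >= {patched}")
```

Only exact `==` pins are evaluated; ranged or unpinned requirements are skipped and need a resolved lock file to check.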

Affected products

34

References

5