"Microsoft Resolves Padding Oracle Vulnerability in Azure Storage SDK"

Microsoft has recently released an update for the Azure Storage SDK to address a padding oracle vulnerability in client-side encryption.  The Azure Storage SDK includes all of the necessary resources that Python, .NET, or Java developers need to build Azure applications that leverage cloud computing resources.  Microsoft noted that the SDK supports client-side encryption with a customer-managed key that is stored in Azure Key Vault or in a different key store.  The previous SDK release uses cipher block chaining (CBC) mode for the encryption.  The vulnerability, tracked as CVE-2022-30187, was identified in the SDK’s previous implementation of CBC mode and could allow an attacker to “decrypt data on the client side and disclose the content of the file or blob.”  Microsoft noted that an attacker looking to exploit the issue needs write access to the blob and also needs to observe decryption failures.  Microsoft stated that the attacker would need to perform 128 attempts per byte of plain text to decrypt blob contents.  Microsoft noted that the impact of this vulnerability is low, as only a small set of customers use this client-side encryption to “encrypt their data on the client with a customer-managed key that is maintained in Azure Key Vault or another key store before uploading to Azure Storage.”  The vulnerability was mitigated with the release of a new version of Azure Storage SDK client-side encryption (v2), which became generally available on July 12, 2022.  The new version uses AES-GCM for client-side encryption.  Microsoft recommends that all customers who require client-side encryption update to the newly released version, pointing out that the latest release enables customers to read and write data that has been encrypted with the previous SDK version.  Microsoft also noted that, in addition to updating their code to use the new SDK and client-side encryption versions, customers should also consider migrating previously encrypted data to the new client-side encryption version by “downloading it, reencrypting it, and uploading it again.”  Microsoft noted that it is unaware of this vulnerability being exploited in attacks, crediting Google for responsibly disclosing the vulnerability.

 

SecurityWeek reports: "Microsoft Resolves Padding Oracle Vulnerability in Azure Storage SDK"

Submitted by Anonymous on