Microsoft recently mitigated a set of vulnerabilities in Azure Site Recovery (ASR) and released fixes today, July 12, as part of our regular Update Tuesday cycle. These vulnerabilities affect all ASR on-premises customers using a VMware/Physical to Azure scenario and are fixed in the latest ASR 9.49 release. We recommend customers update to the latest version of ASR at https://aka.ms/upgrade-to-9.49 to remain secure.
Microsoft is not aware of any exploitation of these vulnerabilities, which only impact replication capabilities, not customer workloads. There is also no risk of cross-tenant data exposure since this is an on-premises offering.
In addition, these CVEs are contingent on an attacker compromising legitimate credentials in your ASR on-premises environment. If you believe you are impacted by this set of vulnerabilities, please raise a support case at aka.ms/azsupt for assistance.
For more detailed information on these CVEs, please see the Additional References section below.
The following types of CVEs are included in today’s fixes:
- SQL Injection (SQLi): The primary category of remediated CVEs is SQLi vulnerabilities that could result in an Elevation of Privilege (EoP). To leverage these vulnerabilities, an attacker requires administrative credentials for an ASR-protected VM. We are continuing to improve input sanitization to ensure ASR is hardened against similar vectors.
- Elevation of Privilege (EoP): The second category includes EoP vectors unrelated to SQLi whereby a normal user can elevate their privileges. One of these is CVE-2022-33675, which was disclosed by one of our research partners today and specifically affects the ASR Process Server component. This component is only used in VMware to Azure disaster recovery scenarios. To leverage this specific vulnerability, an attacker first requires standard user credentials for the system running ASR Process Server.
- Remote Code Execution (RCE): The third category is RCE vulnerabilities affecting ASR appliances. To leverage these vulnerabilities, an attacker requires administrative credentials for an ASR-protected VM in order to execute arbitrary code on ASR appliances under certain conditions.
To recap, these vulnerabilities affect all ASR on-premises customers using a VMware/Physical to Azure scenario and are fixed in the latest ASR 9.49 release. We recommend updating to the latest version of ASR at https://aka.ms/upgrade-to-9.49 to remain secure.
We would like to thank the researcher community who reported these vulnerabilities and worked with the Microsoft Security Response Center (MSRC) under Coordinated Vulnerability Disclosure (CVD) to help keep Microsoft customers safe.