Microsoft resolves vulnerability by updating Azure Storage SDK in its latest security patch

Microsoft has released an update for the Azure Storage SDK that addresses a padding oracle vulnerability as part of its July 2022 Patch Tuesday. The Azure Storage SDK provides libraries for Python, .NET, or Java developers to build Azure applications that access its cloud storage services.

The security researchers said that the bug is tracked as CVE-2022-30187 and stems from the SDK's use of the cipher block chaining (CBC) mode of operation, which can give an attacker a way in. The SDK supports client-side encryption with a customer-managed key that can be stored in Azure Key Vault. However, because the SDK used CBC mode for that encryption, an attack could “decrypt data on the client side and disclose the content of the file or blob.”

Microsoft said that an attacker would need write access to the blob and the ability to observe decryption failures. The company said, “The attacker would need to perform 128 attempts per byte of plain text to decrypt blob contents. We view putting this combination of qualifiers together for an attack to be rare.”

The tech giant said that client-side encryption lets customers encrypt their data with a customer-managed key maintained by Azure Key Vault or another key store such as Azure Storage. With the new update to the Azure Storage SDK, the vulnerability has been mitigated considerably. The new version also lets customers read and write data that was encrypted with the previous SDK version.

The company also added that clients should migrate previously encrypted data to the new client-side encryption version by downloading, re-encrypting, and uploading it. The company has also credited Google for disclosing the vulnerability.
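Before migrating, it helps to know which blobs still carry the older encryption format. The following is an added example, not code from Microsoft or the SDK: it assumes the SDK records a JSON envelope under the blob metadata key `encryptiondata` whose `EncryptionAgent.Protocol` is `1.0` for the CBC-based format, and the blob names and metadata shown are constructed.

```python
import json

# Assumption: the CBC-based client-side encryption format is marked by
# EncryptionAgent.Protocol == "1.0" in the "encryptiondata" metadata envelope.
LEGACY_PROTOCOLS = {"1.0"}

def classify_blob(metadata):
    """Return 'not-client-encrypted', 'legacy-cbc', 'current' or 'unparseable'."""
    # Metadata names travel as HTTP headers, so match the key case-insensitively.
    raw = next((v for k, v in metadata.items() if k.lower() == "encryptiondata"), None)
    if raw is None:
        return "not-client-encrypted"
    try:
        agent = json.loads(raw)["EncryptionAgent"]
        protocol = str(agent["Protocol"])
        algorithm = str(agent.get("EncryptionAlgorithm", ""))
    except (ValueError, KeyError, TypeError, AttributeError):
        # A damaged envelope must not be silently treated as safe.
        return "unparseable"
    if protocol in LEGACY_PROTOCOLS or "CBC" in algorithm.upper():
        return "legacy-cbc"
    return "current"

def migration_queue(inventory):
    """Split an inventory {blob_name: metadata} into (to_migrate, to_review)."""
    to_migrate, to_review = [], []
    for name, metadata in sorted(inventory.items()):
        state = classify_blob(metadata)
        if state == "legacy-cbc":
            to_migrate.append(name)   # download, re-encrypt, upload
        elif state == "unparseable":
            to_review.append(name)    # needs a human decision
    return to_migrate, to_review

def envelope(protocol, algorithm):
    # Constructed sample envelope; key material fields are omitted.
    return json.dumps({"EncryptionAgent": {"Protocol": protocol,
                                           "EncryptionAlgorithm": algorithm}})

# Constructed inventory, e.g. as gathered from a blob listing with metadata.
SAMPLE_INVENTORY = {
    "reports/q1.bin": {"encryptiondata": envelope("1.0", "AES_CBC_256")},
    "reports/q2.bin": {"EncryptionData": envelope("2.0", "AES_GCM_256")},
    "public/logo.png": {},
    "tmp/broken.bin": {"encryptiondata": "{not json"},
}

if __name__ == "__main__":
    print(migration_queue(SAMPLE_INVENTORY))
```

Blobs in the first list are the ones to download, re-encrypt with the updated SDK, and upload; the second list holds envelopes that could not be read and need manual review.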
