This month’s extensive Patch Tuesday release from Microsoft contained solutions for a number of high-severity flaws that had an impact on the Azure Site Recovery service.
Site recovery, which guarantees that both applications and workloads continue to run on a secondary location, and data backup services are only two examples of the solutions that make up the Azure Site Recovery package for maintaining business continuity during outages. A DLL hijacking problem in the Azure Site Recovery process server component, which may let any user elevate privileges to those of SYSTEM, is one vulnerability that Microsoft particularly mentions.
The problem, designated CVE-2022-33675, was caused by improper permissions for the executable directory of the service, which permitted any user to add new files. The service started from this directory and reportedly runs automatically, according to Tenable, the business credited with finding the issue.