Microsoft has patched a flaw in the Azure Automation service that may have enabled intruders to take full control of data belonging to other Azure users. The Microsoft Azure Automation service provides process automation, configuration management, and update management, and it runs each customer's scheduled jobs in a sandbox isolated from other Azure clients.
The vulnerability, named AutoWarp by Orca Security cloud security researcher Yanir Tsarimi, who discovered it, allowed an adversary to obtain other Azure customers’ Managed Identities authentication tokens from an internal server that manages other users’ sandboxes. “Someone with evil intent could’ve continued to gather tokens, expanding the assault to more Azure customers with each token,” Yanir Tsarimi said.
“Depending on the permissions provided by the customer, this attack could result in complete control over the targeted account’s resources and data.” “We uncovered huge organizations at risk (including a multinational telecommunications company, two automobile manufacturers, a financial conglomerate, the Big Four accounting firms, and others).”
This issue affects Azure Automation accounts that have the Managed Identity feature activated (toggled on by default, according to Tsarimi). “Automation accounts that employ an Automation Hybrid worker for execution and/or Automation Run-As accounts for resource access were not affected,” according to Microsoft.
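The two facts above, that only Automation accounts with a Managed Identity were affected and that the impact of a stolen token depends on the permissions the customer granted that identity, suggest a simple triage for defenders: enumerate the Automation accounts that carry a Managed Identity, then list the role assignments attached to each identity's principal and flag broad built-in roles granted at subscription scope. The script below is an added example and is not code from Microsoft, Orca Security, or the article; the account and role-assignment records are constructed inline in the field layout that `az resource list` and `az role assignment list` return (`identity.type`, `identity.principalId`, `principalId`, `roleDefinitionName`, `scope`), with made-up names and GUIDs, so it runs offline. In a real tenant the two lists would be fetched from ARM and Azure RBAC instead.

```python
"""
Triage: which Azure Automation accounts run jobs under a Managed Identity, and how
far could a token for that identity reach?  Added example (not Microsoft's or Orca's
code).  Sample records below are constructed; field names follow ARM output.
"""
from dataclasses import dataclass

# Built-in roles that, at subscription scope, amount to "complete control over the
# targeted account's resources and data".
BROAD_ROLES = {"Owner", "Contributor", "User Access Administrator"}

# Constructed sample: Automation accounts as ARM resource records.
AUTOMATION_ACCOUNTS = [
    {
        "name": "aa-prod-patching",
        "resourceGroup": "rg-ops",
        # System-assigned Managed Identity: the affected configuration.
        "identity": {"type": "SystemAssigned",
                     "principalId": "11111111-1111-1111-1111-111111111111"},
    },
    {
        "name": "aa-legacy-runas",
        "resourceGroup": "rg-ops",
        # Run-As account instead of a Managed Identity: not affected.
        "identity": None,
    },
]

# Constructed sample: role assignments as `az role assignment list` prints them.
ROLE_ASSIGNMENTS = [
    {"principalId": "11111111-1111-1111-1111-111111111111",
     "roleDefinitionName": "Contributor",
     "scope": "/subscriptions/00000000-0000-0000-0000-000000000000"},
    {"principalId": "11111111-1111-1111-1111-111111111111",
     "roleDefinitionName": "Reader",
     "scope": "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/rg-ops"},
]


@dataclass
class Finding:
    account: str
    principal_id: str
    role: str
    scope: str
    broad: bool  # True when a broad role is granted at subscription scope


def scope_depth(scope: str) -> int:
    """Number of path segments: a subscription scope is 2, a resource group 4, a resource deeper."""
    return len([s for s in scope.split("/") if s])


def managed_identity_accounts(accounts):
    """Accounts whose jobs run with a system-assigned Managed Identity (the affected setup).

    User-assigned identities live under identity.userAssignedIdentities and are not
    expanded here.
    """
    out = []
    for acc in accounts:
        ident = acc.get("identity") or {}
        if ident.get("type", "None") != "None" and ident.get("principalId"):
            out.append(acc)
    return out


def triage(accounts, assignments):
    """For each affected account, list what a token for its identity could reach."""
    findings = []
    for acc in managed_identity_accounts(accounts):
        pid = acc["identity"]["principalId"]
        for ra in assignments:
            if ra["principalId"] != pid:
                continue
            broad = ra["roleDefinitionName"] in BROAD_ROLES and scope_depth(ra["scope"]) <= 2
            findings.append(Finding(acc["name"], pid, ra["roleDefinitionName"], ra["scope"], broad))
    return findings


if __name__ == "__main__":
    for f in triage(AUTOMATION_ACCOUNTS, ROLE_ASSIGNMENTS):
        flag = "BROAD " if f.broad else "      "
        print(f"{flag}{f.account}: {f.role} @ {f.scope}")
```

Findings marked `BROAD` are the ones to act on first: narrowing the identity's role to the specific resources a runbook touches limits what any leaked token, whether from AutoWarp or a future bug in the same trust boundary, could reach.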
Four days after Tsarimi reported the security weakness to the Microsoft Security Response Center, Microsoft addressed it on December 10 by restricting access to auth tokens to the single sandbox with legitimate access. The company announced the flaw yesterday, stating that it had found no evidence that Managed Identities tokens had been misused or that AutoWarp had been exploited in attacks.
All Azure Automation service users who were affected were alerted, and Microsoft advised them to implement the security best practices described here. In December, Redmond patched another Azure flaw (dubbed NotLegit) that allowed attackers to view the source code of customers’ Azure web apps.