Microsoft has acknowledged the existence of a flaw in its Azure cloud computing service that allowed users full access to other users’ accounts.
The flaw was dubbed “AutoWarp” by Orca Security, which discovered and reported it.
The vulnerability only impacted users of the Azure Automation Service. That service allows Azure users to use PowerShell or Python to write runbooks that automate many actions within Azure. “Trigger automation from ITSM, DevOps and monitoring systems to fulfil requests and ensure continuous delivery and management,” suggests Microsoft’s product info page.
The Automation Service doesn’t let just anyone initiate actions on your Azure rig: you need to link it to a managed identity that has the relevant permissions.
But as Microsoft has admitted, its service went a bit too far and “a user running an automation job in an Azure Sandbox could have acquired the Managed Identities tokens of other automation jobs, allowing access to resources within the Automation Account’s Managed Identity.”
Orca Security’s Yanir Tsarimi tested the extent of the flaw – ironically by using Azure Automation. He was able to access many tokens and quickly found it was possible to access Azure accounts belonging to “a global telecommunications company, two car manufacturers, a banking conglomerate, big four accounting firms, and more.”
The good news is that Tsarimi ran those tests on December 7, 2021 – a day after he reported the flaw to Microsoft. On December 10, Microsoft fixed the flaw and started to look for other variations on the theme.
Microsoft and Orca Security both revealed the flaw on March 7, along with news that the software giant “has not detected evidence of misuse of tokens.”
Microsoft has presumably also had time to ensure that Managed Identities Tokens don’t allow miscreants to get up to other forms of mischief.
The incident should be embarrassing for Microsoft, because properly isolated and secure multi-tenancy is a fundamental tenet of public cloud computing. That the identity service was left on by default also runs counter to accepted wisdom on prudent security.
It’s also the third major flaw recently found in Azure. In September 2021 the company revealed the “OHMIGOD” remote code execution mess, and in December 2021 disclosed the NotLegit flaw that allowed unauthorized file downloads and was present for four years.
Microsoft has since published guidance on how to secure the Automation Service. And hopefully also similar documentation for its own staff. ®