A "by-design flaw" uncovered in Microsoft Azure could be exploited by attackers to gain access to storage accounts, move laterally within the environment, and even execute remote code.
"It is possible to abuse and leverage Microsoft Storage Accounts by manipulating Azure Functions to steal access-tokens of higher privilege identities, move laterally, potentially access critical business assets, and execute remote code (RCE)," Orca said in a new report shared with The Hacker News.
The exploitation path that underpins this attack is a mechanism called Shared Key authorization, which is enabled by default on storage accounts.
According to Microsoft, Azure generates two 512-bit storage account access keys when creating a storage account. These keys can be used to authorize access to data via Shared Key authorization, or via SAS tokens that are signed with the shared key. Because the key is the only secret involved, any request (or SAS token) carrying a valid signature is indistinguishable from one made by the account owner, and there is no per-user identity to audit or revoke short of rotating the key.
"Storage account access keys provide full access to the configuration of a storage account, as well as the data," Microsoft notes in its documentation. "Access to the shared key grants a user full access to a storage account's configuration and its data."
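To make concrete why holding a shared key amounts to holding the account, the following added example (not code from Orca's report or from Microsoft) reproduces the Shared Key signing scheme Azure Storage documents for the Blob service: the client builds a canonical string-to-sign from the request, computes HMAC-SHA256 over it with the base64-decoded 512-bit account key, and sends the base64 signature in the Authorization header. The `demoaccount` name, both keys, and the request are constructed for illustration and are not real credentials; `demo()` signs a read of a Function app's `host.json` with one key and shows that the same request fails once the account has rotated to the other key.

```python
"""Shared Key request signing for Azure Storage, reproduced offline.

Added example, not code from Orca or Microsoft. The account name, both
keys and the request below are constructed; they are not real credentials.
"""
import base64
import hashlib
import hmac
from urllib.parse import parse_qsl, urlsplit

# Constructed 512-bit keys, mimicking the two keys Azure generates per account.
ACCOUNT = "demoaccount"
KEY1 = base64.b64encode(bytes(range(64))).decode()
KEY2 = base64.b64encode(bytes(range(64, 128))).decode()

# Standard headers that enter the string-to-sign, in the documented order.
STANDARD_HEADERS = [
    "content-encoding", "content-language", "content-length", "content-md5",
    "content-type", "date", "if-modified-since", "if-match", "if-none-match",
    "if-unmodified-since", "range",
]


def _canonicalized_headers(headers):
    # All x-ms-* headers, lower-cased names, sorted, each as "name:value\n".
    items = sorted(
        (k.lower().strip(), v.strip())
        for k, v in headers.items() if k.lower().startswith("x-ms-")
    )
    return "".join(f"{k}:{v}\n" for k, v in items)


def _canonicalized_resource(account, url):
    # "/<account><path>" followed by each query parameter, sorted by
    # lower-cased name, as "\nname:value" (repeated names comma-joined).
    parts = urlsplit(url)
    resource = f"/{account}{parts.path}"
    params = {}
    for k, v in parse_qsl(parts.query, keep_blank_values=True):
        params.setdefault(k.lower(), []).append(v)
    for k in sorted(params):
        resource += f"\n{k}:{','.join(sorted(params[k]))}"
    return resource


def string_to_sign(account, method, url, headers):
    h = {k.lower(): v for k, v in headers.items()}
    values = []
    for name in STANDARD_HEADERS:
        v = h.get(name, "")
        if name == "content-length" and v == "0":
            v = ""  # a zero Content-Length is signed as an empty string
        values.append(v)
    return (
        "\n".join([method.upper(), *values]) + "\n"
        + _canonicalized_headers(headers)
        + _canonicalized_resource(account, url)
    )


def sign(account, account_key_b64, method, url, headers):
    """Return the Authorization header value for this request."""
    key = base64.b64decode(account_key_b64)
    msg = string_to_sign(account, method, url, headers).encode("utf-8")
    digest = hmac.new(key, msg, hashlib.sha256).digest()
    return f"SharedKey {account}:{base64.b64encode(digest).decode()}"


def verify(account, account_key_b64, method, url, headers, authorization):
    """What the service does: recompute the header and compare in constant time."""
    expected = sign(account, account_key_b64, method, url, headers)
    return hmac.compare_digest(expected, authorization)


def demo():
    # Constructed request: read a Function app's host.json from its storage.
    url = f"https://{ACCOUNT}.blob.core.windows.net/app-code/host.json"
    headers = {"x-ms-date": "Tue, 11 Apr 2023 10:00:00 GMT",
               "x-ms-version": "2021-08-06"}
    auth = sign(ACCOUNT, KEY1, "GET", url, headers)
    # Whoever holds KEY1 produces this exact header; nothing ties it to a person.
    ok_with_key1 = verify(ACCOUNT, KEY1, "GET", url, headers, auth)
    # After rotating to KEY2 (or disabling Shared Key) the same request fails.
    ok_with_key2 = verify(ACCOUNT, KEY2, "GET", url, headers, auth)
    return ok_with_key1, ok_with_key2


if __name__ == "__main__":
    print(demo())
```

The same HMAC construction is what a SAS token carries, which is why an account-key-signed SAS is also invalidated by rotating that key, and why the key itself must be treated as a root credential rather than a connection-string detail.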
The cloud security firm said these access tokens could be stolen by manipulating Azure Functions, potentially enabling a threat actor with access to an account holding the Storage Account Contributor role (which, among other things, permits listing the account keys) to escalate privileges and take over systems.
Specifically, if the Function app runs with a managed identity, an attacker who can write to the app's storage can make it execute arbitrary commands. This is possible because a dedicated storage account is created when deploying an Azure Function app, and that account holds the function's code: whoever can modify the files there controls what the app runs.
"Once an attacker locates the storage account of a Function app that is assigned with a strong managed identity, it can run code on its behalf and as a result acquire a subscription privilege escalation (PE)," Orca researcher Roi Nisimi said.
In other words, by exfiltrating the access-token of the Azure Function app's assigned managed identity to a remote server, a threat actor can elevate privileges, move laterally, access new resources, and execute a reverse shell on virtual machines.
"By overriding function files in storage accounts, an attacker can steal and exfiltrate a higher-privileged identity and use it to move laterally, exploit and compromise victims' most valuable crown jewels," Nisimi explained.
As mitigations, it's recommended that organizations consider disabling Azure Shared Key authorization and using Azure Active Directory authentication instead. In a coordinated disclosure, Microsoft said it "plans to update how Functions client tools work with storage accounts."
"This includes changes to better support scenarios using identity. After identity-based connections for AzureWebJobsStorage are generally available and the new experiences are validated, identity will become the default mode for AzureWebJobsStorage, which is intended to move away from shared key authorization," the tech giant further added.
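Before flipping Shared Key off on a storage account, a practitioner wants to know which Function apps still reach that account with a key, because those apps stop working the moment the setting changes. The following added example (not Orca's or Microsoft's code) audits that from data shaped like the JSON returned by `az storage account list` and `az functionapp config appsettings list`. The account and app names and the AccountKey value are constructed; the identity-based setting names (`AzureWebJobsStorage__accountName`, `AzureWebJobsStorage__blobServiceUri`, and similar) follow Microsoft's documented convention for replacing the `AzureWebJobsStorage` connection string with a managed-identity connection.

```python
"""Audit which storage accounts still allow Shared Key and which Function
apps still reach their host storage with an account key or account-key SAS.

Added example, not from Orca or Microsoft. All inputs are constructed to
resemble Azure CLI output; the names and key value are fake.
"""
import base64

# Constructed: trimmed `az storage account list` output.
# allowSharedKeyAccess is null when never set, and null means enabled.
STORAGE_ACCOUNTS = [
    {"name": "funcappstor1", "allowSharedKeyAccess": None},
    {"name": "dataprod", "allowSharedKeyAccess": False},
    {"name": "legacyshare", "allowSharedKeyAccess": True},
]

# Constructed placeholder key (base64 of 64 'x' bytes), not a real credential.
FAKE_KEY = base64.b64encode(b"x" * 64).decode()

# Constructed: `az functionapp config appsettings list` output per app.
APP_SETTINGS = {
    "payments-func": [
        {"name": "AzureWebJobsStorage",
         "value": "DefaultEndpointsProtocol=https;AccountName=funcappstor1;"
                  f"AccountKey={FAKE_KEY};EndpointSuffix=core.windows.net"},
        {"name": "FUNCTIONS_WORKER_RUNTIME", "value": "python"},
    ],
    "reports-func": [
        # Identity-based connection: no secret, the app's managed identity
        # must hold the documented data roles on the account instead.
        {"name": "AzureWebJobsStorage__accountName", "value": "dataprod"},
        {"name": "FUNCTIONS_WORKER_RUNTIME", "value": "dotnet"},
    ],
}


def parse_connection_string(cs):
    """'K=V;K=V' -> dict. Split on the first '=' only: base64 values end in '='."""
    out = {}
    for part in cs.split(";"):
        if part:
            k, _, v = part.partition("=")
            out[k] = v
    return out


def accounts_allowing_shared_key(accounts):
    return sorted(a["name"] for a in accounts
                  if a.get("allowSharedKeyAccess") is not False)


def _settings(app_settings):
    return {x["name"]: x["value"] for x in app_settings}


def host_storage_mode(app_settings):
    """How a Function app authenticates to its AzureWebJobsStorage account."""
    s = _settings(app_settings)
    if "AzureWebJobsStorage" in s:
        parts = parse_connection_string(s["AzureWebJobsStorage"])
        if "AccountKey" in parts:
            return "shared-key"
        if "SharedAccessSignature" in parts:
            return "sas"  # an account-key-signed SAS dies with the key too
        return "other"
    if any(n.startswith("AzureWebJobsStorage__") for n in s):
        return "identity"
    return "unset"


def host_storage_account(app_settings):
    s = _settings(app_settings)
    if "AzureWebJobsStorage" in s:
        return parse_connection_string(s["AzureWebJobsStorage"]).get("AccountName")
    return s.get("AzureWebJobsStorage__accountName")


def settings_embedding_keys(app_settings):
    """Any setting, not only AzureWebJobsStorage, that carries an account key."""
    return sorted(x["name"] for x in app_settings if "AccountKey=" in x["value"])


def report(accounts, apps):
    """Accounts safe to switch off Shared Key vs. ones a key-based app still needs."""
    still_enabled = accounts_allowing_shared_key(accounts)
    key_users = {}
    for app, settings in apps.items():
        if host_storage_mode(settings) in ("shared-key", "sas"):
            key_users.setdefault(host_storage_account(settings), []).append(app)
    return {
        "shared_key_enabled": still_enabled,
        "safe_to_disable": [a for a in still_enabled if a not in key_users],
        "blocked_by_apps": {a: sorted(v) for a, v in key_users.items()
                            if a in still_enabled},
        "keys_in_settings": {app: settings_embedding_keys(s)
                             for app, s in apps.items() if settings_embedding_keys(s)},
    }


if __name__ == "__main__":
    print(report(STORAGE_ACCOUNTS, APP_SETTINGS))
```

Accounts listed under `safe_to_disable` can have Shared Key turned off immediately (the Azure CLI exposes this as `az storage account update --allow-shared-key-access false`); those under `blocked_by_apps` need the named apps migrated to an identity-based `AzureWebJobsStorage` connection first, and anything under `keys_in_settings` is a key sitting in plain text in app configuration that should be rotated once the migration is done.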
The findings arrive weeks after Microsoft patched a misconfiguration issue impacting Azure Active Directory that made it possible to tamper with Bing search results and a reflected XSS vulnerability in Azure Service Fabric Explorer (SFX) that could lead to unauthenticated remote code execution.