Microsoft Azure fixes critical security bug that put user data at risk
A serious security flaw in Microsoft Azure, which could have allowed threat actors to steal customer data and identity information, has been discovered and patched.
Orca Security cybersecurity researcher Yanir Tsarimi found the flaw in Azure Automation, a service that automates processes, configuration management and update tasks, all of which run inside isolated sandboxes.
Tsarimi dubbed the flaw AutoWarp, and claims it allows threat actors to steal Azure customers’ Managed Identities authentication tokens from an internal server endpoint.
Large companies at risk
“Someone with malicious intentions could’ve continuously grabbed tokens, and with each token, widen the attack to more Azure customers,” Tsarimi said.
“This attack could mean full control over resources and data belonging to the targeted account, depending on the permissions assigned by the customer. We discovered large companies at risk (including a global telecommunications company, two car manufacturers, a banking conglomerate, big four accounting firms, and more).”
All Azure Automation customers who had the Managed Identity feature enabled (which seems to be many of them, given that the feature was toggled on by default) were impacted by the flaw, Tsarimi added.
Microsoft says it fixed the issue in early December 2021 by blocking access to auth tokens from all sandboxes except the one with legitimate access to them.
The work took Microsoft four days to complete, with the company noting that “Automation accounts that use an Automation Hybrid worker for execution and/or Automation Run-As accounts for access to resources were not impacted.”
Although Microsoft says there was no evidence of the flaw being exploited in the wild, it still notified all of the affected companies and outlined a set of recommended security practices.
Azure is the world’s second-largest cloud service provider, right behind Amazon’s AWS. It currently holds around 21% of the global cloud market share.
Via: BleepingComputer