A serious security flaw in Microsoft Azure which could have allowed threat actors to steal customer data and identity information, has been discovered and patched.
Orca Security cybersecurity researcher Yanir Tsarimi found a flaw in Azure Automation, a service that automates various processes, helps with configuration management, and updates, all of which run inside isolated sandboxes.
Tsarimi dubbed the flaw AutoWarp, and claims it allows threat actors to steal Azure customers’ Managed Identities authentication tokens from an internal server endpoint.
Large companies at risk
“Someone with malicious intentions could've continuously grabbed tokens, and with each token, widen the attack to more Azure customers,” Tsarimi said.
“This attack could mean full control over resources and data belonging to the targeted account, depending on the permissions assigned by the customer. We discovered large companies at risk (including a global telecommunications company, two car manufacturers, a banking conglomerate, big four accounting firms, and more).”
All Azure Automation customers who’ve had the Managed Identity feature enabled (which seems to be plenty, given that the feature was toggled on by default), were impacted by the flaw, Tsarimi added.
Microsoft says it fixed the issue in early December 2021 by blocking access to auth tokens to all sandboxes, except the one that had legitimate access.
But the work took Microsoft four days to complete, with the company noting that, “Automation accounts that use an Automation Hybrid worker for execution and/or Automation Run-As accounts for access to resources were not impacted.”
Although Microsoft says there was no evidence of the flaw being exploited in the wild, it still notified all of the affected companies, and outlined a set of recommended security practices.
Azure is the world’s second-largest cloud service provider, right behind Amazon’s AWS. It currently holds around 21% of the global cloud market share.
Via: BleepingComputer
English
Arabic
Belarusian
Bengali
Bosnian
Bulgarian
Chinese (Simplified)
Croatian
Czech
Danish
Dutch
Estonian
Filipino
Finnish
French
Georgian
German
Greek
Gujarati
Hausa
Hebrew
Hindi
Hmong
Hungarian
Igbo
Indonesian
Italian
Japanese
Javanese
Kazakh
Korean
Kurdish (Kurmanji)
Kyrgyz
Lao
Latvian
Lithuanian
Macedonian
Malagasy
Norwegian
Persian
Polish
Portuguese
Punjabi
Romanian
Russian
Serbian
Slovak
Slovenian
Spanish
Swedish
Thai
Turkish
Ukrainian
Vietnamese
Yoruba