A "by-design flaw" uncovered in Microsoft Azure could be exploited by attackers to gain access to storage accounts, move laterally within the environment, and even execute remote code.
"It's possible to abuse and leverage Microsoft Storage Accounts by manipulating Azure Functions to steal access-tokens of higher privilege identities, move laterally, potentially access critical business assets, and execute remote code (RCE)," Orca said in a new report shared with The Hacker News.
The exploitation path that underpins this attack is a mechanism called Shared Key authorization, which is enabled by default on storage accounts.
According to Microsoft, Azure generates two 512-bit storage account access keys when creating a storage account. These keys can be used to authorize access to data via Shared Key authorization, or via SAS tokens that are signed with the shared key.
"Storage account access keys provide full access to the configuration of a storage account, as well as the data," Microsoft notes in its documentation. "Access to the shared key grants a user full access to a storage account's configuration and its data."
The cloud security firm said these access tokens can be stolen by manipulating Azure Functions, potentially enabling a threat actor with access to an account holding the Storage Account Contributor role to escalate privileges and take over systems.
Specifically, should a managed identity be used to invoke the Function app, it could be abused to execute any command. This, in turn, is made possible because a dedicated storage account is created when deploying an Azure Function app.
"Once an attacker locates the storage account of a Function app that's assigned with a strong managed identity, it can run code on its behalf and as a result acquire a subscription privilege escalation (PE)," Orca researcher Roi Nisimi said.
In other words, by exfiltrating the access-token of the Azure Function app's assigned managed identity to a remote server, a threat actor can elevate privileges, move laterally, access new resources, and execute a reverse shell on virtual machines.
"By overriding function files in storage accounts, an attacker can steal and exfiltrate a higher-privileged identity and use it to move laterally, exploit and compromise victims' most valuable crown jewels," Nisimi explained.
As mitigations, it is recommended that organizations consider disabling Azure Shared Key authorization and using Azure Active Directory authentication instead. In a coordinated disclosure, Microsoft said it "plans to update how Functions client tools work with storage accounts."
"This includes changes to better support scenarios using identity. After identity-based connections for AzureWebJobsStorage are generally available and the new experiences are validated, identity will become the default mode for AzureWebJobsStorage, which is intended to move away from shared key authorization," the tech giant further added.
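One way a defender can check for the two weak settings discussed above, as an added example that is not Orca's or Microsoft's code: it audits the JSON that `az storage account list` and `az functionapp config appsettings list` emit, flagging accounts that still allow Shared Key authorization and Function apps whose `AzureWebJobsStorage` setting embeds an account key. The sample data is constructed, and the remediation commands printed at the end are az CLI invocations the article itself does not show.

```python
"""Audit Azure storage accounts and Function app settings for shared-key use."""
import json
import re

# Constructed sample of `az storage account list` output (fields trimmed).
# allowSharedKeyAccess is null when never set; Azure treats null as enabled.
SAMPLE_ACCOUNTS = json.dumps([
    {"name": "funcstorage01", "resourceGroup": "rg-prod", "allowSharedKeyAccess": None},
    {"name": "funcstorage02", "resourceGroup": "rg-prod", "allowSharedKeyAccess": True},
    {"name": "hardened03", "resourceGroup": "rg-prod", "allowSharedKeyAccess": False},
])

# Constructed sample of `az functionapp config appsettings list` output.
# The AccountKey value is a placeholder, not a real key.
SAMPLE_SETTINGS = json.dumps([
    {"name": "AzureWebJobsStorage",
     "value": "DefaultEndpointsProtocol=https;AccountName=funcstorage02;"
              "AccountKey=<PLACEHOLDER_KEY>;EndpointSuffix=core.windows.net"},
    {"name": "FUNCTIONS_WORKER_RUNTIME", "value": "python"},
])

def shared_key_enabled(accounts_json: str) -> list[str]:
    """Names of accounts where Shared Key auth is on (only explicit False is off)."""
    return [a["name"] for a in json.loads(accounts_json)
            if a.get("allowSharedKeyAccess") is not False]

def key_based_connections(settings_json: str) -> list[str]:
    """Setting names whose value is a connection string carrying a key or SAS."""
    pattern = re.compile(r"(^|;)(AccountKey|SharedAccessSignature)=")
    return [s["name"] for s in json.loads(settings_json)
            if pattern.search(s.get("value") or "")]

def remediation(accounts_json: str) -> list[str]:
    """az CLI commands that turn Shared Key authorization off per flagged account."""
    by_name = {a["name"]: a for a in json.loads(accounts_json)}
    return [f"az storage account update --name {n} --resource-group "
            f"{by_name[n]['resourceGroup']} --allow-shared-key-access false"
            for n in shared_key_enabled(accounts_json)]

if __name__ == "__main__":
    for line in remediation(SAMPLE_ACCOUNTS):
        print(line)
    for name in key_based_connections(SAMPLE_SETTINGS):
        # Identity-based connections replace this setting with
        # AzureWebJobsStorage__accountName plus a role assignment for the
        # app's managed identity (assumed from Microsoft's Functions docs).
        print(f"{name}: key-based connection string; switch to identity-based connection")
```

On a real subscription, pipe the two `az` commands' output into these functions instead of the embedded samples.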
The findings arrive weeks after Microsoft patched a misconfiguration issue impacting Azure Active Directory that made it possible to tamper with Bing search results and a reflected XSS vulnerability in Azure Service Fabric Explorer (SFX) that could lead to unauthenticated remote code execution.