Microsoft Azure’s ‘AutoWarp’ Bug May Have Led to Attackers Accessing Customers’ Accounts

Details have been disclosed about a now-addressed critical vulnerability in Microsoft’s Azure Automation service that could have permitted unauthorized access to other Azure customer accounts and allowed an attacker to take control of them.

“This attack could mean full control over resources and data belonging to the targeted account, depending on the permissions assigned by the customer,” Orca Security researcher Yanir Tsarimi said in a report published Monday.

The flaw potentially put several entities at risk, including an unnamed telecommunications company, two car manufacturers, a banking conglomerate, and big four accounting firms, among others, the Israeli cloud infrastructure security company added.

The Azure Automation service allows for process automation, configuration management, and handling operating system updates within a defined maintenance window across Azure and non-Azure environments.

Dubbed “AutoWarp,” the issue affects all users of the Azure Automation service that have the Managed Identity feature turned on. This feature is disabled by default. Following responsible disclosure on December 6, 2021, the issue was remediated in a patch pushed on December 10, 2021.

“Azure Automation accounts that used Managed Identities tokens for authorization and an Azure Sandbox for job runtime and execution were exposed,” Microsoft Security Response Center (MSRC) said in a statement. Microsoft did not find any evidence that tokens were being misused.

While automation jobs should be protected by a virtual machine sandbox, they can still be accessed by code that runs on another virtual machine. However, this vulnerability allowed a malicious actor to execute a job inside an Azure Sandbox and obtain authentication tokens for other jobs.

“Someone could have malicious intents and continuously grabbed tokens. With each token, the attack on more Azure customers was widened,” Tsarimi observed.

The disclosure comes nearly two months after Amazon Web Services (AWS) fixed two vulnerabilities – dubbed Superglue and BreakingFormation – in the AWS Glue and CloudFormation services that could have been abused to access data of other AWS Glue customers and leak sensitive files.

In December 2021, Microsoft also resolved another security weakness in the Azure App Service that resulted in the exposure of source code of customer applications written in Java, Node, PHP, Python, and Ruby for at least four years since September 2017.

David
Hackarizona