Details have been disclosed about a now-addressed critical vulnerability in Microsoft’s Azure Automation service that could have permitted unauthorized access to other Azure customer accounts and take over control.
“This attack could mean full control over resources and data belonging to the targeted account, depending on the permissions assigned by the customer,” Orca Security researcher Yanir Tsarimi said in a report published Monday.
The flaw potentially put several entities at risk, including an unnamed telecommunications company, two car manufacturers, a banking conglomerate, and big four accounting firms, among others, the Israeli cloud infrastructure security company added.
The Azure Automation service allows for process automation, configuration management, and handling operating system updates within a defined maintenance window across Azure and non-Azure environments.
Dubbed “AutoWarp,” the issue affects all users of the Azure Automation service that have the Managed Identity feature turned on. It’s worth noting that this feature is enabled by default. Following responsible disclosure on December 6, 2021, the issue was remediated in a patch pushed on December 10, 2021.
“Azure Automation accounts that used Managed Identities tokens for authorization and an Azure Sandbox for job runtime and execution were exposed,” Microsoft Security Response Center (MSRC) said in a statement. “Microsoft has not detected evidence of misuse of tokens.”
While the automation jobs are designed to be isolated by means of a sandbox to prevent access by other code running on the same virtual machine, the vulnerability made it possible for a bad actor executing a job in an Azure Sandbox to obtain the authentication tokens of other automation jobs.
“Someone with malicious intentions could’ve continuously grabbed tokens, and with each token, widen the attack to more Azure customers,” Tsarimi noted.
The disclosure comes nearly two months after Amazon Web Services (AWS) fixed two vulnerabilities – dubbed Superglue and BreakingFormation – in the AWS Glue and CloudFormation services that could have been abused to access data of other AWS Glue customers and leak sensitive files.
In December 2021, Microsoft also resolved another security weakness in the Azure App Service that resulted in the exposure of source code of customer applications written in Java, Node, PHP, Python, and Ruby for at least four years since September 2017.