
Cloud computing: Microsoft fixes Azure bug that could allow access to other accounts


Microsoft fixed a bug in the Azure Automation service that could allow one account owner to access another customer’s account using the same service.

Azure Automation allows customers to automate cloud management tasks, update Windows and Linux systems, and automate other repetitive tasks.

According to security firm Orca, the bug, which it reported to Microsoft on December 6, allows a potential attacker on the service “to have full control over the resources and data of a targeted account, subject to the user’s permissions.”


Orca researcher Yanir Tsarimi said the vulnerability he found allowed him to interact with an internal Azure server that manages the sandboxes of other customers.

Tsarimi explains: “We managed to get authentication tokens for other customer accounts through that server. Someone with bad intentions could repeatedly obtain tokens and, with each token, extend the attack to more Azure customers.”

Microsoft clarified that only Azure Automation accounts that used Managed Identity tokens for authorization and an Azure Sandbox for job runtime and execution were exposed.

However, Orca also notes that the Managed Identity feature in the Automation account is enabled by default.

Microsoft says it has found no evidence that tokens have been misused and has notified customers with affected Automation accounts.

According to Orca, on December 7, it discovered several large companies potentially at risk, including “a global telecommunications company, two car manufacturers, a banking consortium, four major accounting firms and more.”

Microsoft explains that Azure Automation jobs can acquire Managed Identities tokens to access Azure resources. The access scope of each token is defined in the Automation account’s Managed Identity.

“Due to a security vulnerability, a user running an automation job in Azure Sandbox may have obtained Managed Identity tokens of other automation jobs, allowing access to resources within Automation Account’s Managed Identity,” the Microsoft Security Response Center (MSRC) notes.

Azure Automation accounts that use an Automation Hybrid worker for execution and/or Automation Run-As accounts for access to resources are not affected.

Microsoft mitigated the issue on December 10th by blocking access to Managed Identities tokens for all sandbox environments except those with legitimate access, MSRC explained.


